First Hop Redundancy Protocols (HSRP, VRRP)

First Hop Redundancy Protocols (FHRP): HSRP, VRRP & Load Balancing

Why First Hop Redundancy Protocols Matter

In enterprise networks, the default gateway is a critical single point of failure. If a router fails, all devices relying on it as their gateway lose connectivity to other networks. First Hop Redundancy Protocols (FHRPs) solve this by creating virtual routers that automatically handle failover when the primary gateway fails. This ensures high availability and network resilience—critical requirements for mission-critical environments assessed in the CCNP ENCOR exam.

What is a First Hop Redundancy Protocol?

An FHRP is a mechanism that allows multiple physical routers to share a single virtual IP address and MAC address. Devices on the network use this virtual gateway instead of a specific physical router. When the primary router fails, another router automatically assumes the virtual identity, maintaining seamless connectivity.

Common FHRP Implementations:

• HSRP (Hot Standby Router Protocol) - Cisco proprietary, industry-standard in Cisco environments
• VRRP (Virtual Router Redundancy Protocol) - IEEE 802.3ad standard, vendor-neutral
• GLBP (Gateway Load Balancing Protocol) - Cisco proprietary, provides active load balancing

HSRP (Hot Standby Router Protocol) Deep Dive

HSRP Fundamentals

HSRP was developed by Cisco and operates by electing a primary router (active) and a secondary router (standby). Devices send traffic through the active router. If the active router fails, the standby router takes over within seconds.

HSRP Election Process

Priority: Routers are elected based on priority values (0-255, default 100). Higher priority wins. If priorities are equal, the router with the highest IP address becomes active.

Election Criteria (in order):

1. Highest priority value
2. Highest IP address (if priorities are equal)
3. MAC address is derived from the virtual IP

HSRP Versions

HSRPv1:

• Supports IPv4 only
• Uses multicast address 224.0.0.2, UDP port 1985
• Maximum 256 groups per interface
• Hello interval: 3 seconds (default)
• Dead interval: 10 seconds (default)

HSRPv2:

• Supports both IPv4 and IPv6
• Uses multicast address 224.0.0.102, UDP port 1985
• Maximum 4096 groups per interface
• Same timers as v1 but more efficient
• Better for large-scale deployments

HSRP Virtual IP and MAC

The virtual IP address is configured on the FHRP group. The virtual MAC address is generated as:

00:00:5E:00:01:[group-number]

For example, HSRP group 1 has MAC: 00:00:5E:00:01:01

HSRP States

Initial: Learning state after startup

Learn: Router learns the virtual IP and waits for hello packets

Listen: Router monitors active and standby routers

Speak: Router actively participates in elections

Standby: Router is ready to take over if active fails

Active: Router is the primary gateway

VRRP (Virtual Router Redundancy Protocol) Deep Dive

VRRP Fundamentals

VRRP is the open-standard alternative to HSRP, defined in RFC 3768 (IPv4) and RFC 5798 (IPv6). It operates similarly to HSRP but with some key differences.

VRRP Master Election

VRRP uses Priority (0-255) and Preemption to elect a master router. The router with the highest priority becomes the master.

Key Difference: VRRP has preemption enabled by default, meaning if a higher-priority router comes online, it immediately takes over. HSRP has preemption disabled by default.

VRRP Virtual IP and MAC

Virtual MAC address format:

00:00:5E:00:01:[VRRP-ID]

VRRP allows the virtual IP to be the same as the master's real IP, simplifying configuration.

VRRP Timers

Advertisement Interval: 1 second (default), much faster than HSRP's 3-second hello

Master Down Interval: 3 × Advertisement Interval + skew time

VRRP uses multicast address 224.0.0.18, protocol number 112

VRRP States

Initialize: Router starts up

Backup: Router is waiting to become master

Master: Router is the primary gateway

HSRP vs VRRP Comparison

HSRP Configuration Walkthrough

Basic HSRP Configuration

On Router 1 (Primary):

Router1(config)# interface GigabitEthernet0/0
Router1(config-if)# ip address 192.168.1.1 255.255.255.0
Router1(config-if)# standby version 2
Router1(config-if)# standby 1 ip 192.168.1.254
Router1(config-if)# standby 1 priority 110
Router1(config-if)# standby 1 preempt

On Router 2 (Secondary):

Router2(config)# interface GigabitEthernet0/0
Router2(config-if)# ip address 192.168.1.2 255.255.255.0
Router2(config-if)# standby version 2
Router2(config-if)# standby 1 ip 192.168.1.254
Router2(config-if)# standby 1 priority 100
Router2(config-if)# standby 1 preempt

HSRP Timers Configuration

Router(config-if)# standby 1 timers 2 8

This sets hello to 2 seconds and dead to 8 seconds. Use lower values for faster failover but with increased CPU overhead.

HSRP Authentication (MD5)

Router(config-if)# standby 1 authentication md5 key-string MySecureKey123

Tracking External Events

HSRP can reduce priority if a critical interface/link goes down:

Router1(config-if)# standby 1 track GigabitEthernet0/1 decrement 20

If Gi0/1 goes down, this router's priority decreases by 20, allowing the standby to take over.

VRRP Configuration Walkthrough

Basic VRRP Configuration

On Router 1 (Master):

Router1(config)# interface GigabitEthernet0/0
Router1(config-if)# ip address 192.168.1.1 255.255.255.0
Router1(config-if)# vrrp 1 ip 192.168.1.254
Router1(config-if)# vrrp 1 priority 110

On Router 2 (Backup):

Router2(config)# interface GigabitEthernet0/0
Router2(config-if)# ip address 192.168.1.2 255.255.255.0
Router2(config-if)# vrrp 1 ip 192.168.1.254
Router2(config-if)# vrrp 1 priority 100

VRRP Timers Configuration

Router(config-if)# vrrp 1 timers advertise 2

Sets advertisement interval to 2 seconds (minimum is 1 second).

VRRP Authentication

Router(config-if)# vrrp 1 authentication text MyPassword

How FHRP Failover Works

Step-by-Step Failover Process

1. Normal Operation: Active/Master router sends hello packets every 3 seconds (HSRP) or 1 second (VRRP) to backup routers.

2. Failure Detection: Standby/Backup router misses consecutive hello packets and the dead interval expires.

3. Election Trigger: Standby/Backup router initiates election process.

4. New Election: Remaining routers compete based on priority, with highest priority becoming active/master.

5. Assumption: New active/master router takes ownership of virtual IP and MAC address.

6. Traffic Redirection: Clients' ARP tables may need updating (gateway sends ARP announcements with new MAC).

Total Failover Time (HSRP): Typically 3-10 seconds depending on hello/dead intervals.

Total Failover Time (VRRP): Typically 1-3 seconds due to faster advertisement.

Advanced HSRP/VRRP Concepts

GLBP (Gateway Load Balancing Protocol)

GLBP extends FHRP by allowing active load balancing across multiple routers, not just failover. Multiple routers actively forward traffic proportionally.

GLBP Features:

• AVG (Active Virtual Gateway) - one per group
• AVF (Active Virtual Forwarder) - up to 4 per group
• Clients round-robin through multiple virtual MACs
• True load balancing, not failover-only

Tracking and Object Management

Advanced tracking monitors specific interfaces, routes, or IP addresses and dynamically adjusts FHRP priority.

Tracking Types:

• Interface state (up/down)
• IP route reachability
• Object state from other devices

Multiple FHRP Groups on Single Interface

An interface can run multiple FHRP groups simultaneously, enabling asymmetric load balancing. For example:

Group 1: Router A is active, Router B is standby
Group 2: Router B is active, Router A is standby

Traffic is distributed across both routers automatically.

Common Exam Scenarios & Troubleshooting

Scenario 1: Router Won't Become Active

Common Causes:

• Priority is lower than active router
• Preemption is disabled and active router exists
• Interface is down
• FHRP timers misconfigured (mismatched between routers)

Verification:

show standby brief (HSRP)
show vrrp brief (VRRP)

Scenario 2: No Failover on Active Router Failure

Causes:

• Dead interval too long
• Authentication mismatch
• FHRP protocol not enabled on backup

Scenario 3: Flapping (Repeated Active/Standby Changes)

Causes:

• Tracking interface unstable (flapping)
• Poorly configured tracking decrement values
• Network instability

Solution: Review tracking configuration and adjust decrement values to prevent unnecessary role changes.

Scenario 4: ARP Issues After Failover

After failover, devices may still send traffic to the old gateway's MAC address until ARP cache expires. FHRP mitigates this by:

• New active router sends ARP announcements
• Short ARP timeout (typically 240 seconds)
• Devices learn new virtual MAC-to-IP mapping

Exam Tips: Answering Questions on First Hop Redundancy Protocols

Tip 1: Know the Terminology Differences

HSRP terminology: Active, Standby, Priority, Preempt
VRRP terminology: Master, Backup, Priority, Advertisement Interval

Exam questions often test your ability to distinguish between HSRP and VRRP using correct terminology. If an answer says "VRRP backup" or "HSRP master," it's likely wrong.

Tip 2: Understand Default Behaviors

Critical exam point: HSRP has preemption disabled by default, while VRRP has it enabled by default. This single difference changes how routers behave when they come online.

Questions like "Router A with priority 200 comes online after recovery. What happens?" depend on preemption settings and FHRP type.

Tip 3: Master Priority Election Rules

Remember the election order:

1. Highest priority number wins
2. If equal, highest real IP address wins (for both HSRP and VRRP)
3. Default priority is 100 (HSRP) or 100 (VRRP)

Exam questions often present tie-breaking scenarios. Know that IP address, not MAC address, breaks ties.

Tip 4: Timers and Convergence Time

Know the default timers:

HSRP: Hello 3 seconds, Dead 10 seconds
VRRP: Advertisement 1 second, Master Down ~3 seconds

If an exam question asks "What's the maximum failover time?" answer based on the dead/master-down intervals. Faster timers = faster failover but higher CPU overhead.

Tip 5: Virtual IP and MAC Address Rules

Key points:

• Virtual IP is configured explicitly and is separate from interface IPs
• Virtual MAC is automatically generated based on FHRP type and group number
• It's possible to have the virtual IP be the same as the active router's real IP in VRRP (but not recommended)

Questions about IP conflicts or MAC address format test this knowledge.

Tip 6: Differentiate HSRP Versions

HSRPv1 vs HSRPv2 differences often appear on exams:

Know: v2 supports IPv6, has different multicast address, supports more groups. If a question mentions IPv6 FHRP on Cisco, it must be HSRPv2 (VRRP v3 for other vendors).

Tip 7: Tracking Configuration Impact

Understand that tracking an interface and decrementing priority is used to:

• Detect downstream link failures
• Force active router to become standby if a critical link fails
• Ensure backup takes over intelligently

Exam questions may ask: "You want Router A to relinquish active role if its ISP link fails. What command?" Answer: standby 1 track [ISP-interface] decrement [value]

Tip 8: Authentication and Security

Know the authentication options:

HSRP: Plaintext, MD5
VRRP: Plaintext, MD5

Security questions often ask why authentication matters (prevent rogue router from hijacking virtual IP) and how to enable it.

Tip 9: Troubleshooting Commands

Memorize key verification commands for exam scenarios:

show standby [brief | detailed] - Shows HSRP state, timers, priorities
show vrrp [brief | detailed] - Shows VRRP state
show track - Shows object tracking status
debug standby events - Real-time HSRP activity
debug vrrp events - Real-time VRRP activity

Exam might ask "How do you verify which router is active?" Know the output format and what "Active" vs "Standby" means.

Tip 10: Asymmetric Load Balancing Scenarios

Understand how multiple FHRP groups enable load balancing:

Scenario: "You need both routers to actively forward traffic. What do you configure?"

Answer: Multiple FHRP groups where each router is active for different groups (or use GLBP).

This tests your understanding that standard FHRP (HSRP/VRRP) is failover-only, not load-balancing.

Tip 11: Know When HSRP vs VRRP is Used

Exam context clues:

• Cisco-only environment: HSRP is typical (proprietary, well-integrated)
• Multi-vendor environment: VRRP is standard (RFC-based)
• IPv6 required: HSRPv2 or VRRP v3
• Active load balancing needed: GLBP (Cisco) or other methods

Tip 12: Common Wrong Answers to Avoid

Wrong: "VRRP backup router can become active without preemption." → Right: VRRP has preemption enabled by default.

Wrong: "HSRP uses protocol 112." → Right: VRRP uses protocol 112; HSRP uses UDP 1985.

Wrong: "Virtual MAC is configured manually." → Right: Virtual MAC is automatically generated from FHRP type and group.

Wrong: "Highest IP address always wins." → Right: Highest priority wins; IP address only breaks ties.

Tip 13: Configuration Syntax Accuracy

Know exact syntax for exam labs:

standby [group] [command] (HSRP)
vrrp [group] [command] (VRRP)

Off-by-one errors or typos in group numbers can be marked wrong.

Tip 14: Read Questions for Clues

If a question mentions:

• "Cisco routers" + redundancy = likely HSRP
• "Multiple vendors" + redundancy = likely VRRP
• "Load balancing" + Cisco = likely GLBP
• "Fast failover required" + specific timing = may need to calculate with timers

Tip 15: Practice Failover Calculations

Exam question example: "You configure HSRP with hello 2 seconds and dead 8 seconds. How long until standby takes over?"

Answer: Dead interval = 8 seconds (maximum time before failure detected), but typically failover occurs in 8-10 seconds accounting for detection time.

VRRP with advertisement 1 second → master down typically 3 seconds.

Summary Table: Quick Reference

Final Exam Strategy

1. Identify the Protocol: Determine if the question is about HSRP, VRRP, or GLBP from context clues.

2. Know the Defaults: Default priority (100), timers, preemption state—these are foundational.

3. Election Logic: Always apply election rules: priority first, then IP address.

4. State Terminology: Use correct terms (Active/Standby for HSRP, Master/Backup for VRRP).

5. Tracking and Decrement: Understand how tracking influences priority dynamically.

6. Configuration Syntax: Practice exact command format for both HSRP and VRRP.

7. Troubleshooting: Know diagnostic commands and how to interpret output.

8. Performance Impact: Faster timers = faster failover but higher CPU/memory overhead.

9. Version Differences: HSRPv1 vs v2 differences (IPv6, group count, multicast address).

10. Real-World Application: Think about why FHRP matters (redundancy, high availability, non-disruptive failover).