Mental model
Hosts on a LAN have one default gateway. If that gateway dies, the LAN is islanded — even if there’s a perfectly good second router on the same VLAN.
FHRPs (First Hop Redundancy Protocols) solve this by giving the gateway role a virtual IP that any of two or more physical routers can claim. Hosts only ever see the virtual IP; the protocol handles the failover under the hood.
If you haven’t already, read FHRP & HSRP basics first — this topic compares the three FHRPs at a deeper level.
At a glance
| | HSRP | VRRP | GLBP |
|---|---|---|---|
| Standard | Cisco proprietary | IETF (RFC 5798) | Cisco proprietary |
| Mode | Active / Standby | Active (Master) / Backup | Active / Active (load-shared) |
| Default version | v1 (IPv4), v2 (IPv4+IPv6) | v3 (covers IPv4 + IPv6) | v1 |
| Virtual MAC | 0000.0c07.acXX (v1) / 0000.0c9f.fXXX (v2) | 0000.5e00.01XX | 0007.b400.XXYY |
| Hellos sent to | 224.0.0.2 (v1), 224.0.0.102 (v2) | 224.0.0.18 | 224.0.0.102 |
| Timer defaults | Hello 3s, hold 10s | Advertisement 1s, hold 3s | Hello 3s, hold 10s |
| Election tiebreak | Highest priority (default 100), then highest IP | Highest priority (default 100), then highest IP | Highest priority |
| Preemption | Disabled by default | Enabled by default | Disabled by default |
| Load-sharing | No (manual per-VLAN tricks) | No (manual per-VLAN tricks) | Yes — multiple AVFs simultaneously forward |
| Authentication | Plain text or MD5 | Plain text or HMAC-SHA256 | MD5 |
| Tracking | Interface and object | Object | Interface and object |
| CCNA depth | Configure + verify | Recognize + describe | Recognize + describe |
HSRP — Cisco’s everyday workhorse
SW1(config)# interface Vlan10
SW1(config-if)# ip address 192.168.10.2 255.255.255.0
SW1(config-if)# standby version 2
SW1(config-if)# standby 10 ip 192.168.10.1
SW1(config-if)# standby 10 priority 110
SW1(config-if)# standby 10 preempt
SW1(config-if)# standby 10 authentication md5 key-string SecretKey!
SW1(config-if)# standby 10 track Gi0/1
Three things to memorize:
- standby <group> ip <virt-ip> — the virtual IP.
- priority — default 100. Higher wins. Without explicit priority, the router with the highest IP becomes Active.
- preempt — without this, a recovered higher-priority router does NOT take back the Active role. Most ops engineers forget this.
States: Init → Listen → Speak → Standby → Active.
VRRP — same idea, open standard
SW1(config)# interface Vlan10
SW1(config-if)# ip address 192.168.10.2 255.255.255.0
SW1(config-if)# vrrp 10 ip 192.168.10.1
SW1(config-if)# vrrp 10 priority 110
SW1(config-if)# vrrp 10 authentication md5 key-string SecretKey!
Differences vs HSRP that you should remember:
- Preempt is on by default (you don’t need to type preempt).
- The Master can use a real interface IP as the virtual IP. So priority 255 (= “I own this IP”) means I’m always master, no failover.
- Standard means a Juniper or Arista box can run VRRP with the Cisco gear. Use it any time you have mixed vendors.
VRRPv3 (RFC 5798) covers both IPv4 and IPv6 with one protocol.
GLBP — the only active-active FHRP
HSRP and VRRP have one Active and N standbys. Standbys carry zero traffic. Wasteful if you spent money on two equally capable routers.
GLBP fixes this by load-sharing across multiple Active Virtual Forwarders (AVFs):
- One router elected as AVG (Active Virtual Gateway) — handles the ARP responses.
- Multiple routers register as AVFs (Active Virtual Forwarders) — each owns a different virtual MAC.
- When a host ARPs for the virtual IP, the AVG responds with a different virtual MAC each time — round-robin or weighted.
- Different hosts get pointed at different physical routers. Both routers actively forward.
SW1(config)# interface Vlan10
SW1(config-if)# glbp 10 ip 192.168.10.1
SW1(config-if)# glbp 10 priority 110
SW1(config-if)# glbp 10 preempt
SW1(config-if)# glbp 10 load-balancing weighted
SW1(config-if)# glbp 10 weighting 100 lower 80 upper 95
SW1(config-if)# glbp 10 weighting track 1 decrement 30
GLBP load-balancing methods:
- round-robin — alternates virtual MACs per ARP response.
- weighted — proportional to each AVF’s weight value.
- host-dependent — same host always gets same AVF (stickiness).
Multiple AVFs means multiple paths used simultaneously, but it does NOT mean per-flow load-balance across routers — each flow still sticks to one AVF for its lifetime (the host’s MAC table never changes mid-flow).
Object tracking — same on all three
You don’t want to remain Active if your upstream link died. Track the upstream interface:
! Define a tracked object
SW1(config)# track 1 interface Gi0/1 line-protocol
! Tie HSRP priority to it
SW1(config-if)# standby 10 track 1 decrement 30
! Or VRRP
SW1(config-if)# vrrp 10 track 1 decrement 30
! Or GLBP weighting
SW1(config-if)# glbp 10 weighting track 1 decrement 30
If Gi0/1 goes down, priority drops by 30. If the other router has higher effective priority, it takes over.
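The takeover depends on preemption as well as on the decremented priority. The added example below (not code from the original page) is a simplified model of HSRP-style election in which a router that already holds Active is displaced only by a peer configured with preempt. The names Router, next_active, uplink_failure and reload_recovery are hypothetical, and the addresses and priorities follow the page's lab.

```python
from dataclasses import dataclass
from ipaddress import ip_address

@dataclass
class Router:
    name: str
    ip: str
    priority: int = 100        # default priority from the comparison table
    preempt: bool = False      # HSRP default: preemption off
    decrement: int = 0         # subtracted while the tracked object is down
    tracked_up: bool = True
    alive: bool = True

    @property
    def effective(self):
        return self.priority - (0 if self.tracked_up else self.decrement)

def rank(r):
    # Election order: highest effective priority, then highest IP address.
    return (r.effective, int(ip_address(r.ip)))

def next_active(routers, current):
    """Re-evaluate the group once and return the router holding Active."""
    alive = [r for r in routers if r.alive]
    if current is None or not current.alive:
        return max(alive, key=rank)      # role vacant: plain election
    # Role held: only a router configured with preempt may take it over.
    better = [r for r in alive if r.preempt and rank(r) > rank(current)]
    return max(better, key=rank) if better else current

def uplink_failure(peer_preempt):
    """SW1 (110, track decrement 30) loses Gi0/1; does SW2 (100) take over?"""
    sw1 = Router("SW1", "192.168.10.2", priority=110, preempt=True, decrement=30)
    sw2 = Router("SW2", "192.168.10.3", preempt=peer_preempt)
    active = next_active([sw1, sw2], None)
    sw1.tracked_up = False               # tracked object down: 110 - 30 = 80
    return next_active([sw1, sw2], active).name, sw1.effective

def reload_recovery(sw1_preempt):
    """SW1 fails and returns; who is Active afterwards?"""
    sw1 = Router("SW1", "192.168.10.2", priority=110, preempt=sw1_preempt)
    sw2 = Router("SW2", "192.168.10.3")
    active = next_active([sw1, sw2], None)
    sw1.alive = False
    active = next_active([sw1, sw2], active)   # SW2 takes the vacant role
    sw1.alive = True
    return next_active([sw1, sw2], active).name
```

With peer_preempt=False, SW1 keeps the Active role at effective priority 80 even though SW2 sits at 100, so tracking only moves the gateway when the peer is also configured with preempt.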
You can also track:
- IP route presence (track 2 ip route 10.0.0.0/8 reachability)
- IP SLA probe state (track 3 ip sla 1 reachability)
- Other object boolean combinations
Authentication — don’t skip it
All three protocols accept hellos by default from anyone on the segment. A malicious host can pretend to be a high-priority router and hijack the gateway.
- HSRP MD5: standby 10 authentication md5 key-string MyKey
- VRRP HMAC-SHA256: vrrp 10 authentication md5 key-string MyKey
- GLBP MD5: glbp 10 authentication md5 key-string MyKey
Always enable in production.
Which to pick — 2026 guidance
| Scenario | Choose |
|---|---|
| Cisco-only environment, single-active gateway is fine | HSRP |
| Mixed-vendor environment (Cisco + Arista, Juniper, etc.) | VRRP |
| You genuinely have spare upstream bandwidth and want both routers forwarding | GLBP |
| IPv6 only | HSRPv2 or VRRPv3 |
| You need sub-second failover | Look beyond FHRP — switch to BFD-driven dynamic routing, or use stack/StackWise Virtual to eliminate the gateway-redundancy problem entirely |
In real life, HSRP is the default in Cisco shops because it’s simple, well-understood, and the load-sharing benefit of GLBP is usually overrated — most enterprise traffic is asymmetric anyway (uplink saturated, downlink less so).
Verification
! HSRP
SW1# show standby brief
SW1# show standby Vlan10 detail
! VRRP
SW1# show vrrp brief
SW1# show vrrp Vlan10 detail
! GLBP
SW1# show glbp brief
SW1# show glbp Vlan10 detail
brief is your default — shows group, virtual IP, state, priority, preemption, active/standby routers in one line per group.
Common mistakes
- Forgetting preempt on HSRP/GLBP. Configured priority 110, expected this router to be Active — but original Active never gave the role back after recovery.
- VRRP virtual IP same as a real interface IP. Some platforms allow it, some don’t. Either commit to “virtual IP is its own address” or commit to “virtual IP is the master’s real address with priority 255” — don’t mix.
- Missing version 2 on HSRP for IPv6. HSRPv1 only carries IPv4. HSRPv2 carries both.
- GLBP load-balance method = round-robin in DHCP environments. Pairs of ARP-from-same-MAC requests can end up with different AVFs — works fine, but stateful flows can get confused if combined with NAT or PBR.
- Tracking the wrong thing. Tracking interface line-protocol doesn’t catch a routing-protocol failure or a downstream IP SLA. Use the right track type per dependency.
- Authentication mismatch. Different key on the two routers → both think they’re Active. Same VIP responds twice; hosts get inconsistent MACs. Always verify keys match.
- No FHRP at all. A surprising number of campus networks rely on a single Layer-3 switch for VLAN gateways. One reload = one outage. Always at least HSRP, even between two stack members.
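The authentication section and several of the mistakes above (missing authentication, mismatched keys, forgotten preempt) can be caught by comparing the two peers' configurations before deployment. The following is an added example, not code from the original page: it assumes IOS-style interface stanzas like the ones shown earlier, the two sample configs are constructed, and the names parse and audit are hypothetical.

```python
import re

# Constructed sample configs for two peers (not taken from a real device).
SW1 = """\
interface Vlan10
 standby version 2
 standby 10 ip 192.168.10.1
 standby 10 priority 110
 standby 10 authentication md5 key-string SecretKey!
"""
SW2 = """\
interface Vlan10
 standby version 2
 standby 10 ip 192.168.10.1
 standby 10 preempt
 standby 10 authentication md5 key-string Secretkey!
interface Vlan20
 vrrp 20 ip 192.168.20.1
"""

LINE = re.compile(r"^\s+(standby|vrrp|glbp) (\d+) (\S+)(?: (.*))?$")

def parse(config):
    """Return {(interface, protocol, group): {keyword: args}} from IOS-style text."""
    groups, intf = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            intf = line.split()[1]
        elif intf and (m := LINE.match(line)):
            proto, grp, kw, args = m.groups()
            groups.setdefault((intf, proto, grp), {})[kw] = args or ""
    return groups

def audit(name_a, cfg_a, name_b, cfg_b):
    """Flag missing authentication, missing preempt and key mismatches between peers."""
    a, b, findings = parse(cfg_a), parse(cfg_b), []
    for name, groups in ((name_a, a), (name_b, b)):
        for (intf, proto, grp), opts in sorted(groups.items()):
            where = f"{name} {intf} {proto} {grp}"
            if "authentication" not in opts:
                findings.append(f"{where}: no authentication")
            # HSRP and GLBP leave preemption off unless configured; VRRP has it on.
            if proto in ("standby", "glbp") and "preempt" not in opts:
                findings.append(f"{where}: no preempt")
    for key in sorted(a.keys() & b.keys()):
        if a[key].get("authentication") != b[key].get("authentication"):
            findings.append(f"{' '.join(key)}: authentication differs between peers")
    return findings
```

The findings name the interface and group but never echo the key string, so the output is safe to paste into a ticket. The one-character case difference in the sample keys is enough to trigger the mismatch finding.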
Lab to try tonight
- Two L3 switches (or two routers), one VLAN with a host. Each switch has a real IP in VLAN 10 (.2 and .3), virtual gateway .1.
- Configure HSRP group 10: priority 110 on SW1, default 100 on SW2. Verify with show standby brief — SW1 is Active.
- From the host, ARP for .1 — note the virtual MAC starts with 0000.0c.
- Shut down SW1’s interface. Verify SW2 becomes Active. Host keeps pinging (a couple of dropped packets at most).
- Reload SW1. Without preempt, SW1 stays Standby. Add standby 10 preempt and watch it reclaim Active.
- Convert the same VLAN to VRRP. Notice preempt is now on by default and the virtual MAC starts with 0000.5e.
- Bonus: convert to GLBP. Add a second host. show glbp brief should show TWO AVFs forwarding. ARP from each host — see different virtual MACs.
- Bonus: add interface tracking (track 1 interface Gi0/1 line-protocol) — shut the uplink, watch the active role flip even though the LAN-side interface is still up.
Cheat strip
| Concept | Plain English |
|---|---|
| FHRP | First Hop Redundancy Protocol — gives the LAN a virtual gateway |
| HSRP | Cisco. Active/Standby. Default 100. Preempt OFF by default |
| VRRP | IETF standard. Master/Backup. Default 100. Preempt ON by default |
| GLBP | Cisco. Active/Active. AVG hands out multiple virtual MACs |
| AVG / AVF | (GLBP) Active Virtual Gateway / Active Virtual Forwarder |
| Priority | Higher wins. Default 100 (HSRP/VRRP/GLBP) |
| Preempt | Recovered higher-priority router takes Active back |
| Virtual IP | Single gateway IP that survives router failure |
| Virtual MAC | Vendor-allocated — 0000.0c07.acXX (HSRP), 0000.5e00.01XX (VRRP), 0007.b4... (GLBP) |
| Object tracking | Decrement priority when an uplink / route / SLA fails |
| Authentication | Always enable. MD5 minimum, SHA-256 if VRRPv3 |
| In 2026 | HSRP for Cisco-only, VRRP for mixed-vendor, GLBP rare |