FHRP (First Hop Redundancy Protocol) is the family of Layer 3 protocols that lets a group of routers share a virtual IP and MAC address so end hosts have a single, stable default gateway even when the underlying router fails. The three protocols in the family - HSRP (Cisco), VRRP (IETF standard), and GLBP (Cisco) - all solve the same problem with slightly different mechanics. Without FHRP, end host default gateways become single points of failure; with FHRP, the failure of a primary router becomes a sub-second event invisible to users.
This is the cluster overview for the full PingLabz FHRP series: the protocol family, HSRP, VRRP, GLBP, and the design patterns that integrate FHRP with STP, Layer 2 VLANs, and the rest of a Cisco campus design. We will work through what FHRP solves, the three protocols in the family and how they differ, the configuration patterns, real Cisco IOS XE captures from a lab, and the alignment with STP that is critical for clean failover.
What FHRP Solves
End hosts use a default gateway IP for any traffic destined outside their local subnet. Traditionally that gateway is a single router. If the router goes down, the gateway becomes unreachable, and the host has no path off the subnet. The user sees connectivity loss until DHCP renews to a new gateway (which never happens automatically) or someone reconfigures the host.
FHRP solves this by letting a group of routers share a virtual IP/MAC. The hosts use the virtual IP as their default gateway. The router currently active for that virtual IP forwards traffic; if it fails, another router takes over the virtual IP/MAC and traffic continues with sub-second interruption. The hosts never know anything changed.
The three FHRP protocols differ in details but share the architecture: a group of routers, a virtual IP and MAC, election of an active forwarder, and failover when the active fails.
The Three Protocols
| Protocol | Vendor | RFC | Default Hello | Default Hold | Active election |
|---|---|---|---|---|---|
| HSRP (v1) | Cisco | 2281 (informational) | 3 sec | 10 sec | Highest priority; tiebreak by IP |
| HSRP (v2) | Cisco | 2281 | 3 sec (sub-second tunable) | 10 sec | Same as v1 |
| VRRP (v2) | IETF standard | 3768 / 5798 | 1 sec | 3 sec | Highest priority; tiebreak by IP |
| VRRPv3 | IETF standard | 5798 | 1 sec (sub-second tunable) | 3 sec | Same as v2 + IPv6 support |
| GLBP | Cisco | None (proprietary) | 3 sec | 10 sec | AVG (Active Virtual Gateway) elects; AVFs (Active Virtual Forwarders) load-balance |
HSRP and VRRP do active/standby - one router forwards, the others wait. GLBP does active/active - multiple routers forward simultaneously, sharing the load via different virtual MAC addresses for the same virtual IP.
HSRP: Cisco's Default
HSRP (Hot Standby Router Protocol) is Cisco's proprietary FHRP and the dominant protocol in Cisco-only campuses. The version 1 group number is 0-255 (limited); version 2 supports group 0-4095 and is the modern default.
HSRP states each router walks through:
| State | Meaning |
|---|---|
| Initial | HSRP just started; not yet sending hellos |
| Learn | Waiting to learn the virtual IP from a Hello (rare; typically configured) |
| Listen | Heard from active and standby; not active or standby itself |
| Speak | Sending hellos; participating in active/standby election |
| Standby | Backup; will take over if active fails |
| Active | Currently forwarding traffic for the virtual IP |
Healthy steady state: one active, one standby, others in listen. Configuration is interface-level: a group number, a virtual IP, an optional priority, and preemption so the higher-priority router reclaims active state after a reboot.
! R1 - intended active gateway
interface Ethernet0/0
ip address 10.20.0.1 255.255.255.0
standby version 2
standby 10 ip 10.20.0.254
standby 10 priority 110
standby 10 preempt
standby 10 name HSRP-PROD
!
! R2 - intended standby (default priority 100, no preempt)
interface Ethernet0/0
ip address 10.20.0.2 255.255.255.0
standby version 2
standby 10 ip 10.20.0.254
standby 10 name HSRP-PRODOn R1 with the priority + preempt configuration above, HSRP comes up Active. The full state shows the v2 virtual MAC, the standby's identity, hello/hold timers, and the configured priority:
R1# show standby
Ethernet0/0 - Group 10 (version 2)
State is Active
2 state changes, last state change 00:01:06
Virtual IP address is 10.20.0.254
Active virtual MAC address is 0000.0c9f.f00a (MAC In Use)
Local virtual MAC address is 0000.0c9f.f00a (v2 default)
Hello time 3 sec, hold time 10 sec
Next hello sent in 1.040 secs
Preemption enabled
Active router is local
Standby router is 10.20.0.2, priority 100 (expires in 9.504 sec)
Priority 110 (configured 110)
Group name is "HSRP-PROD" (cfgd)
FLAGS: 1/1Two details worth noting. The Active virtual MAC is 0000.0c9f.f00a, not the burned-in MAC of R1's Ethernet0/0. End hosts ARP for 10.20.0.254 and get this MAC, which means R2 can take over without any host needing to re-ARP. And the v2 MAC format is 0000.0c9f.fXXX, not the v1 0000.0c07.acXX; group 10 ends up as ...f00a because 10 in hex is 0a.
For the full configuration walkthrough including priority manipulation, interface tracking, and authentication, see HSRP High Availability: Configure Cisco HSRP Step-by-Step.
VRRP: The Open Standard
VRRP (Virtual Router Redundancy Protocol) is the IETF standard. RFC 5798 defines VRRPv3 for both IPv4 and IPv6. Functionally similar to HSRP with a few differences:
- Master/Backup terminology (instead of Active/Standby)
- Default master is the router whose interface IP matches the virtual IP (a feature that can simplify designs but causes confusion when not understood)
- Faster default timers (1-second Hello, 3-second hold)
- Vendor-neutral - works between Cisco, Juniper, Arista, Nokia, etc.
The classic VRRPv2 configuration on Cisco IOS XE looks almost identical to HSRP at the interface level:
! Global - force classic VRRPv2 syntax (defaults to v3 on IOS XE 17.x)
fhrp version vrrp v2
!
! R1
interface Ethernet0/0
vrrp 20 ip 10.20.0.253
vrrp 20 priority 110
vrrp 20 description VRRP-PROD
!
! R2
interface Ethernet0/0
vrrp 20 ip 10.20.0.253
vrrp 20 priority 100
vrrp 20 description VRRP-PRODR1 wins the Master election and starts answering ARP for the virtual IP with the VRRP-style virtual MAC:
R1# show vrrp
Ethernet0/0 - Group 20
VRRP-PROD
State is Master
Virtual IP address is 10.20.0.253
Virtual MAC address is 0000.5e00.0114
Advertisement interval is 1.000 sec
Preemption enabled
Priority is 110
Master Router is 10.20.0.1 (local), priority is 110
Master Advertisement interval is 1.000 sec
Master Down interval is 3.570 sec
FLAGS: 1/1Notice the virtual MAC format: 0000.5e00.0114. The 0000.5e00.01XX prefix is reserved by IANA for VRRP, and 14 is the hex of the group number (20). The 1-second advertisement interval and 3-second Master Down interval also show through - VRRP fails over faster than HSRP by default.
For the full walkthrough including VRRPv3 syntax and IPv6, see VRRP Explained.
GLBP: Active/Active Load Balancing
GLBP (Gateway Load Balancing Protocol) is Cisco-proprietary and unique among FHRPs in that it actively load-balances across multiple routers. One router is the AVG (Active Virtual Gateway) which manages the protocol; up to four AVFs (Active Virtual Forwarders) actually forward traffic, each with its own virtual MAC.
How it works: end hosts ARP for the virtual IP. The AVG responds with one of four virtual MACs, rotating across hosts. Each virtual MAC is owned by a different AVF, so different hosts naturally use different routers. Failover is per-AVF; if one AVF dies, the AVG redirects its virtual MAC to another AVF.
The benefit: utilization across redundant routers instead of one router idle as standby. The cost: more complex troubleshooting and Cisco-only.
Configuration is similar to HSRP but with the glbp keyword:
! R1 - intended AVG
interface Ethernet0/0
glbp 30 ip 10.20.0.252
glbp 30 priority 110
glbp 30 preempt
glbp 30 name GLBP-PROD
!
! R2 - secondary AVF (default priority, no preempt)
interface Ethernet0/0
glbp 30 ip 10.20.0.252
glbp 30 name GLBP-PRODWhat separates GLBP from HSRP and VRRP shows up clearly in show glbp brief. Where the other two protocols show one row per group, GLBP shows the AVG row plus one row per forwarder:
R1# show glbp brief
Interface Grp Fwd Pri State Address Active router Standby router
Et0/0 30 - 110 Active 10.20.0.252 local 10.20.0.2
Et0/0 30 1 - Active 0007.b400.1e01 local -
Et0/0 30 2 - Listen 0007.b400.1e02 10.20.0.2 -R1 is both the AVG (top row) and the AVF for Forwarder 1 (MAC 0007.b400.1e01). Forwarder 2 (0007.b400.1e02) is owned by R2, which is why R1 shows it as Listen. From R2's perspective the same group looks inverted:
R2# show glbp brief
Interface Grp Fwd Pri State Address Active router Standby router
Et0/0 30 - 100 Standby 10.20.0.252 10.20.0.1 local
Et0/0 30 1 - Listen 0007.b400.1e01 10.20.0.1 -
Et0/0 30 2 - Active 0007.b400.1e02 local -R2 is the AVG Standby (it will take over the AVG role if R1 dies), but R2 is simultaneously the active AVF for Forwarder 2. Both routers are forwarding traffic at the same time, just for different hosts. The GLBP MAC format is 0007.b400.XXYY where XX is the group in hex (1e = 30) and YY is the forwarder number.
For the full walkthrough including weighting, load-balancing algorithms, and AVF priority, see GLBP for Active/Active Load Balancing.
FHRP Design with STP and VLANs
FHRP does not exist in isolation. In typical campus designs the active FHRP gateway should align with the STP root bridge, otherwise traffic from access switches takes a suboptimal path through the network: up to one distribution switch, across the inter-distribution trunk to the other, down to the actual gateway.
The pattern: per-VLAN, set the same router to be both the STP root bridge and the FHRP active gateway. For VLAN load balancing, alternate which distribution switch is root and active for each VLAN. With Rapid PVST+ this is straightforward; with MST it requires alignment of MST instances to FHRP groups.
Detail in Spanning Tree and First-Hop Redundancy: Aligning STP with HSRP/VRRP in the STP cluster.
Verification: Proving the Virtual MAC
The single most important thing to internalize about FHRP is that the virtual IP is an L2 abstraction, not an L3 route. The active router answers ARP for the virtual IP with a virtual MAC; it does not install the virtual IP as a /32 in the routing table. The show ip route output on R1 (the HSRP/VRRP/GLBP active for all three groups) makes this obvious:
R1# show ip route
10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
C 10.20.0.0/24 is directly connected, Ethernet0/0
L 10.20.0.1/32 is directly connected, Ethernet0/0
C 10.255.0.1/32 is directly connected, Loopback0None of 10.20.0.252, 10.20.0.253, or 10.20.0.254 appear. The router knows the subnet they live in but does not own them as routed addresses. They are pure ARP destinations.
From the perspective of any host on the LAN that has ARPed for all three virtual IPs, the three protocols announce three different virtual MAC ranges. R2 in this lab has pinged each virtual IP once, so its ARP table holds the full picture:
R2# show ip arp
Protocol Address Age (min) Hardware Addr Type Interface
Internet 10.20.0.1 3 aabb.cc00.0b00 ARPA Ethernet0/0
Internet 10.20.0.2 - aabb.cc00.0c00 ARPA Ethernet0/0
Internet 10.20.0.252 - 0007.b400.1e02 ARPA Ethernet0/0
Internet 10.20.0.253 0 0000.5e00.0114 ARPA Ethernet0/0
Internet 10.20.0.254 0 0000.0c9f.f00a ARPA Ethernet0/0Three virtual IPs, three different vendor prefixes. 0000.0c9f.fXXX for HSRPv2 (Cisco OUI 0000.0c meets the HSRP-specific 9f.f body). 0000.5e00.01XX for VRRP (an IANA-assigned range). 0007.b400.XXYY for GLBP (Cisco again, but a different sub-range, with the forwarder number baked into the last byte). None of these MAC addresses belongs to a physical interface on either router. When R1 fails, R2 starts answering ARP for the same virtual IPs with the same virtual MACs, and traffic continues. End hosts never re-ARP.
This is also why FHRPs work over arbitrary L2 topologies (a single switch, a stack, a VSS, a vPC, or a long L2 stretch) without help from the routing protocol. The protocol that makes the world resilient at the first hop is, mechanically, a small ARP trick.
HSRP vs VRRP vs GLBP
| Trait | HSRP | VRRP | GLBP |
|---|---|---|---|
| Vendor | Cisco | Open standard | Cisco |
| Active routers | 1 (others standby) | 1 (others backup) | Up to 4 (AVG + 3 AVFs) |
| Load balancing | Per-VLAN (different active per VLAN) | Per-VLAN | Per-host (within VLAN) |
| Default hello | 3 seconds | 1 second | 3 seconds |
| Multicast address | 224.0.0.2 (v1) / 224.0.0.102 (v2) | 224.0.0.18 | 224.0.0.102 |
| Virtual MAC range | 0000.0c07.acXX (v1) / 0000.0c9f.fXXX (v2) | 0000.5e00.01XX | 0007.b400.XXYY |
| Authentication | MD5, plain text | None (v3); plain text/MD5 (v2) | MD5, plain text |
| Use case | Cisco-only campus default | Multi-vendor environments | Cisco shops wanting load balancing without per-VLAN role assignment |
The three brief summaries side by side on R1 make the differences land. Same interface, three different protocols, three different group numbers:
R1# show standby brief
Interface Grp Pri P State Active Standby Virtual IP
Et0/0 10 110 P Active local 10.20.0.2 10.20.0.254
R1# show vrrp brief
Interface Grp Pri Time Own Pre State Master addr Group addr
Et0/0 20 110 3570 Y Master 10.20.0.1 10.20.0.253
R1# show glbp brief
Interface Grp Fwd Pri State Address Active router Standby router
Et0/0 30 - 110 Active 10.20.0.252 local 10.20.0.2
Et0/0 30 1 - Active 0007.b400.1e01 local -
Et0/0 30 2 - Listen 0007.b400.1e02 10.20.0.2 -HSRP and VRRP show one row per group (one active forwarder). GLBP shows three: the AVG row plus one row per AVF. That extra structure is the entire point of GLBP - traffic from a single LAN can be load-balanced across two routers without splitting VLANs.
For the full comparison see HSRP vs VRRP vs GLBP.
FHRP Deep Dives in This Cluster
- HSRP High Availability: Configure Cisco HSRP Step-by-Step
- VRRP Explained: The Vendor-Neutral FHRP
- GLBP for Active/Active Load Balancing
- HSRP vs VRRP vs GLBP: Choosing the Right FHRP
- Spanning Tree and First-Hop Redundancy: Aligning STP with HSRP/VRRP
FAQ
What does FHRP stand for?
FHRP stands for First Hop Redundancy Protocol. It refers to the family of protocols (HSRP, VRRP, GLBP) that provide gateway redundancy for end hosts.
What is the difference between HSRP and VRRP?
Functionally similar. HSRP is Cisco-proprietary; VRRP is the IETF standard. HSRP has slightly slower default timers (3-second Hello vs 1-second); VRRP has slightly faster failover. In a Cisco-only environment, HSRP is the dominant choice; in mixed-vendor, VRRP is required.
What makes GLBP different from HSRP and VRRP?
HSRP and VRRP have one active router per group, with others on standby. GLBP has up to four active forwarders simultaneously, each with its own virtual MAC. ARP responses from the AVG distribute hosts across the AVFs, providing per-host load balancing without per-VLAN role tuning.
What is HSRP priority and how does it work?
HSRP priority is a 0-255 value (default 100). Higher priority wins the active election. With preemption enabled, a higher-priority router that comes up will take over from a lower-priority active. Track interface state to lower priority when uplinks fail, so the standby takes over.
What is the virtual MAC for HSRP?
HSRPv1 uses 0000.0c07.acXX where XX is the group number in hex. HSRPv2 uses 0000.0c9f.fXXX where XXX is the 12-bit group in hex (since v2 supports groups 0-4095, which need 3 hex digits). End hosts ARP for the virtual IP and receive this MAC; they use it as the destination for all upstream traffic. Group 10 under v2, for example, resolves to 0000.0c9f.f00a.
Hands-on FHRP - HSRP, VRRP, and GLBP labs
Configure all three first-hop redundancy protocols on real Cisco IOS XE routers. Virtual MAC formats, priority manipulation, preemption, and GLBP active-active load balancing. Part of the 14-lab CCNA IP Connectivity cluster. Open the PingLabz CCNA Labs library.
Key Takeaways
FHRP is mandatory for any production network where users care about gateway uptime. Pick HSRP for Cisco-only environments, VRRP for multi-vendor, GLBP when you want active/active load balancing without per-VLAN tuning. Whichever you pick, align the active gateway with the STP root bridge per VLAN to avoid suboptimal traffic paths, and remember that the virtual IP is an ARP trick rather than a routing-table entry - which is why FHRP failover is sub-second and host-invisible. Bookmark this page, work through the cluster articles in order, and lab every failover.