Gateway Redundancy Protocols – Complete Guide to HSRP, VRRP, and GLBP with Configuration Examples
What are Gateway Redundancy Protocols?
Gateway Redundancy Protocols (also called First Hop Redundancy Protocols or FHRP) provide automatic failover of the default gateway in a network. When the primary gateway fails, a backup gateway automatically takes over, ensuring uninterrupted network connectivity with minimal downtime.
Without gateway redundancy, if the default gateway router fails, all hosts lose their Internet and inter-VLAN connectivity until the router is restored or hosts are manually reconfigured to use a different gateway.
Why Use Gateway Redundancy?
- High Availability: Eliminates single point of failure for default gateway
- Automatic Failover: No manual intervention required during failures
- Seamless Transition: Users experience minimal or no downtime
- Load Balancing: Some protocols support traffic distribution (GLBP)
- Business Continuity: Critical for production environments
Three Main Gateway Redundancy Protocols
1. HSRP (Hot Standby Router Protocol)
- Vendor: Cisco Proprietary
- Standard: RFC 2281 (informational only)
- Version: HSRPv1 and HSRPv2
- Virtual MAC: 0000.0C07.ACXX (v1), 0000.0C9F.FXXX (v2)
- Multicast: 224.0.0.2 (v1), 224.0.0.102 (v2)
- Hello Time: 3 seconds (default)
- Hold Time: 10 seconds (default)
- Active Routers: One Active, one or more Standby
2. VRRP (Virtual Router Redundancy Protocol)
- Vendor: Industry Standard (RFC 5798)
- Standard: Open standard, vendor-neutral
- Virtual MAC: 0000.5E00.01XX
- Multicast: 224.0.0.18
- Hello Time: 1 second (default)
- Protocol: IP protocol 112
- Active Routers: One Master, others Backup
3. GLBP (Gateway Load Balancing Protocol)
- Vendor: Cisco Proprietary
- Standard: No RFC
- Virtual MAC: 0007.B400.XXYY
- Multicast: 224.0.0.102
- Hello Time: 3 seconds (default)
- Hold Time: 10 seconds (default)
- Active Routers: Up to 4 Active Virtual Forwarders (AVF)
- Load Balancing: Yes (unique feature)
Protocol Comparison
Prerequisites for Gateway Redundancy Protocols
- Two or more routers or Layer 3 switches
- Routers must be in the same IP subnet
- IP connectivity between routers
- Same protocol configured on all participating routers
- Same group number on all routers (for HSRP/GLBP)
- Virtual IP must be in same subnet as interface IPs
- For HSRP/GLBP: Cisco IOS that supports the protocol
- For VRRP: Any vendor supporting RFC 5798
HSRP (Hot Standby Router Protocol)
How HSRP Works
HSRP creates a virtual router with a virtual IP address and virtual MAC address. One router becomes the Active router, one becomes the Standby router, and others remain in Listen state.
HSRP States
- Initial: Router starts, HSRP not yet configured or enabled
- Learn: Router waits to hear from Active router
- Listen: Router knows virtual IP, listens for hellos
- Speak: Router sends hello messages, participating in election
- Standby: Router is ready to become Active
- Active: Router forwards traffic for virtual IP
HSRP Version Differences
- HSRPv1: Group numbers 0-255, IPv4 only
- HSRPv2: Group numbers 0-4095, supports IPv6, improved timers
Basic HSRP Configuration
Scenario
- Virtual IP (Gateway): 192.168.10.1
- Router 1 IP: 192.168.10.2 (Active - Priority 110)
- Router 2 IP: 192.168.10.3 (Standby - Priority 100)
- HSRP Group: 10
configure terminal
interface GigabitEthernet 0/0
description *** VLAN 10 Gateway ***
ip address 192.168.10.2 255.255.255.0
standby version 2
standby 10 ip 192.168.10.1
standby 10 priority 110
standby 10 preempt
no shutdown
exit
end
write memory
configure terminal
interface GigabitEthernet 0/0
description *** VLAN 10 Gateway Backup ***
ip address 192.168.10.3 255.255.255.0
standby version 2
standby 10 ip 192.168.10.1
standby 10 priority 100
standby 10 preempt
no shutdown
exit
end
write memory
Advanced HSRP Configuration
Interface Tracking
interface GigabitEthernet 0/0 standby 10 track GigabitEthernet 0/1 20 exit
Decrements priority by 20 if Gi0/1 goes down
Timer Configuration
interface GigabitEthernet 0/0 standby 10 timers 1 3 exit
Hello time: 1 second, Hold time: 3 seconds
Authentication
interface GigabitEthernet 0/0 standby 10 authentication md5 key-string MySecretKey exit
Preempt Delay
interface GigabitEthernet 0/0 standby 10 preempt delay minimum 60 exit
HSRP Verification
show standby show standby brief show standby GigabitEthernet 0/0
VRRP (Virtual Router Redundancy Protocol)
How VRRP Works
VRRP is an industry-standard protocol that creates a virtual router. One router becomes the Master, while others remain in Backup state.
VRRP States
- Initialize: Router startup, learning configuration
- Backup: Router monitors Master, ready to take over
- Master: Router actively forwarding traffic
Basic VRRP Configuration
Scenario
- Virtual IP (Gateway): 192.168.10.1
- Router 1 IP: 192.168.10.2 (Master - Priority 110)
- Router 2 IP: 192.168.10.3 (Backup - Priority 100)
- VRRP Group: 10
configure terminal
interface GigabitEthernet 0/0
description *** VLAN 10 Gateway ***
ip address 192.168.10.2 255.255.255.0
vrrp 10 ip 192.168.10.1
vrrp 10 priority 110
vrrp 10 preempt
no shutdown
exit
end
write memory
configure terminal
interface GigabitEthernet 0/0
description *** VLAN 10 Gateway Backup ***
ip address 192.168.10.3 255.255.255.0
vrrp 10 ip 192.168.10.1
vrrp 10 priority 100
vrrp 10 preempt
no shutdown
exit
end
write memory
Advanced VRRP Configuration
Object Tracking
track 1 interface GigabitEthernet 0/1 line-protocol interface GigabitEthernet 0/0 vrrp 10 track 1 decrement 20 exit
Timer Configuration
interface GigabitEthernet 0/0 vrrp 10 timers advertise 3 exit
Preempt Delay
interface GigabitEthernet 0/0 vrrp 10 preempt delay minimum 60 exit
VRRP Verification
show vrrp show vrrp brief show vrrp interface GigabitEthernet 0/0
GLBP (Gateway Load Balancing Protocol)
How GLBP Works
GLBP is unique because it provides both redundancy and load balancing. Unlike HSRP and VRRP where only one router forwards traffic, GLBP allows up to 4 routers to simultaneously forward traffic.
GLBP Terminology
- AVG (Active Virtual Gateway): Elected router that assigns virtual MAC addresses
- AVF (Active Virtual Forwarder): Router actively forwarding traffic (up to 4)
- Virtual MAC: Each AVF gets a unique virtual MAC address
GLBP Load Balancing Methods
- Round-robin: Default, distributes load equally
- Weighted: Based on configured weight values
- Host-dependent: Same host always uses same gateway
Basic GLBP Configuration
Scenario
- Virtual IP (Gateway): 192.168.10.1
- Router 1 IP: 192.168.10.2 (Priority 110)
- Router 2 IP: 192.168.10.3 (Priority 100)
- GLBP Group: 10
configure terminal
interface GigabitEthernet 0/0
description *** VLAN 10 Gateway ***
ip address 192.168.10.2 255.255.255.0
glbp 10 ip 192.168.10.1
glbp 10 priority 110
glbp 10 preempt
glbp 10 load-balancing round-robin
no shutdown
exit
end
write memory
configure terminal
interface GigabitEthernet 0/0
description *** VLAN 10 Gateway ***
ip address 192.168.10.3 255.255.255.0
glbp 10 ip 192.168.10.1
glbp 10 priority 100
glbp 10 preempt
glbp 10 load-balancing round-robin
no shutdown
exit
end
write memory
Advanced GLBP Configuration
Weighted Load Balancing
interface GigabitEthernet 0/0 glbp 10 weighting 150 glbp 10 load-balancing weighted exit
Interface Tracking
interface GigabitEthernet 0/0 glbp 10 weighting track 1 decrement 20 exit track 1 interface GigabitEthernet 0/1 line-protocol
Timer Configuration
interface GigabitEthernet 0/0 glbp 10 timers 3 10 exit
Hello: 3 seconds, Hold: 10 seconds
Preempt Delay
interface GigabitEthernet 0/0 glbp 10 preempt delay minimum 60 exit
GLBP Verification
show glbp show glbp brief show glbp GigabitEthernet 0/0
Complete Configuration Examples
Dual-VLAN HSRP Configuration (Load Distribution)
Configure HSRP so Router 1 is Active for VLAN 10 and Router 2 is Active for VLAN 20, providing load distribution.
! Router 1 - Active for VLAN 10, Standby for VLAN 20
configure terminal
interface GigabitEthernet 0/0.10
description *** VLAN 10 ***
encapsulation dot1Q 10
ip address 192.168.10.2 255.255.255.0
standby version 2
standby 10 ip 192.168.10.1
standby 10 priority 110
standby 10 preempt
exit
interface GigabitEthernet 0/0.20
description *** VLAN 20 ***
encapsulation dot1Q 20
ip address 192.168.20.2 255.255.255.0
standby version 2
standby 20 ip 192.168.20.1
standby 20 priority 90
standby 20 preempt
exit
end
write memory
! Router 2 - Standby for VLAN 10, Active for VLAN 20
configure terminal
interface GigabitEthernet 0/0.10
description *** VLAN 10 ***
encapsulation dot1Q 10
ip address 192.168.10.3 255.255.255.0
standby version 2
standby 10 ip 192.168.10.1
standby 10 priority 90
standby 10 preempt
exit
interface GigabitEthernet 0/0.20
description *** VLAN 20 ***
encapsulation dot1Q 20
ip address 192.168.20.3 255.255.255.0
standby version 2
standby 20 ip 192.168.20.1
standby 20 priority 110
standby 20 preempt
exit
end
write memory
Troubleshooting Gateway Redundancy Protocols
HSRP Troubleshooting
! Verify HSRP status show standby show standby brief ! Check for mismatches show standby | include Group show standby | include Priority ! Debug HSRP debug standby debug standby events debug standby packets ! Stop debug undebug all
VRRP Troubleshooting
! Verify VRRP status show vrrp show vrrp brief ! Debug VRRP debug vrrp events debug vrrp packets ! Stop debug undebug all
GLBP Troubleshooting
! Verify GLBP status show glbp show glbp brief ! Debug GLBP debug glbp events debug glbp packets ! Stop debug undebug all
Common Issues
Issue 1: Both Routers Claim Active/Master Role
Cause: No connectivity between routers or multicast blocked
Solution:
! Verify IP connectivity ping 192.168.10.3 source 192.168.10.2 ! Check for ACLs blocking multicast show ip access-lists ! Verify interfaces show ip interface brief
Issue 2: Wrong Router is Active/Master
Check priorities:
show standby | include Priority show vrrp | include Priority show glbp | include Priority
Issue 3: Frequent State Changes (Flapping)
Solutions:
! Increase timers standby 10 timers 5 15 ! Add preempt delay standby 10 preempt delay minimum 60
Best Practices
- Use VRRP for multi-vendor: Industry standard, works everywhere
- Use GLBP for load balancing: Only protocol supporting active-active
- Use HSRP for Cisco-only: Well established, widely deployed
- Enable preemption: Ensures preferred router reclaims role
- Use preempt delay: Prevents flapping (60+ seconds recommended)
- Configure tracking: Monitor uplink interfaces for failures
- Use authentication: MD5 authentication recommended
- Document priorities: Clearly define which router should be primary
- Test failover: Regularly test in maintenance windows
- Monitor state changes: Set up SNMP/syslog alerts
- Plan priority values: Active/Master should be 110+, Standby/Backup 100 or less
- Use consistent group numbers: Keep group numbers organized and documented
When to Use Which Protocol
Use HSRP When:
- All devices are Cisco equipment
- Active/Standby model is sufficient
- Simple configuration required
- Well-established protocol with extensive documentation needed
- Support team familiar with HSRP
Use VRRP When:
- Multi-vendor environment
- Industry standard protocol required
- Compliance requires open standards
- Maximum portability needed
- Working with non-Cisco equipment
Use GLBP When:
- Load balancing across gateways needed
- All devices are Cisco equipment
- Maximum bandwidth utilization required
- Four or fewer routers in redundancy group
- Active-active gateway design preferred
Quick Reference Command Summary
HSRP Commands
! Configuration interface GigabitEthernet 0/0 standby version 2 standby 10 ip 192.168.10.1 standby 10 priority 110 standby 10 preempt standby 10 preempt delay minimum 60 standby 10 track GigabitEthernet 0/1 20 standby 10 authentication md5 key-string MyKey ! Verification show standby show standby brief show standby GigabitEthernet 0/0 ! Debug debug standby events undebug all
VRRP Commands
! Configuration interface GigabitEthernet 0/0 vrrp 10 ip 192.168.10.1 vrrp 10 priority 110 vrrp 10 preempt vrrp 10 preempt delay minimum 60 vrrp 10 track 1 decrement 20 vrrp 10 timers advertise 3 track 1 interface GigabitEthernet 0/1 line-protocol ! Verification show vrrp show vrrp brief show vrrp interface GigabitEthernet 0/0 ! Debug debug vrrp events undebug all
GLBP Commands
! Configuration interface GigabitEthernet 0/0 glbp 10 ip 192.168.10.1 glbp 10 priority 110 glbp 10 preempt glbp 10 preempt delay minimum 60 glbp 10 load-balancing round-robin glbp 10 weighting 150 glbp 10 weighting track 1 decrement 20 track 1 interface GigabitEthernet 0/1 line-protocol ! Verification show glbp show glbp brief show glbp GigabitEthernet 0/0 ! Debug debug glbp events undebug all
Configuration Checklist
- ☐ Both routers have IP connectivity in same subnet
- ☐ Same protocol (HSRP/VRRP/GLBP) configured on both routers
- ☐ Same group number configured on both routers
- ☐ Virtual IP is in same subnet as interface IPs
- ☐ Priority set higher on preferred primary router
- ☐ Preemption enabled on both routers
- ☐ Preempt delay configured (60+ seconds recommended)
- ☐ Interface tracking configured for critical links
- ☐ Authentication configured (optional but recommended)
- ☐ Protocol state verified with show commands
- ☐ Failover tested in maintenance window
- ☐ Configuration saved on both routers
- ☐ Monitoring/alerting configured for state changes
Conclusion
Gateway redundancy protocols (HSRP, VRRP, GLBP) are essential for building highly available networks. Each protocol serves specific use cases: HSRP for Cisco-only environments, VRRP for multi-vendor deployments, and GLBP when load balancing is required.
Proper configuration with appropriate priority settings, preemption with delay, and interface tracking ensures seamless failover with minimal downtime. VRRP is generally recommended for new deployments due to its industry-standard nature and multi-vendor support, while GLBP provides unique load-balancing capabilities unavailable in other protocols.
Remember that these protocols provide redundancy at Layer 3 (gateway level) and should be combined with other redundancy mechanisms at Layer 2 (such as EtherChannel) and Layer 1 (diverse physical paths) for comprehensive network resilience. Regular testing of failover scenarios and monitoring of protocol state changes are critical for maintaining optimal network availability.
Whether deploying HSRP, VRRP, or GLBP, following best practices—including enabling preemption with delay, configuring interface tracking, using authentication, and thoroughly testing failover—ensures your network provides the high availability that modern business applications demand.