How to Configure VRRP (Virtual Router Redundancy Protocol) on Cisco – Complete Configuration Guide

Last updated: 21-01-2026

What is VRRP?

VRRP (Virtual Router Redundancy Protocol) is an industry-standard protocol (RFC 5798) that provides automatic gateway failover for high availability. VRRP allows multiple routers to work together in a group, presenting themselves as a single virtual router with a virtual IP address that serves as the default gateway for hosts.

When the primary (master) router fails, a backup router automatically takes over, ensuring uninterrupted network connectivity with minimal downtime.

Key Features of VRRP

  • Industry Standard: RFC 5798 (open standard, vendor-neutral)
  • Election Process: Automatic master election based on priority
  • Virtual IP: Single virtual IP shared among group members
  • Preemption: Higher priority router can reclaim master role
  • Multicast Address: Uses 224.0.0.18 for VRRP advertisements
  • Protocol Number: IP protocol 112
  • Advertisement Interval: Default 1 second (configurable)

How VRRP Works

VRRP operates by creating a virtual router with a virtual IP address (VIP) and virtual MAC address. One router in the VRRP group becomes the Master, while others remain in Backup state.

VRRP States

  • Initialize: Router startup state, learning VRRP configuration
  • Backup: Router is ready to become Master if needed
  • Master: Router actively forwarding traffic for the virtual IP

Election Process

  1. Routers exchange VRRP advertisements containing priority values (0-255)
  2. Router with highest priority becomes Master (default priority is 100)
  3. If priorities are equal, router with highest IP address wins
  4. Master sends advertisements every 1 second (default)
  5. Backup routers listen for advertisements
  6. If Master fails (no advertisements for 3 intervals), Backup takes over

Virtual MAC Address

VRRP uses a virtual MAC address in the format: 0000.5E00.01XX where XX is the VRRP group number in hexadecimal.

Example: VRRP Group 10 = 0000.5E00.010A

Prerequisites for VRRP Configuration

  • Two or more routers/Layer 3 switches with VRRP support
  • Routers must be in the same IP subnet
  • IP connectivity between routers
  • Same VRRP group number on all participating routers
  • Virtual IP address must be in the same subnet as interface IPs
  • Cisco IOS version that supports VRRP (most modern IOS versions)

Basic VRRP Configuration

Network Topology

Scenario: Two routers providing redundant default gateway for VLAN 10

  • Virtual IP (Gateway): 192.168.10.1
  • Router 1 IP: 192.168.10.2 (Master - Priority 110)
  • Router 2 IP: 192.168.10.3 (Backup - Priority 100)
  • VRRP Group: 10

Router 1 Configuration (Master)

configure terminal
interface GigabitEthernet 0/0
 description *** VLAN 10 Gateway ***
 ip address 192.168.10.2 255.255.255.0
 vrrp 10 ip 192.168.10.1
 vrrp 10 priority 110
 vrrp 10 preempt
 no shutdown
exit

Router 2 Configuration (Backup)

configure terminal
interface GigabitEthernet 0/0
 description *** VLAN 10 Gateway Backup ***
 ip address 192.168.10.3 255.255.255.0
 vrrp 10 ip 192.168.10.1
 vrrp 10 priority 100
 vrrp 10 preempt
 no shutdown
exit

Explanation:

  • vrrp 10 ip 192.168.10.1 - Defines VRRP group 10 with virtual IP
  • vrrp 10 priority 110 - Sets priority (higher = preferred Master)
  • vrrp 10 preempt - Allows router to reclaim Master role when it recovers

Advanced VRRP Configuration Options

Configure Advertisement Interval

interface GigabitEthernet 0/0
 vrrp 10 timers advertise 3
exit

Sets advertisement interval to 3 seconds (default is 1 second)

Configure Preempt Delay

interface GigabitEthernet 0/0
 vrrp 10 preempt delay minimum 60
exit

Delays preemption for 60 seconds after router comes online (prevents flapping)

Authentication (Optional)

interface GigabitEthernet 0/0
 vrrp 10 authentication text MySecretKey
exit

Note: Plain text authentication is deprecated. Use IPsec for secure VRRP

Track Interface (Object Tracking)

configure terminal
track 1 interface GigabitEthernet 0/1 line-protocol
exit

interface GigabitEthernet 0/0
 vrrp 10 track 1 decrement 20
exit

Decrements priority by 20 if GigabitEthernet 0/1 goes down. Useful for tracking uplink connectivity.

Configure Description

interface GigabitEthernet 0/0
 vrrp 10 description Primary-Gateway-VLAN10
exit

Multiple VRRP Groups (Load Balancing)

You can configure multiple VRRP groups on the same interface to achieve load balancing by having different routers serve as Master for different VLANs.

Router 1 Configuration

configure terminal
interface GigabitEthernet 0/0.10
 description *** VLAN 10 ***
 encapsulation dot1Q 10
 ip address 192.168.10.2 255.255.255.0
 vrrp 10 ip 192.168.10.1
 vrrp 10 priority 110
 vrrp 10 preempt
exit

interface GigabitEthernet 0/0.20
 description *** VLAN 20 ***
 encapsulation dot1Q 20
 ip address 192.168.20.2 255.255.255.0
 vrrp 20 ip 192.168.20.1
 vrrp 20 priority 90
 vrrp 20 preempt
exit

Router 2 Configuration

configure terminal
interface GigabitEthernet 0/0.10
 description *** VLAN 10 ***
 encapsulation dot1Q 10
 ip address 192.168.10.3 255.255.255.0
 vrrp 10 ip 192.168.10.1
 vrrp 10 priority 90
 vrrp 10 preempt
exit

interface GigabitEthernet 0/0.20
 description *** VLAN 20 ***
 encapsulation dot1Q 20
 ip address 192.168.20.3 255.255.255.0
 vrrp 20 ip 192.168.20.1
 vrrp 20 priority 110
 vrrp 20 preempt
exit

Result: Router 1 is Master for VLAN 10, Router 2 is Master for VLAN 20, providing load distribution.

VRRP Verification Commands

Show VRRP Status

show vrrp

Displays VRRP configuration and status for all groups

Show VRRP Brief

show vrrp brief

Displays summary of VRRP groups

Show Specific VRRP Group

show vrrp interface GigabitEthernet 0/0

Shows VRRP information for specific interface

Show VRRP Statistics

show vrrp statistics

Displays VRRP packet statistics

Example Output Interpretation

GigabitEthernet0/0 - Group 10
  State is Master
  Virtual IP address is 192.168.10.1
  Virtual MAC address is 0000.5e00.010a
  Advertisement interval is 1.000 sec
  Preemption enabled
  Priority is 110
  Master Router is 192.168.10.2 (local), priority is 110
  Master Advertisement interval is 1.000 sec
  Master Down interval is 3.609 sec

Key Fields:

  • State: Master, Backup, or Initialize
  • Virtual IP: The shared gateway IP
  • Virtual MAC: MAC address for the virtual router
  • Priority: Current priority value
  • Master Router: IP of current Master (local or remote)

Troubleshooting VRRP

Debug VRRP

debug vrrp all
debug vrrp events
debug vrrp packets

Warning: Use debug carefully in production. Disable after troubleshooting:

no debug all
undebug all

Common Issues and Solutions

Issue 1: Both Routers Claim to be Master

Cause: No connectivity between routers, blocking multicast

Solution:

# Verify connectivity
ping 192.168.10.3 source 192.168.10.2

# Check for ACLs blocking VRRP (IP protocol 112)
show ip access-lists

# Check multicast routing
show ip mroute 224.0.0.18

Issue 2: VRRP Not Forming

Check:

show vrrp
show ip interface brief
show run interface GigabitEthernet 0/0

Common Causes:

  • Virtual IP not in same subnet as interface IP
  • Different VRRP group numbers
  • Interface down or administratively down
  • Firewall/ACL blocking VRRP packets

Issue 3: Frequent Master Changes (Flapping)

Solution:

# Increase advertisement interval
interface GigabitEthernet 0/0
 vrrp 10 timers advertise 3

# Add preempt delay
 vrrp 10 preempt delay minimum 60
exit

Issue 4: Wrong Router Becomes Master

Check priorities:

show vrrp | include Priority

Adjust priority:

interface GigabitEthernet 0/0
 vrrp 10 priority 120
exit

VRRP Best Practices

  • Enable preemption: Ensures preferred Master reclaims role after recovery
  • Use preempt delay: Prevents flapping during network instability
  • Consistent group numbers: Use same group number across all VRRP participants
  • Priority planning: Master should have priority 110+, Backup 100 or less
  • Track critical interfaces: Use object tracking for uplink monitoring
  • Document configuration: Clearly label which router should be Master
  • Test failover: Regularly test failover in maintenance windows
  • Monitor VRRP state: Use SNMP or syslog to alert on state changes
  • Avoid authentication: Use IPsec instead of weak text authentication
  • Load balancing: Use multiple VRRP groups for active-active setups
  • Subnet consistency: Ensure virtual IP is in same subnet as physical IPs

Complete Configuration Example

! Router 1 - Primary VRRP Master
hostname R1

! Configure object tracking for uplink
track 1 interface GigabitEthernet 0/1 line-protocol

! VLAN 10 Configuration
interface GigabitEthernet 0/0
 description *** LAN Interface VLAN 10 ***
 ip address 192.168.10.2 255.255.255.0
 vrrp 10 ip 192.168.10.1
 vrrp 10 description Primary-Gateway-VLAN10
 vrrp 10 priority 110
 vrrp 10 preempt
 vrrp 10 preempt delay minimum 30
 vrrp 10 track 1 decrement 20
 no shutdown
exit

! Uplink Interface
interface GigabitEthernet 0/1
 description *** Uplink to ISP ***
 ip address 203.0.113.2 255.255.255.252
 no shutdown
exit

! Save configuration
end
write memory
        
! Router 2 - Backup VRRP Router
hostname R2

! Configure object tracking for uplink
track 1 interface GigabitEthernet 0/1 line-protocol

! VLAN 10 Configuration
interface GigabitEthernet 0/0
 description *** LAN Interface VLAN 10 ***
 ip address 192.168.10.3 255.255.255.0
 vrrp 10 ip 192.168.10.1
 vrrp 10 description Backup-Gateway-VLAN10
 vrrp 10 priority 100
 vrrp 10 preempt
 vrrp 10 preempt delay minimum 30
 vrrp 10 track 1 decrement 20
 no shutdown
exit

! Uplink Interface
interface GigabitEthernet 0/1
 description *** Uplink to ISP ***
 ip address 203.0.113.6 255.255.255.252
 no shutdown
exit

! Save configuration
end
write memory

VRRP Configuration Checklist

  • ☐ Both routers have IP connectivity in same subnet
  • ☐ Same VRRP group number configured on both routers
  • ☐ Virtual IP is in same subnet as interface IPs
  • ☐ Priority set higher on preferred Master router
  • ☐ Preemption enabled on both routers
  • ☐ Preempt delay configured to prevent flapping
  • ☐ Object tracking configured for critical interfaces
  • ☐ VRRP state verified with show commands
  • ☐ Failover tested in maintenance window
  • ☐ Configuration saved on both routers

Quick Reference Command Summary

! Basic Configuration
interface GigabitEthernet 0/0
 ip address 192.168.10.2 255.255.255.0
 vrrp 10 ip 192.168.10.1
 vrrp 10 priority 110
 vrrp 10 preempt

! Advanced Options
 vrrp 10 timers advertise 3
 vrrp 10 preempt delay minimum 60
 vrrp 10 description My-Gateway
 vrrp 10 track 1 decrement 20

! Verification
show vrrp
show vrrp brief
show vrrp interface GigabitEthernet 0/0
show vrrp statistics

! Troubleshooting
debug vrrp events
debug vrrp packets
show track

Conclusion

VRRP provides robust, standards-based gateway redundancy for network high availability. As an industry-standard protocol, VRRP works across multiple vendors and provides automatic failover with minimal configuration complexity.

Proper VRRP configuration with appropriate priority settings, preemption, and object tracking ensures that your network maintains connectivity even during router failures or maintenance. By following best practices and thoroughly testing failover scenarios, you can build a resilient network infrastructure that provides seamless gateway redundancy for your users.

Remember to configure both routers identically except for priority values, test failover regularly, and monitor VRRP state changes to maintain optimal network availability.