First-hop redundancy protocols (list all 3 in order)

The first-hop redundancy protocols are: HSRP, VRRP, GLBP.

Definition of default gateway

A default gateway is the IP address of a router interface on the local network segment that a host uses to send traffic destined for remote networks.

A virtual IP is an IP address shared by a group of routers running an FHRP. Hosts use it as their default gateway, while one router at a time owns and answers for it.

A virtual MAC address is a MAC shared by an FHRP group. The active/master router uses it in ARP replies so frames sent to the gateway can transparently move between routers.

HSRP: Active vs Standby

In HSRP, the Active router forwards traffic for the virtual IP and MAC. The Standby router monitors hellos and takes over the virtual addresses if the Active fails.

Switched Virtual Interface, a virtual Layer 3 interface on a switch, commonly used as the default gateway for a VLAN.

Gateway Load Balancing Protocol, a Cisco-proprietary first-hop redundancy protocol that provides both redundancy and load balancing across multiple routers.

Hot Standby Router Protocol, a Cisco-proprietary first-hop redundancy protocol with Active and Standby roles that share a virtual IP and MAC address.

First-Hop Redundancy and Resilient Default Gateways — CCNA 200-301 Deep-Dive Masterclass: From Network Fundamentals to Automation

Q: You configured HSRP group 5 on two switches for VLAN 50. On SW1, `show standby brief` shows state Active for group 5 with VIP 10.50.50.254. On SW2, `show standby brief` shows state Listen for group 15 with VIP 10.50.50.254. Hosts in VLAN 50 cannot reach remote networks. What is the MOST likely cause?

The HSRP group number does not match on the two switches. For routers to participate in the same HSRP group, they must use the same group number and VIP on the same interface/subnet. SW1 is using group 5 while SW2 is using group 15, so they form separate logical groups. SW1 is the only active router, but if SW1's path to the hosts is broken, there is no functioning standby. Matching the group numbers on both switches is required. The other options describe possible issues, but the command output directly reveals the mismatched group number.

Why First-Hop Redundancy Matters

Single Gateway = Single Point of Failure

In a VLAN, all hosts use one default gateway. If that router interface fails, hosts instantly lose access to all remote networks, even if the rest of the network is fine.

Idea of First-Hop Redundancy

First-hop redundancy protocols let several routers cooperate to present a single virtual default gateway (one IP and MAC) so hosts stay online even if one router dies.

Protocols You Must Know

For CCNA you must know the three first-hop redundancy protocols: HSRP, VRRP, and GLBP. All use virtual IP and MAC addresses to provide gateway resiliency.

Where This Fits in Your Skills

You already know VLANs, inter-VLAN routing, and OSPFv2. First-hop redundancy adds high availability to those VLAN gateway interfaces so the campus stays reachable.

Virtual IP and Virtual MAC: The Illusion of a Single Gateway

Virtual IP (VIP)

A virtual IP is shared by multiple routers. Hosts set this VIP as their default gateway, so they never point at a specific physical router address.

Virtual MAC

A virtual MAC is also shared. The active router answers ARP for the VIP using this MAC, so hosts send frames to a MAC that can move between routers.

Roles: Active and Standby

One router is active/master and forwards traffic. Others are standby/backup. If the active fails, a standby takes over the same VIP and virtual MAC.

Why It Feels Seamless

Because the MAC and IP seen by hosts stay the same, hosts keep using their existing ARP entry. Their traffic is silently handled by a new router after failover.

Meet the FHRP Family: HSRP, VRRP, GLBP

Common Purpose

The first-hop redundancy protocols HSRP, VRRP, and GLBP all provide a resilient default gateway using a shared virtual IP and MAC address.

HSRP Basics

HSRP is Cisco-proprietary. One router is active, others are standby. It uses a group number and virtual IP per VLAN with tunable hello/hold timers.

VRRP Basics

VRRP is an open standard. One router is master, others are backup. Often the master’s real IP is also the virtual IP; behavior is similar to HSRP.

GLBP Basics

GLBP is Cisco-proprietary and supports both redundancy and load balancing. Multiple routers can forward at once using different virtual MAC addresses.

Designing a Resilient Default Gateway for a VLAN

Non-Redundant Design

Two L3 switches: DSW1 (192.168.10.1) and DSW2 (192.168.10.2). Hosts use 192.168.10.1 as default gateway. If DSW1 fails, VLAN 10 loses remote connectivity.

Adding a Virtual Gateway

Keep real IPs on each switch, but create a VIP 192.168.10.254 using HSRP/VRRP. All hosts set this VIP as their default gateway address.

Failover Behavior

One switch is active/master and owns the VIP and virtual MAC. On failure, the standby/backup takes over those virtual addresses and starts forwarding.

Host Perspective

Hosts keep using 192.168.10.254 and the same MAC in ARP. They are unaware that the physical device behind the virtual gateway has changed.

HSRP Fundamentals and Configuration Workflow

HSRP on Cisco IOS

HSRP is configured per interface, usually an SVI. It groups routers into a standby group that shares a virtual IP and virtual MAC for a VLAN gateway.

Key Config Elements

You must set: group number, virtual IP, optional priority, and optional preempt. Higher priority becomes active; preempt lets it take over when it returns.

Optional Enhancements

You can also tune hello/hold timers and configure tracking so HSRP can fail over when a critical interface or object goes down.

CCNA Expectations

For CCNA, be able to configure a basic two-router HSRP group and verify it with `show standby`, interpreting which router is active and which is standby.

Hands-On: Basic HSRP and VRRP Config for a VLAN Gateway

Compare side-by-side configurations for HSRP and VRRP on two Layer 3 switches acting as VLAN 10 gateways.

Verifying and Interpreting FHRP Status

Verification Commands

Use `show standby` / `show standby brief` for HSRP and `show vrrp` / `show vrrp brief` for VRRP to see group state, VIP, priority, and active/master router.

HSRP Status Fields

Look at State (Active/Standby), Virtual IP, Active router, Standby router, Priority, and whether preemption is enabled as expected.

VRRP Status Fields

For VRRP, check State (Master/Backup), Virtual IP, Master router, and priority values to ensure the right device is master.

End-to-End Testing

Ping the VIP from hosts and routers, inspect host ARP entries, and simulate failure (shut SVI/uplink) to confirm the standby/backup takes over correctly.

Thought Exercise: Mapping Traffic Flow During Failover

Work through this mental simulation to solidify how virtual IP and MAC addresses behave during normal operation and failover.

Scenario:

Two switches, SW1 and SW2, run HSRP group 20 for VLAN 20.
VIP: 10.20.20.254, virtual MAC: 0000.0c07.ac14 (example HSRP MAC for group 20).
SW1 is active (priority 120, preempt enabled); SW2 is standby (priority 100).
Host H1 has IP 10.20.20.10 and default gateway 10.20.20.254.

Step through these questions in your head (or jot answers):

Normal operation: When H1 pings 8.8.8.8, which MAC address does it use as the destination in the Ethernet frame? Which physical switch actually receives and forwards the frame?

SW1 failure: SW1 suddenly loses power.

What happens to HSRP hellos on SW2?
After the hold timer expires, which router now owns the VIP and virtual MAC?
Does H1 immediately send a new ARP request? Why or why not?

SW1 returns: SW1 powers back on.

With preempt enabled on SW1, what eventually happens to the active role?
Does H1 need to change its default gateway IP or MAC at any point in this whole process?

Reflect on your answers, then compare to the summary in your notes: the key is that the virtual MAC and IP remain constant from the host’s point of view, even as different physical routers take turns owning them.

Quiz 1: Core Concepts of FHRP

Answer this question to check your understanding of first-hop redundancy basics.

What is the main purpose of the first-hop redundancy protocols HSRP, VRRP, and GLBP in a campus network?

To dynamically assign IP addresses to hosts in a VLAN
To provide a resilient default gateway using a shared virtual IP and MAC address
To calculate the best path between routers using link-state information
To prevent Layer 2 loops by blocking redundant switch ports

Show Answer

Answer: B) To provide a resilient default gateway using a shared virtual IP and MAC address

HSRP, VRRP, and GLBP are first-hop redundancy protocols whose common purpose is to provide a resilient default gateway. They do this by sharing a virtual IP and virtual MAC among multiple routers, so hosts always have a working gateway even if one router fails. DHCP handles dynamic IP assignment, OSPFv2 handles link-state routing, and Spanning Tree Protocol prevents Layer 2 loops.

Quiz 2: Configuration and Troubleshooting

Test your ability to spot and reason about FHRP configuration issues.

You configured HSRP group 5 on two switches for VLAN 50. On SW1, `show standby brief` shows state Active for group 5 with VIP 10.50.50.254. On SW2, `show standby brief` shows state Listen for group 15 with VIP 10.50.50.254. Hosts in VLAN 50 cannot reach remote networks. What is the MOST likely cause?

The VIP is not in the same subnet as the SVI IP addresses
HSRP priorities are misconfigured, so no router becomes active
The HSRP group number does not match on the two switches
The default gateway on the hosts is set to the real IP of SW1 instead of the VIP

Show Answer

Answer: C) The HSRP group number does not match on the two switches

For routers to participate in the same HSRP group, they must use the same group number and VIP on the same interface/subnet. SW1 is using group 5 while SW2 is using group 15, so they form separate logical groups. SW1 is the only active router, but if SW1's path to the hosts is broken, there is no functioning standby. Matching the group numbers on both switches is required. The other options describe possible issues, but the command output directly reveals the mismatched group number.

Flashcards: Key FHRP Terms and Facts

Use these flashcards to reinforce core terminology and behaviors for first-hop redundancy.

First-hop redundancy protocols (list all 3 in order): The first-hop redundancy protocols are: HSRP, VRRP, GLBP.
Definition of default gateway: A default gateway is the IP address of a router interface on the local network segment that a host uses to send traffic destined for remote networks.
Virtual IP (VIP): A virtual IP is an IP address shared by a group of routers running an FHRP. Hosts use it as their default gateway, while one router at a time owns and answers for it.
Virtual MAC address: A virtual MAC address is a MAC shared by an FHRP group. The active/master router uses it in ARP replies so frames sent to the gateway can transparently move between routers.
HSRP: Active vs Standby: In HSRP, the Active router forwards traffic for the virtual IP and MAC. The Standby router monitors hellos and takes over the virtual addresses if the Active fails.
VRRP: Master vs Backup: In VRRP, the Master router forwards traffic for the virtual IP and MAC. Backup routers listen and take over if the Master becomes unavailable.
HSRP priority and preempt: Higher HSRP priority wins the Active role. With preempt enabled, a higher-priority router can reclaim Active status when it comes back online after a failure.
Key HSRP show command: `show standby` (and `show standby brief`) display HSRP group state, VIP, priority, and which router is Active or Standby on each interface.
Key VRRP show command: `show vrrp` (and `show vrrp brief`) display VRRP state, VIP, priority, and which router is Master or Backup on each interface.
Common misconfiguration affecting gateway availability: Mismatched HSRP/VRRP group numbers or VIPs between routers cause them to form separate groups, preventing proper Active/Standby or Master/Backup redundancy.

Common Pitfalls and Exam-Oriented Tips

Wrong Default Gateway on Hosts

If hosts use a physical IP instead of the VIP, FHRP adds no resiliency. Exam items often hide this by showing correct HSRP but incorrect host gateway settings.

Group and VIP Mismatches

Routers must share group number, VIP, and subnet. Mismatches cause separate groups or no redundancy. Look for different group IDs in `show standby` outputs.

Interface and Subnet Issues

An SVI that is down or mis-addressed breaks FHRP. Always cross-check with `show ip interface brief` when troubleshooting why a router is not active/standby.

Preempt and Exam Focus

Know how preempt changes which router is active/master after recovery and be ready to list HSRP, VRRP, GLBP and explain their shared goal: a resilient default gateway.

Key Terms

SVI: Switched Virtual Interface, a virtual Layer 3 interface on a switch, commonly used as the default gateway for a VLAN.
GLBP: Gateway Load Balancing Protocol, a Cisco-proprietary first-hop redundancy protocol that provides both redundancy and load balancing across multiple routers.
HSRP: Hot Standby Router Protocol, a Cisco-proprietary first-hop redundancy protocol with Active and Standby roles that share a virtual IP and MAC address.
VRRP: Virtual Router Redundancy Protocol, an open-standard first-hop redundancy protocol with Master and Backup roles that share a virtual IP and MAC address.
Preempt: An FHRP feature that allows a higher-priority router to take over the active/master role when it comes back online after a failure.
HSRP priority: A numeric value that determines which router should be Active when multiple routers are in the same HSRP group; higher priority wins.
default gateway: A default gateway is the IP address of a router interface on the local network segment that a host uses to send traffic destined for remote networks.
Virtual IP (VIP): An IP address that is not tied to a single physical interface but is shared by an FHRP group and used by hosts as their default gateway.
Virtual MAC address: A MAC address shared by an FHRP group; the router currently in the active/master role uses it to receive frames sent to the virtual gateway.
First-hop redundancy protocols: A family of protocols (HSRP, VRRP, GLBP) that allow multiple routers to share a virtual IP and MAC address so hosts have a resilient default gateway.

Why First-Hop Redundancy Matters

Single Gateway = Single Point of Failure

Idea of First-Hop Redundancy

Protocols You Must Know

Where This Fits in Your Skills

Virtual IP and Virtual MAC: The Illusion of a Single Gateway

Virtual IP (VIP)

Virtual MAC

Roles: Active and Standby

Why It Feels Seamless

Meet the FHRP Family: HSRP, VRRP, GLBP

Common Purpose

HSRP Basics

VRRP Basics

GLBP Basics

Designing a Resilient Default Gateway for a VLAN

Non-Redundant Design

Adding a Virtual Gateway

Failover Behavior

Host Perspective

HSRP Fundamentals and Configuration Workflow

HSRP on Cisco IOS

Key Config Elements

Optional Enhancements

CCNA Expectations

Hands-On: Basic HSRP and VRRP Config for a VLAN Gateway

Verifying and Interpreting FHRP Status

Verification Commands

HSRP Status Fields

VRRP Status Fields

End-to-End Testing

Thought Exercise: Mapping Traffic Flow During Failover

Quiz 1: Core Concepts of FHRP

Quiz 2: Configuration and Troubleshooting

Flashcards: Key FHRP Terms and Facts

Common Pitfalls and Exam-Oriented Tips

Wrong Default Gateway on Hosts

Group and VIP Mismatches

Interface and Subnet Issues

Preempt and Exam Focus

Key Terms

Finished reading?