Chapter 17 of 29
First-Hop Redundancy: Keeping the Default Gateway Always Available
Protect default gateway availability with first-hop redundancy so hosts keep reaching remote networks even when a router fails.
Why First-Hop Redundancy Matters
The First Hop Problem
The first router a host talks to is the "first hop". If it fails, users often lose all access to remote networks, even if your core routing (for example OSPFv2) is still working.
Default Gateway Dependency
A default gateway is the IP address of a router interface on the local network segment that a host uses to send traffic destined for remote networks. If that IP goes dark, hosts are stranded.
Enter FHRPs
First-hop redundancy protocols let multiple routers share a virtual IP and MAC so they look like one default gateway. If one router fails, another takes over that virtual identity.
Protocols in Scope
For CCNA you focus on HSRP (Cisco-proprietary) and VRRP (open standard). Both solve the same problem: keep the default gateway reachable even if a router dies.
Core Concepts: Virtual IP, Virtual MAC, and Roles
Virtual Gateway Identity
FHRPs introduce a virtual IP and virtual MAC. Hosts use the virtual IP as their default gateway, and switches forward to the virtual MAC, which moves between routers as needed.
Router Roles
Only one router is active (HSRP) or master (VRRP) at a time. Others are standby or backup, listening for failure and ready to take over the virtual IP and MAC.
ARP and the Virtual MAC
Hosts ARP for the default gateway IP. The active/master replies with the virtual MAC. Switches learn that MAC on the active router’s port and send all gateway-bound frames there.
Failover Behavior
When the active/master fails, a standby/backup starts using the same virtual MAC and IP. From the hosts’ perspective, the gateway IP and MAC stay the same, so no changes are needed.
Visualizing First-Hop Redundancy on a VLAN
Baseline Topology
VLAN 10: 192.168.10.0/24 with two routers, R1 and R2. Users should use 192.168.10.1 as their default gateway, but you do not want that tied to a single physical device.
Without FHRP
If R1 owns 192.168.10.1 and fails, every host loses remote connectivity until you manually move the IP or reconfigure hosts. There is no automatic first-hop failover.
With FHRP
R1 and R2 have real IPs (for example .2 and .3). They share a virtual IP 192.168.10.1 and a virtual MAC. R1 is active/master and forwards for the virtual IP.
Failover in Action
If R1 fails, R2 takes over the virtual IP and MAC. Hosts still send to 192.168.10.1, unaware of the change. Only the switch’s MAC table updates to R2’s port.
HSRP Fundamentals (Cisco Focus)
HSRP Groups
HSRP runs per interface in groups. Each group has a virtual IP and MAC, plus one active and one standby router. Other routers in the group sit in listen state.
HSRPv1 vs HSRPv2
HSRPv1 is older and supports group numbers 0–255 and IPv4 only. HSRPv2 supports more groups and IPv6, and uses a different virtual MAC format. Modern IOS commonly uses HSRPv2.
Election Rules
Highest HSRP priority wins active. If tied, highest interface IP wins. With preempt enabled, a higher-priority router can later take over as active when it comes online.
Timers and Hellos
Routers send HSRP hellos to discover each other and to detect failures. With the default hello and hold timers, failover takes about 10s; the timers can be tuned for faster failover.
Configuring Basic HSRP on Cisco IOS
Scenario Setup
You have VLAN 10 (192.168.10.0/24). R1 should be primary gateway, R2 backup. Virtual IP 192.168.10.1, R1 is .2, R2 is .3, and HSRP group number is 10.
R1 Configuration
On R1: configure SVI with 192.168.10.2, add `standby 10 ip 192.168.10.1`, set `priority 110`, and enable `preempt` so R1 becomes and stays active when available.
R2 Configuration
On R2: configure SVI with 192.168.10.3, same HSRP group and virtual IP, but lower priority (90). Also enable preempt so R2 can take over if R1 goes down.
Verifying HSRP
Use `show standby brief` to see the active and standby roles, priorities, and the virtual IP. On R1, you should see its state as Active and the virtual IP as 192.168.10.1.
VRRP Overview and Comparison to HSRP
What is VRRP?
VRRP is an open-standard first-hop redundancy protocol, similar to HSRP but supported by many vendors. It groups routers into a virtual router identified by a VRID.
Roles and Election
VRRP elects a master router based on highest priority (default 100). Others are backups. If priorities tie, highest real IP wins. Priority 255 means the router owns the virtual IP.
Cisco VRRP Syntax
On Cisco, VRRP is configured with `vrrp <group> ip <virtual-ip>` plus optional `priority` and `preempt`, similar in spirit to HSRP’s `standby` commands.
Exam Perspective
For CCNA, know that VRRP is standards-based, uses master/backup terms, and provides the same kind of default gateway redundancy as HSRP with slightly different defaults.
Thought Exercise: Tracing Traffic During Failover
Work through this mentally to strengthen your intuition about first-hop redundancy.
Topology
- VLAN 20: 10.20.0.0/24
- Virtual gateway IP: 10.20.0.1
- R1 real IP: 10.20.0.2 (active/master initially)
- R2 real IP: 10.20.0.3 (standby/backup)
- Host PC-A: 10.20.0.50, default gateway 10.20.0.1
Phase 1: Normal Operation
- PC-A wants to reach 8.8.8.8.
- It checks its ARP cache. If there is no entry for 10.20.0.1, it ARPs.
- Which router answers the ARP? What MAC address does it send?
- Which switch port learns that MAC?
- Which router performs the actual routing to 8.8.8.8?
Pause and answer those in your own words.
Phase 2: R1 Fails (link down)
- R2 stops hearing HSRP/VRRP hellos from R1.
- After the hold timer expires, R2 transitions to active/master.
- PC-A still has an ARP entry for 10.20.0.1 with the virtual MAC.
Now answer:
- Does PC-A need to send a new ARP request to keep working?
- What changes inside the switch when R2 takes over?
- What is different in the packet’s first hop compared to Phase 1?
Write down a short explanation (3–4 sentences) describing what changed and what did not change from the host’s perspective. This is the kind of reasoning CCNA scenario questions are testing.
Quiz 1: Core Concepts Check
Answer this question to confirm you understand virtual IP and roles.
In an HSRP group on a user VLAN, hosts use 192.168.50.1 as their default gateway. R1 has IP 192.168.50.2 and state Active. R2 has IP 192.168.50.3 and state Standby. Which statement is MOST accurate?
- Hosts send traffic directly to 192.168.50.2, and R2 only takes over if R1’s IP changes.
- Hosts send traffic to a virtual MAC associated with 192.168.50.1, which is currently owned by R1.
- Hosts must change their default gateway to 192.168.50.3 if R1 fails.
- Switches load-balance traffic between 192.168.50.2 and 192.168.50.3 by default.
Answer: B) Hosts send traffic to a virtual MAC associated with 192.168.50.1, which is currently owned by R1.
HSRP presents a virtual IP (192.168.50.1) and a virtual MAC to hosts. The Active router (R1) currently owns that virtual MAC and forwards the traffic. Hosts do NOT point directly at 192.168.50.2 or 192.168.50.3, and they do not need to change their default gateway during failover.
Quiz 2: Reading HSRP Output
Use this quiz to practice interpreting Cisco-style HSRP status.
You run `show standby` on R2 and see:
Interface Vlan10 - Group 10
State is Standby
Virtual IP address is 10.10.10.1
Active router is 10.10.10.2
Standby router is local
Priority 90 (default 100)
Which conclusion is MOST accurate?
- R2 is currently forwarding traffic for 10.10.10.1.
- R2 has a lower priority than the active router and is ready to take over if it fails.
- R2 is misconfigured because its state should be Active when it is local.
- R2 will never become active because it is not listed as the active router.
Answer: B) R2 has a lower priority than the active router and is ready to take over if it fails.
The output shows R2 is in Standby state with priority 90. The active router has IP 10.10.10.2, so some other router (likely R1) is active. R2 is the local standby and will take over the virtual IP if the active router fails, assuming timers and preempt behavior allow it.
Key Term Flashcards: First-Hop Redundancy
Use these flashcards to lock in terminology you will see on CCNA questions.
- default gateway
- A default gateway is the IP address of a router interface on the local network segment that a host uses to send traffic destined for remote networks.
- First-hop redundancy protocol (FHRP)
- A family of protocols (such as HSRP and VRRP) that allow multiple routers on a LAN to share a virtual IP and MAC, so hosts have a resilient default gateway even if one router fails.
- Virtual IP address (FHRP context)
- An IP address that is not tied to a single physical interface but is shared by a group of routers running an FHRP and used by hosts as their default gateway.
- Virtual MAC address (FHRP context)
- A MAC address generated by an FHRP and associated with the virtual IP. It is owned by the active/master router and moves to a backup router during failover.
- HSRP Active router
- The router in an HSRP group that currently owns the virtual IP and MAC and forwards traffic sent to the virtual default gateway.
- HSRP Standby router
- The router in an HSRP group that is next in line to become Active if the current Active router fails.
- HSRP Priority
- A numeric value (default 100) used to elect the Active router. Higher priority wins; if tied, highest IP address wins.
- HSRP Preempt
- A feature that allows a router with higher priority to take over the Active role when it comes online, even if another router is currently Active.
- VRRP Master router
- The router in a VRRP group that currently forwards packets for the virtual IP address.
- VRRP Backup router
- A router in a VRRP group that listens for advertisements from the Master and takes over if the Master fails.
Design Tips, Tracking, and CCNA Exam Traps
Combining Concepts
Real networks mix VLANs, a routing protocol like OSPFv2 in the core, and FHRPs at the edge. FHRPs make sure each VLAN’s default gateway stays reachable.
Design Practices
Use consistent virtual gateway IPs (often .1) and balance roles so each distribution router is primary for some VLANs and backup for others, spreading traffic and risk.
Interface Tracking
HSRP/VRRP can track uplinks. If an uplink fails, the router’s priority drops so another router can become active, avoiding blackholes where the gateway is up but isolated.
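How tracking could be added to the VLAN 10 scenario used earlier in this chapter (group 10, R1 priority 110, R2 priority 90). This is an added example, not configuration from the original lesson; the uplink name GigabitEthernet0/1, track object number 1 and the decrement of 30 are assumptions chosen for illustration.

```cisco
! ----- R1: watch the uplink (interface name is an assumed placeholder) -----
track 1 interface GigabitEthernet0/1 line-protocol
!
interface Vlan10
 standby 10 ip 192.168.10.1
 standby 10 priority 110
 standby 10 preempt
! When track object 1 goes down, R1's priority becomes 110 - 30 = 80,
! which is below R2's 90, so R2 can win the active role.
 standby 10 track 1 decrement 30
!
! ----- R2: must have preempt enabled for tracking to have any effect -----
! R1 is still up and still sending hellos when only its uplink fails,
! so R2 takes over only if it is allowed to preempt a live active router.
interface Vlan10
 standby 10 ip 192.168.10.1
 standby 10 priority 90
 standby 10 preempt
```

The decrement has to be sized against the peer's priority: the IOS default decrement of 10 would leave R1 at 100, still above R2's 90, so R1 would stay active with a dead uplink.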
Exam Gotchas
Watch for questions that mix real and virtual IPs, or mislead with `Standby router is local`. Remember: hosts always use the virtual IP as their default gateway, even after failover.
Key Terms
- HSRP
- Hot Standby Router Protocol, a Cisco-proprietary FHRP that provides a virtual default gateway using active/standby roles.
- VLAN
- A Virtual Local Area Network (VLAN) is a logical subdivision of a Layer 2 network that groups devices into the same broadcast domain regardless of their physical location.
- VRRP
- Virtual Router Redundancy Protocol, an open-standard FHRP that provides a virtual default gateway using master/backup roles.
- OSPFv2
- Open Shortest Path First version 2 (OSPFv2) is a link-state interior gateway protocol used to exchange IPv4 routing information within a single autonomous system.
- HSRP Preempt
- An HSRP feature that allows a higher-priority router to take over the active role when it becomes available.
- HSRP Priority
- A numeric value used in HSRP to elect the active router; higher values are preferred.
- default gateway
- A default gateway is the IP address of a router interface on the local network segment that a host uses to send traffic destined for remote networks.
- Virtual IP address
- An IP address shared by multiple routers running an FHRP and used by hosts as their default gateway, not bound permanently to a single physical interface.
- Virtual MAC address
- A MAC address generated and managed by an FHRP, associated with the virtual IP and owned by the active/master router.
- First-hop redundancy protocol (FHRP)
- A family of protocols (such as HSRP and VRRP) that allow multiple routers on a LAN to share a virtual IP and MAC, so hosts have a resilient default gateway even if one router fails.