FHRP N10-009

Slide 1 of 8  |  N10-009 Obj 2.4  |  High Availability
FHRP — First Hop Redundancy Protocols
One virtual gateway. Multiple physical routers. Automatic failover.
Your default gateway router fails. 500 users lose internet access because their gateway IP is gone. FHRP gives you a virtual IP that survives router failure — automatic failover with no client reconfiguration.
Slide 2 of 8
The Single Point of Failure Problem
Every client hard-codes one default gateway. That is the problem.
Without FHRP
Every device on the subnet has one gateway configured: 10.0.0.1. That IP belongs to Router A — one physical interface on one device. Router A fails at 2 AM. 10.0.0.1 is gone. All 500 clients stop routing. No internet, no inter-VLAN, nothing. They will not recover until someone manually changes 500 devices or Router A comes back.
With FHRP
Clients configure the virtual IP: 10.0.0.1. That IP is shared between Router A (active) and Router B (standby). It does not belong to either physical interface. Router A fails. Router B detects the failure within seconds and assumes the virtual IP. Clients never know. No reconfiguration. Seamless.
Diagram: Virtual Gateway (VIP) 10.0.0.1, shared by Router A (Active, 10.0.0.2) and Router B (Standby, 10.0.0.3), with the Internet/ISP upstream. 500 clients use gateway: 10.0.0.1.
Clients always target the virtual IP.
Physical router IPs are irrelevant to them.
Slide 3 of 8
HSRP — Hot Standby Router Protocol
Cisco proprietary. Active/standby model. The most common exam protocol.
How HSRP Works
One router is elected Active — it owns the virtual IP and virtual MAC, forwards all traffic.
One router is Standby — listens for hellos from the Active, ready to take over.

Hello timer: default 3 seconds — how often Active sends hellos
Hold timer: default 10 seconds — how long Standby waits before declaring Active dead
Failover happens within hold timer seconds of Active failure.
Priority + Preemption
Priority: 0–255. Higher wins the Active election. Default is 100.
Set Router A to priority 110 to ensure it stays Active.
Preemption: must be explicitly enabled. Without it, if Router A fails and Router B takes over, Router A will NOT reclaim Active when it returns — even with higher priority. With preemption enabled, Router A reclaims immediately.
HSRP Virtual MAC
HSRP uses a well-known virtual MAC: 0000.0C07.ACxx where xx is the HSRP group number in hex. Group 1 = 0000.0C07.AC01. Clients ARP for the virtual IP and get this virtual MAC. When failover occurs, the new Active responds to ARPs with the same virtual MAC — no ARP table update required on clients.
HSRP Versions
HSRPv1: 255 groups, multicast 224.0.0.2, UDP 1985
HSRPv2: 4096 groups, multicast 224.0.0.102, improved millisecond timers
Versions are not interoperable on the same group — both routers must match.
Exam tip: HSRP is Cisco proprietary. If the question specifies "open standard," the answer is VRRP. If the question asks about load balancing across gateways, the answer is GLBP.
Slide 4 of 8
VRRP — Virtual Router Redundancy Protocol
Open standard (RFC 5798). Works on any vendor. Master/backup model.
VRRP vs HSRP Differences
VRRP uses Master (not Active) and Backup (not Standby) — same concept, different names.

Key difference: the Master router's real IP can be the virtual IP. No separate virtual IP is required if you use the Master's physical IP as the VIP. HSRP always requires a distinct virtual IP.

Advertisement interval: default 1 second (faster than HSRP's 3s)
Master down interval: 3 x advert interval + skew time
Multicast: 224.0.0.18 | Protocol: IP protocol 112
Virtual MAC
VRRP virtual MAC: 00-00-5E-00-01-xx where xx is the VRRP group (VRID) in hex. Same concept as HSRP — clients ARP for the VIP and get the virtual MAC regardless of which physical router currently holds Master role.
When to Choose VRRP
Multi-vendor environment — Cisco ASA + Juniper SRX + Palo Alto. HSRP only runs on Cisco. VRRP runs on everything. RFC 5798 (VRRPv3) also supports IPv6 natively. Any new deployment not locked into Cisco should default to VRRP.
Priority + Preemption
Priority: 1–254. Default 100. Higher wins Master election.
Priority 255 is reserved for the router that owns the virtual IP address physically.
Preemption is enabled by default in VRRP — opposite of HSRP where you must explicitly enable it. A returning high-priority router will automatically reclaim Master.
VRRP preemption is ON by default. HSRP preemption is OFF by default. This difference appears on CompTIA exams. Know it.
Slide 5 of 8
GLBP — Gateway Load Balancing Protocol
Cisco proprietary. The only FHRP that actively distributes traffic across multiple gateways.
How GLBP Differs
HSRP and VRRP: one router forwards, the rest idle. Standby routers sit unused.

GLBP: all routers forward simultaneously. One virtual IP is shared but each router gets its own virtual MAC. When a client ARPs for the virtual IP, the AVG (Active Virtual Gateway) assigns a different virtual MAC to each client using round-robin or weighted load balancing. Client A uses Router A's MAC. Client B uses Router B's MAC. Both gateways carry traffic simultaneously.
GLBP Roles
AVG (Active Virtual Gateway): owns the virtual IP, responds to ARPs, assigns virtual MACs to other routers. One per group.

AVF (Active Virtual Forwarder): each router in the group. Each AVF has its own virtual MAC and forwards traffic for the clients assigned to it. Up to 4 AVFs per GLBP group.
Load Balancing Methods
Round-robin: assigns virtual MACs in rotation. Equal distribution.
Weighted: assigns more MACs to higher-weighted routers. Proportional distribution.
Host-dependent: same client always gets the same virtual MAC. Useful for stateful applications.
When to Choose GLBP
Multiple gateway routers with spare capacity that is currently idle. High-traffic environments where one active gateway is a throughput bottleneck. Cisco-only environment — GLBP is proprietary, no open-standard equivalent.
GLBP virtual MAC format: 0007.B4xx.xxyy where xx.xx is the group number and yy is the AVF number. The AVG assigns each AVF's MAC to clients via ARP replies.
Diagram: VIP 10.0.0.1 (shared) between the Internet and PC1, PC2, PC3. Router A (AVF1 + AVG), Router B (AVF2), Router C (AVF3). All 3 routers active simultaneously.
Slide 6 of 8
Virtual IP + MAC — How It Actually Works
Clients talk to the virtual MAC, not the router's real MAC.
Normal ARP Process (No FHRP)
Client needs to send traffic to internet. Destination is outside subnet — use gateway.
Client ARPs: "Who has 10.0.0.1?" Router A replies: "I do. My MAC is AA:BB:CC:DD:EE:01."
Client caches that mapping. Traffic flows via Router A's real MAC. Router A fails. ARP entry expires. Client re-ARPs. No reply. Connection dies.
FHRP ARP Process
Client ARPs: "Who has 10.0.0.1?" Active/Master router replies with the virtual MAC — not its real MAC.
Client caches: 10.0.0.1 = virtual MAC (e.g., 0000.0C07.AC01 for HSRP group 1).
Router A fails. Router B takes over and now responds to ARPs using the same virtual MAC. Client's ARP cache still valid. Traffic flows without interruption. Client never knows.
Gratuitous ARP on Failover
When the new Active takes over, it sends a gratuitous ARP — an unsolicited ARP reply advertising the virtual IP/MAC mapping. This forces immediate update of ARP caches on all devices in the subnet, including switches (which update their MAC address tables to point to the new physical port). No waiting for ARP entries to expire.
Why Separate Virtual MACs Matter
Switches maintain MAC address tables mapping MAC addresses to physical ports. Without virtual MACs, the switch would need to relearn which port the real MAC is on after failover. With virtual MACs, the gratuitous ARP updates the switch table to point the virtual MAC to the new physical port. Failover is sub-second for frames already on the wire.
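Added example (not part of the original slides): a Python sketch that decodes the three virtual MAC formats listed above and checks that a client's neighbour table resolves the virtual IP to the expected virtual MAC rather than a router's real MAC. The sample tables are constructed, the Linux `ip neigh` output format is an assumption about the client, and the function names are hypothetical.

```python
# Added example: decode FHRP virtual MACs and check a client's gateway ARP entry.
import re

def normalize(mac):
    """Accept 0000.0C07.AC01, 00-00-5E-00-01-0A or aa:bb:...; return 12 hex digits."""
    digits = re.sub(r"[.:-]", "", mac).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def classify(mac):
    """Return (protocol, group, forwarder) per the virtual MAC formats on the slides."""
    d = normalize(mac)
    if d.startswith("00000c07ac"):            # HSRP: 0000.0C07.ACxx
        return ("HSRP", int(d[10:], 16), None)
    if d.startswith("00005e0001"):            # VRRP: 00-00-5E-00-01-xx
        return ("VRRP", int(d[10:], 16), None)
    if d.startswith("0007b4"):                # GLBP: 0007.B4xx.xxyy
        return ("GLBP", int(d[6:10], 16), int(d[10:], 16))
    return (None, None, None)                 # a router's real (physical) MAC

def check_gateway(neigh_output, vip, protocol, group):
    """Check that `vip` resolves to the expected virtual MAC in `ip neigh` output."""
    for line in neigh_output.splitlines():
        fields = line.split()
        if not fields or fields[0] != vip or "lladdr" not in fields[:-1]:
            continue                          # other host, or FAILED/INCOMPLETE entry
        proto, grp, _ = classify(fields[fields.index("lladdr") + 1])
        if proto is None:
            return "physical-mac"             # entry breaks when that router fails
        if (proto, grp) != (protocol, group):
            return "unexpected-group"
        return "ok"
    return "no-entry"

# Constructed neighbour tables in Linux `ip neigh` format (not captured data).
GOOD = """10.0.0.1 dev eth0 lladdr 00:00:0c:07:ac:01 REACHABLE
10.0.0.2 dev eth0 lladdr aa:bb:cc:dd:ee:01 STALE"""
BAD = "10.0.0.1 dev eth0 lladdr aa:bb:cc:dd:ee:01 REACHABLE"

if __name__ == "__main__":
    print(classify("0007.B400.0102"))                  # GLBP group 1, AVF 2
    print(check_gateway(GOOD, "10.0.0.1", "HSRP", 1))
    print(check_gateway(BAD, "10.0.0.1", "HSRP", 1))
```

A "physical-mac" result means the client learned a router's own MAC for the gateway address, so its ARP entry will not survive a failover the way the virtual MAC does.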
Slide 7 of 8
Failover Process + Configuration Basics
What happens second-by-second when the active gateway fails.
T=0: Router A fails. Power loss, link down, or hardware fault — hello packets stop transmitting.
T=0 to 10s: Hold timer counts down. Router B expects a hello every 3s. After 10s of silence, it declares Active dead.
T=10s: Router B transitions to Active. Assumes virtual IP and virtual MAC. Sends gratuitous ARP to update all caches.
T=10s+: Traffic resumes. Client traffic now flows through Router B. TCP sessions that were mid-flight are dropped — must reconnect.
Recovery: Router A returns. Without preemption: Router B stays Active. With preemption enabled: Router A reclaims Active (higher priority wins).
Diagram: Clients → VIP; Router A (failed); Router B (Standby); Internet; gratuitous ARP broadcast. Panel caption: Normal operation, Router A forwarding.
HSRP Config Example (Cisco IOS)
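interface GigabitEthernet0/0
 ip address 10.0.0.2 255.255.255.0
 ! Virtual IP (VIP) shared by the HSRP group
 standby 1 ip 10.0.0.1
 ! Priority above the default of 100 so this router wins the election
 standby 1 priority 110
 ! Reclaim the Active role on return
 standby 1 preempt
 ! Hello 3 seconds, hold 10 seconds
 standby 1 timers 3 10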
Timer Tuning
Default hold timer is 10 seconds — that is 10 seconds of gateway outage. Tuning to sub-second timers (1ms hello, 3ms hold) dramatically reduces failover time but increases CPU and bandwidth overhead on the routers. Most production deployments use 1s/3s as a balance.
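Added example (not part of the original slides, and not vendor code): a toy Python model of the slide 7 timeline that shows how the preemption default changes who forwards after Router A returns, using the priorities and addresses from the config above. The T=60 return time is constructed, and the VRRP skew-time formula comes from RFC 5798 rather than from the slides.

```python
# Added example: toy model of the FHRP failover timeline (not vendor code).
import ipaddress
from dataclasses import dataclass

@dataclass
class Router:
    name: str
    ip: str
    priority: int
    preempt: bool
    up: bool = True

def elect(routers, current=None):
    """Return the name of the router that should hold the virtual IP."""
    alive = [r for r in routers if r.up]
    if not alive:
        return None
    # Highest priority wins; the highest interface IP breaks a tie.
    best = max(alive, key=lambda r: (r.priority, ipaddress.ip_address(r.ip)))
    holder = next((r for r in alive if r.name == current), None)
    if holder is None:
        return best.name
    # A healthy holder is displaced only by a higher-priority router with preempt on.
    if best.priority > holder.priority and best.preempt:
        return best.name
    return holder.name

def vrrp_master_down(backup_priority, advert=1.0):
    """3 x advert interval + skew time; skew formula taken from RFC 5798."""
    return 3 * advert + (256 - backup_priority) * advert / 256

def run(routers, events, detect):
    """events: (time_s, router_name, 'fail' | 'return'). Returns [(time_s, forwarder)]."""
    by_name = {r.name: r for r in routers}
    active = elect(routers)
    log = [(0, active)]
    for t, name, what in sorted(events):
        by_name[name].up = (what == "return")
        # Loss of the forwarder is noticed only after the hold / master-down timer.
        when = t + detect if (what == "fail" and name == active) else t
        new = elect(routers, active)
        if new != active:
            active = new
            log.append((when, active))
    return log

def scenario(preempt, detect):
    """Slide 7 timeline: A (priority 110) fails at T=0 and returns at T=60 (constructed)."""
    routers = [Router("A", "10.0.0.2", 110, preempt), Router("B", "10.0.0.3", 100, preempt)]
    return run(routers, [(0, "A", "fail"), (60, "A", "return")], detect)

if __name__ == "__main__":
    print("HSRP default   :", scenario(preempt=False, detect=10))
    print("HSRP + preempt :", scenario(preempt=True, detect=10))
    print("VRRP default   :", scenario(preempt=True, detect=vrrp_master_down(100)))
```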
Slide 8 of 8  |  N10-009 Obj 2.4
HSRP vs VRRP vs GLBP: Exam Comparison
Feature | HSRP | VRRP | GLBP
Standard | Cisco proprietary | RFC 5798 (open) | Cisco proprietary
Active role name | Active | Master | AVG / AVF
Standby role name | Standby | Backup | Backup AVG
Load balancing | No (one active) | No (one master) | Yes — all routers forward
Virtual MAC | 0000.0C07.ACxx | 00-00-5E-00-01-xx | 0007.B4xx.xxyy
Multicast address | 224.0.0.2 (v1) / 224.0.0.102 (v2) | 224.0.0.18 | 224.0.0.102
Preemption default | Off (must enable) | On (enabled by default) | Off (must enable)
Priority range | 0 – 255 (default 100) | 1 – 254 (default 100) | 1 – 255 (default 100)
IPv6 support | HSRPv2 only | VRRPv3 native | Limited
1. FHRP solves the single-point-of-failure gateway problem using a virtual IP shared between physical routers.
2. HSRP = Cisco, Active/Standby. VRRP = open standard, Master/Backup, preempt ON by default. GLBP = load balances across all routers.
3. Failover: Active fails → hold timer expires → Standby claims virtual IP → gratuitous ARP updates all caches. TCP sessions drop and must reconnect.