Skip to main content
Your first session is free. Claim mine
PacketMentor logo
Open menu
Home
Training
Cisco Mentorship
CCNACCNP
Short Courses
Python for Network EngineersAI for Network OperationsDevNet Associate PrepInterview Sprint
Custom Training
Corporate Training
All training →
CCNA Library (74)
Browse all CCNA topics →
Network (13)
OSI Model & TCP/IPIPv4 AddressingTCP vs UDPSubnettingIPv6 BasicsARP — Address Resolution ProtocolICMP — Internet Control Message ProtocolTCP 3-Way HandshakeCabling & Media StandardsMTU & FragmentationWAN Connection TypesHierarchical Network DesignNetwork Virtualization & Containers
Device Operations (5)
Cisco IOS Device ManagementPower over Ethernet (PoE)Cisco IOS File SystemPassword Recovery & Configuration RegisterNetwork Troubleshooting Methodology
Network Access (12)
MAC Address TableVLANsTrunks & 802.1Q TaggingSpanning Tree Protocol (STP)EtherChannel (Link Aggregation)Switching OperationCDP & LLDP — Neighbor DiscoveryBPDU Guard & Root GuardCatalyst Boot ProcessVTP — VLAN Trunking ProtocolRapid STP & MSTPPrivate VLANs (PVLAN)
Wireless (6)
Wireless LAN BasicsWLAN Architectures — Autonomous, Centralized (WLC), Cloud, EmbeddedWi-Fi Security — WEP, WPA, WPA2, WPA3Wi-Fi 6, 6E, and 7 FeaturesWireless RF FundamentalsAccess Point Operating Modes
IP Connectivity (10)
Inter-VLAN RoutingStatic RoutingDefault RoutingRouting Decision ProcessFHRP — HSRP, VRRP & GLBPLayer-3 Switch & SVI RoutingOSPF Single-AreaRoute SummarizationIPv6 SLAAC & DHCPv6IPv6 Transition Mechanisms
IP Services (11)
HSRP vs VRRP vs GLBP — FHRP ComparedDHCP — Dynamic Host Configuration ProtocolNAT & PATDNS — Domain Name SystemNTP — Network Time ProtocolSyslogQoS BasicsSNMP — Simple Network Management ProtocolIGMP & IGMP SnoopingNTP Authentication & SecurityDHCP Relay & IP Helper
Security (10)
Access Control Lists (ACLs)Port SecurityDHCP SnoopingAAA · RADIUS & TACACS+802.1X — Port-Based Network Access ControlVPN Basics — IPsec & SSLDynamic ARP Inspection (DAI)IP Source Guard (IPSG)Encryption FundamentalsCybersecurity Threats & Mitigation
Automation (7)
REST APIs for Network EngineersAnsible for Network EngineersJSON, YAML & XML for Network EngineersNETCONF & YANGPython for Network EngineersSDN & Controller-Based NetworkingAI & ML in Network Operations
CCNP Library (15)
Browse all CCNP topics → SPAN, RSPAN & ERSPAN — Port MirroringGRE TunnelsEIGRPOSPF Multi-AreaIPv6 Routing — Static & OSPFv3BGP BasicsTCP Connection StatesCisco AnyConnect / Remote Access VPNCisco ISE BasicsNetFlow & Flow-Based MonitoringgRPC & gNMI — Streaming TelemetrySD-WAN ConceptsMPLS BasicsCisco DNA Center / Catalyst CenterVRF Basics — Virtual Routing and Forwarding
LabsPricing
Contact 📞 +1 (860) 556-3010 Book a Call
← All topics
IP Connectivity Intermediate

FHRP — HSRP, VRRP & GLBP

First-hop redundancy protocols. How two routers share one virtual IP so hosts don't notice when their default gateway fails. Covers HSRP states, election, preemption, and the GLBP load-balancing twist.

TL;DR
  • FHRP lets two (or more) routers share one virtual gateway IP. If the active one dies, the standby takes over automatically — hosts don't reconfigure anything.
  • HSRP is Cisco-proprietary, VRRP is the open standard. They behave nearly identically.
  • GLBP is Cisco-only and also load-balances by handing different hosts different MACs for the same virtual IP.

Mental model

Hosts on a LAN are configured with one default gateway — typically a single IP. If that gateway router dies, every host on the LAN is suddenly cut off until someone reconfigures the gateway. Bad.

FHRP (First-Hop Redundancy Protocol) is the workaround. Two physical routers share a virtual IP that hosts use as the gateway. The active router answers ARP for that virtual IP. The standby sits quietly watching. If the active fails, the standby takes over the virtual IP within seconds — hosts never know anything changed.

Three flavors you’ll meet:

ProtocolOriginActive routersLoad balancing
HSRPCisco-proprietary1 active, others standbyNo (unless you split groups)
VRRPIETF open standard1 master, others backupNo
GLBPCisco-proprietaryAll active simultaneouslyYes — same virtual IP, different MACs

For CCNA: HSRP is what gets tested most. VRRP is conceptually identical with different terminology. GLBP is mentioned but rarely deep.

HSRP — the dominant CCNA topic

Two routers form an HSRP group (numbered 1–255). The group has a virtual IP and virtual MAC. Hosts use the virtual IP as their gateway.

Priority + preemption — who’s active

Each router has an HSRP priority (1–255, default 100). Higher priority becomes active. If priorities tie, higher IP wins.

R1(config-if)# standby 1 priority 110

But just having higher priority isn’t enough — by default, HSRP doesn’t auto-fail-back. If R1 boots first and becomes active, then R2 boots and has higher priority, R2 won’t take over unless preemption is enabled:

R1(config-if)# standby 1 preempt

Set preempt on both routers, with priority on the preferred-active one.

States (the lifecycle)

A router moves through these as it joins:

Disabled → Init → Listen → Speak → Standby → Active

The two that matter day-to-day:

  • Active — the router currently answering for the virtual IP
  • Standby — the runner-up, ready to take over

If you see a router stuck in Listen or Speak permanently, it’s a misconfiguration (priority/preemption issue, group mismatch).

Commands — HSRP basic config

! On R1 (active)
R1(config)# interface GigabitEthernet0/0
R1(config-if)# ip address 10.0.0.2 255.255.255.0
R1(config-if)# standby version 2
R1(config-if)# standby 1 ip 10.0.0.1               ! the virtual IP
R1(config-if)# standby 1 priority 110              ! higher than default 100
R1(config-if)# standby 1 preempt

! On R2 (standby)
R2(config)# interface GigabitEthernet0/0
R2(config-if)# ip address 10.0.0.3 255.255.255.0
R2(config-if)# standby version 2
R2(config-if)# standby 1 ip 10.0.0.1               ! same virtual IP, same group #
R2(config-if)# standby 1 priority 100              ! default — lower
R2(config-if)# standby 1 preempt

Always use standby version 2. Version 2 supports more groups and uses a different virtual MAC range — required for modern features.

Interface tracking — failover when an upstream link dies

What if R1’s WAN-facing interface dies but its LAN-facing interface is still up? Without help, R1 stays active — but it can’t actually reach the internet. Hosts pointing at the virtual IP get a black hole.

Object tracking monitors a tracked interface and adjusts priority when it goes down:

R1(config)# track 1 interface GigabitEthernet0/1 line-protocol

R1(config-if)# standby 1 track 1 decrement 20

If Gi0/1 goes down, R1’s HSRP priority drops by 20 (from 110 to 90) — below R2’s 100 — and R2 takes over.

Verification

R1# show standby
R1# show standby brief
R1# show standby vlan 10                 ! when running per-VLAN HSRP

show standby brief is the daily-driver — shows the group, virtual IP, current state, priority, and preempt status in one screen.

VRRP — same idea, open standard

R1(config-if)# ip address 10.0.0.2 255.255.255.0
R1(config-if)# vrrp 1 ip 10.0.0.1
R1(config-if)# vrrp 1 priority 110

VRRP differs from HSRP in three ways worth knowing:

  1. The master uses the actual virtual IP as one of its real IPs by default. (HSRP uses a separate virtual IP.)
  2. Multicast addresses differ (HSRP: 224.0.0.2, VRRP: 224.0.0.18).
  3. Vendor-agnostic, so VRRP works between Cisco and non-Cisco routers.

GLBP — when you want load balancing

In HSRP/VRRP, the standby router sits doing nothing 99% of the time. GLBP fixes this: all routers in the group are active simultaneously, and hosts get different MACs for the same virtual IP — so traffic load-balances across the routers.

R1(config-if)# glbp 1 ip 10.0.0.1
R1(config-if)# glbp 1 priority 110

GLBP elects an AVG (Active Virtual Gateway) which assigns AVF (Active Virtual Forwarder) roles. Cisco-only. Less commonly tested on CCNA but worth recognizing.

Common mistakes

  1. Different HSRP groups on each router for the same VLAN. Both routers need to be in the same group (same number). Mismatch → both stay Active independently, hosts get inconsistent gateways.

  2. Forgetting preempt. Configure priority but not preempt → router with priority 110 still doesn’t take over from a router with 100. Add preempt on both.

  3. Different virtual IPs configured on the two routers. They must match exactly. Easy typo, hard to spot.

  4. No tracking of upstream. Setting priority + preempt without tracking means HSRP fails over only when the actual LAN-facing interface dies — not when the WAN-facing interface dies. Always add tracking.

  5. Using HSRP version 1 in 2026. Version 1 supports only 256 groups per interface and uses old virtual MAC formats. Always use standby version 2.

  6. Different timers between routers. Hello / hold timers must match: standby 1 timers 1 3. Both ends.

Lab to try tonight

  1. Two routers (R1, R2), one LAN switch, two PCs.
  2. Configure both routers with IPs in 10.0.0.0/24 (R1=.2, R2=.3). Both reach the same upstream.
  3. Configure HSRP group 1, virtual IP 10.0.0.1, R1 priority 110, R2 priority 100, preempt on both.
  4. Set both PCs’ default gateway to 10.0.0.1. Ping anywhere external — works through R1.
  5. Run show standby brief — R1 should be Active.
  6. Shut R1’s LAN interface. Watch R2 take over within seconds. Pings continue.
  7. Re-enable R1. Watch R2 give Active back to R1 (because of preempt + priority).
  8. Bonus: configure object tracking on R1’s upstream interface. Shut it. Confirm R2 takes over (priority decrement working).

Cheat strip

ConceptPlain English
FHRPFirst-Hop Redundancy Protocol — shared gateway IP for failover
HSRPCisco-proprietary. CCNA’s default FHRP topic.
VRRPIETF open standard. Cross-vendor.
GLBPCisco-only. Load-balances by handing out different MACs.
Virtual IPThe IP hosts use as their gateway
Active / StandbyHSRP states (Master / Backup in VRRP)
Priority1–255, higher wins (default 100)
PreemptRequired to actually let a higher-priority router take over
TrackingLower priority when an upstream interface dies
Version 2Always use this on modern HSRP
← Previous topic

Routing Decision Process

How a router actually decides where to forward a packet. Longest prefix match, administrative distance, and metric — in that order. Covers why a /30 static beats a /16 OSPF even though OSPF is the better protocol.
Next topic →

SPAN, RSPAN & ERSPAN — Port Mirroring

How to copy traffic from one switch port to another for analysis. Covers local SPAN, RSPAN across switches via VLAN, ERSPAN over GRE for remote sites, and when each one is the right call.
Master this on a real network

Want this drilled into reflex?

1:1 weekly sessions, live feedback on your labs, and US interview prep — built around the CCNA® exam blueprint. Free first session. No card on file until you decide.

Claim my free session →

Related topics

IP Connectivity

Default Routing

The catch-all route every edge router needs. Covers static defaults, dynamic defaults (originated by OSPF/EIGRP/BGP), gateway of last resort, and the difference between a default and a summary route.

 Network Access

Spanning Tree Protocol (STP)

Definitive CCNA-level STP guide — why loops are catastrophic, bridge ID + priority election, three port roles, five port states, BPDU anatomy, PortFast + BPDU Guard + Root Guard + Loop Guard, RSTP convergence, MSTP overview, and 8 worked scenarios.

 IP Connectivity

Static Routing

Definitive CCNA-level static routing guide — next-hop vs exit-interface vs fully-specified, default routes, floating statics, summary routes, recursive lookup, IPv6 statics, AD reference, 8 worked scenarios, and the static-routing debug workflow.

One topic per email, every fortnight

VLANs, OSPF, ACLs, subnetting, automation — written like this. Unsubscribe in one click.

We respect your inbox. One email per week, max. Unsubscribe any time.

Start typing — or browse popular topics below.

↑↓ navigate open Searches topics · labs · programs · pages