Skip to main content
HashnodeNetworking Basics

Command Palette

Search for a command to run...

FHRP and HSRP: Keeping Your Network Online Without Downtime

Updated
11 min read
P
Pits

In a perfect world, network devices would never fail. But in reality, routers can go down because of hardware issues, software bugs, or simple maintenance work. When that happens, your network can lose its connection and cause interruptions for users. This is where First Hop Redundancy Protocols (FHRP) come in.

FHRP is a set of technologies that make sure your network stays connected even if your main router fails. One of the most common versions is the Hot Standby Router Protocol (HSRP). It works by having a backup router ready to take over instantly when the primary one goes offline. In this post, we’ll go over what FHRP and HSRP are, why they matter, and how they help keep your network running smoothly.

What is FHRP?

FHRP stands for First Hop Redundancy Protocol. It’s a group of protocols that make sure there’s always a working “default gateway” in your network.

Think of the default gateway like the exit door of your network. When devices need to reach the internet or another network, they go through it. If that exit door (your main router) goes down, no one can get out.

FHRP solves this by having a backup device ready to take over instantly if the main one fails. This way, users won’t notice anything and the connection keeps working.

Common examples of FHRP are:

  • HSRP (Hot Standby Router Protocol)

  • VRRP (Virtual Router Redundancy Protocol)

  • GLBP (Gateway Load Balancing Protocol)

What is Gratuitous ARP?

Gratuitous ARP is a way for a device to quickly tell the whole network, “Hey, I’m using this IP address now!”

Here’s why this matters: when the backup router takes over in FHRP, it needs to make sure all connected devices know where to send traffic. By sending a gratuitous ARP, it updates everyone’s ARP tables with its own MAC address for the virtual IP. This avoids delays and keeps traffic flowing without manual changes.

What is Preemptive?

Preemptive means the original primary router can take back its role when it comes back online.

Example:

  • Router A is the main gateway.

  • Router B is the backup.

  • Router A goes down, so Router B takes over.

  • Later, Router A is fixed and back online.

If preemptive mode is on, Router A will automatically reclaim its main role.
If it’s off, Router B will stay as the main until something changes manually or it fails.

Now that we’ve covered the basics of FHRP, let’s focus on one of its most common versions: HSRP.

What is HSRP?

HSRP stands for Hot Standby Router Protocol. It’s a Cisco-developed protocol that provides network redundancy for your default gateway. Instead of pointing your devices directly to one physical router, HSRP creates a virtual gateway that’s always available, even if one router fails.

Think of it like this: you have two doors leading out of your house, but from the inside, you only see one. If the first door gets blocked, the second one opens instantly without you even noticing.

HSRP achieves this by using two main roles:

  • Active Router – The one currently forwarding traffic for the network.

  • Standby Router – The backup router, ready to take over if the active one fails.

How HSRP Works

  1. Virtual IP and Virtual MAC

    • Virtual IP – This is the IP address that all devices use as their default gateway. It doesn’t belong to just one router, but is shared between the active and standby.

    • Virtual MAC – A special MAC address linked to the virtual IP. It also moves between routers during a failover so devices always know where to send traffic.

When a failover happens, the new active router sends a gratuitous ARP to update all devices on the network that the virtual IP is now tied to its MAC address.

  1. Election Process
    When HSRP starts, routers in the same HSRP group send hello messages to each other using multicast. They use these messages to decide which router becomes active and which one becomes standby.

    • The router with the highest priority becomes the active router.

    • If priorities match, the router with the higher IP address wins.

  2. Failover
    If the active router stops sending hello messages (due to failure, disconnection, or maintenance), the standby router immediately takes over the virtual IP and MAC, keeping the network online.
    If preemptive mode is enabled, the original active router will reclaim its role when it comes back online.

HSRP Versions

HSRP has two versions, and the main differences are the group number range, the multicast address it uses for hello messages, and the format of the virtual MAC address.

  • HSRP Version 1

    • Group numbers: 0 to 255

    • Multicast IPv4 address: 224.0.0.2 (all routers)

    • Virtual MAC address format: 0000.0C07.ACxx

      • The xx at the end is the HSRP group number in hexadecimal.

  • HSRP Version 2

    • Group numbers: 0 to 4095 (supports more groups)

    • Multicast IPv4 address: 224.0.0.102

    • Virtual MAC address format: 0000.0C9F.Fxxx

      • The xxx at the end is the HSRP group number in hexadecimal.

Now that you understand how HSRP works, let’s look at another popular First Hop Redundancy Protocol: VRRP.

What is VRRP?

VRRP stands for Virtual Router Redundancy Protocol. It’s an open standard, which means it’s not limited to Cisco devices. You can use it on routers and switches from different vendors. Like HSRP, VRRP provides a virtual gateway so that if one router fails, another can take over instantly without users noticing.

Think of VRRP as the universal version of HSRP. It works on the same principle: one device actively forwards traffic while others wait in line to take over if needed.

Roles in VRRP

  • Master Router – The router actively forwarding traffic for the virtual IP.

  • Backup Routers – One or more routers ready to take over if the master fails.

How VRRP Works

  1. Virtual IP and Virtual MAC

    • Virtual IP – The IP address that devices use as their default gateway. In VRRP, the virtual IP is often the same as one of the master router’s actual interface IP addresses (unlike HSRP, where it’s always separate).

    • Virtual MAC – VRRP also uses a shared MAC address for the virtual IP. This MAC moves to the backup router during failover, and a gratuitous ARP is sent so devices know where to send traffic.

  2. Election Process

    • VRRP routers send advertisements (similar to HSRP hello messages) to decide the master.

    • The router with the highest priority becomes the master.

    • If priorities are the same, the router with the highest IP address wins.

    • If the master stops sending advertisements, the backup with the next highest priority takes over.

  3. Preemption

    • Preemption is enabled by default in VRRP, so if a higher-priority router comes back online, it automatically takes back the master role.

VRRP Versions

  • Version 2 – Supports IPv4.

  • Version 3 – Supports both IPv4 and IPv6.

Multicast IPv4 Address and Virtual MAC

  • Multicast IPv4 address: 224.0.0.18 (used for VRRP advertisements)

  • Virtual MAC address format: 0000.5E00.01xx

    • xx is the VRRP group number in hexadecimal.

We’ve seen how HSRP and VRRP keep your network gateway online during failures, but both work in an “all traffic goes to one active router” setup. This is where GLBP comes in. It not only provides redundancy but also balances traffic across multiple routers.

What is GLBP?

GLBP stands for Gateway Load Balancing Protocol. It’s a Cisco-proprietary FHRP that takes redundancy one step further by letting multiple routers share the traffic load at the same time. Instead of having one router do all the work while the other just waits, GLBP allows all routers in the group to actively forward traffic.

Imagine you have two exits from a building. In HSRP or VRRP, everyone uses one exit, and the other only opens if the first is blocked. In GLBP, people are split between both exits, so no one gets stuck in a long line.

Roles in GLBP

GLBP uses three main roles:

  • Active Virtual Gateway (AVG) – The router that assigns virtual MAC addresses to other routers in the group and keeps track of who is active.

  • Active Virtual Forwarder (AVF) – A router that actively forwards traffic for one of the virtual MAC addresses. Multiple AVFs can exist at the same time.

  • Listen – Routers in listening mode are ready to become an AVF if one fails.

How GLBP Works

  1. Virtual IP and Multiple Virtual MACs

    • Virtual IP – All hosts in the network use the same virtual IP as their default gateway.

    • Virtual MACs – GLBP creates a separate virtual MAC address for each router (AVF) in the group. The AVG gives these MACs to clients in a round-robin fashion (or based on other load-balancing methods). This spreads the traffic evenly among routers.

  2. Election Process

    • The router with the highest priority becomes the AVG.

    • If priorities match, the router with the highest IP address wins.

    • The AVG assigns virtual MAC addresses to other routers so they can forward traffic.

  3. Failover

    • If the AVG fails, another router with the next highest priority becomes the new AVG.

    • If an AVF fails, its virtual MAC is taken over by another router to keep forwarding traffic without interruption.

  4. Preemption

    • Like VRRP, GLBP supports preemption so that a higher-priority router can take back its role when it comes back online (if configured).

Multicast IPv4 Address and Virtual MAC

  • Multicast IPv4 address: 224.0.0.102

  • Virtual MAC address format: 0007.B4xx.xxxx

    • The xxxx.xxxx part is assigned per virtual forwarder number.

Now that we’ve gone through HSRP, VRRP, and GLBP, you can probably see they share the same main goal, keeping your default gateway online but each has its own way of doing it. To make the differences clearer, here’s a side-by-side comparison so you can quickly see how they stack up.

FeatureHSRPVRRPGLBP
TypeCisco proprietaryOpen standardCisco proprietary
Main FunctionRedundancyRedundancyRedundancy + Load Balancing
RolesActive / StandbyMaster / BackupAVG (Active Virtual Gateway) / AVFs (Active Virtual Forwarders)
Preemption DefaultOffOnOff
Versions1 & 22 (IPv4), 3 (IPv4 & IPv6)1
Group Number RangeV1: 0–255, V2: 0–40951–255 (v2), 1–255 for IPv4 and IPv6 (v3)0–1023
Multicast IPv4 AddressV1: 224.0.0.2, V2: 224.0.0.102224.0.0.18224.0.0.102
Virtual MAC AddressV1: 0000.0C07.ACxx V2: 0000.0C9F.Fxxx0000.5E00.01xx0007.B4xx.xxxx
Load BalancingNoNoYes
Vendor SupportCisco onlyMulti-vendorCisco only

We’ve talked about how HSRP works and why it’s useful. Now let’s make it more practical by looking at how to configure it. Don’t worry if you’re new, this will be a simple example so you can follow along step-by-step.

For this setup, imagine you have two Cisco routers connected to the same network segment. We want them to share one virtual IP so that if the first router fails, the second one takes over automatically.

Basic HSRP Configuration

Router 1 (Active Router)

interface GigabitEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 standby 1 ip 192.168.1.254
 standby 1 priority 150
 standby 1 preempt

Router 2 (Standby Router)

interface GigabitEthernet0/0
 ip address 192.168.1.2 255.255.255.0
 standby 1 ip 192.168.1.254
 standby 1 priority 50
 standby 1 preempt

What’s Happening Here?

  • standby 1 ip 192.168.1.254 → This is the virtual IP that both routers share. Your PCs will use this as their default gateway.

  • priority → The router with the higher number becomes the active router (here, Router 1 has 150, so it’s active).

  • preempt → Lets a router take back the active role if it has a higher priority and comes back online.

  • The default HSRP priority is 100. If you don’t set a priority, it will automatically use 100, and the router with the higher IP address will win if priorities are the same.

With this setup, if Router 1 fails, Router 2 takes over the virtual IP and MAC. When Router 1 comes back, it will reclaim its active role because preempt is enabled.

Important: Both routers in the same HSRP group must use the same HSRP version. If one is on Version 1 and the other on Version 2, they won’t talk to each other, and HSRP will not work.

Once HSRP is configured, you can check its status using the command:

show standby

This command shows you:

  • Which router is active and which is standby

  • The virtual IP and virtual MAC in use

  • The priority values for each router

  • The HSRP version running

  • The hello and hold timers

  • Whether preempt is enabled

It’s a quick way to confirm that HSRP is working and that your failover setup is ready.

Wrap up

HSRP might sound complicated at first, but it’s simply about keeping your network gateway available even if one router goes down. With a shared virtual IP and virtual MAC, your devices don’t need to know which router is active, they just keep working.

I’m not claiming to be an expert here. I’m just sharing what I’ve learned while studying HSRP. Setting it up in a lab really helped me understand how the active and standby roles work, how priorities decide the winner, and why using the same HSRP version on both routers is so important.

If you’re learning this too, I highly recommend getting hands-on. Try changing priorities, enabling and disabling preempt, and then watch the results with the show standby command. Seeing the failover happen in real time is the best way to make HSRP click in your mind.

The more you practice, the more natural it will feel and you’ll be ready to design a network that stays up even when a router goes down.

#fhrp#networking#networking-for-beginners#hsrp

More from this blog

Networking Basics

42 posts