Cisco First Hop Redundancy Protocols: HSRP, VRRP, GLBP


When designing a network, one of the common things to focus on after simple access is how the network will deal with failure. Part of this process is trying to build as much redundancy into the design as financially possible, while also maintaining performance and manageability. From the client’s perspective, the first piece of the network they deal without, outside of their local subnet, is the default gateway; if this gateway were to go down, then access to an entire subnet (at least) would go down. One of the ways to deal with this is to implement a first hop redundancy protocol. On Cisco equipment, there are a couple of different options to choose from, including Hot Standby Router Protocol (HSRP), Virtual Router Redundancy Protocol (VRRP) and Gateway Load Balancing Protocol (GLBP). This article gives an overview of these options and how they differ.

Hot Standby Router Protocol (HSRP)

HSRP is a Cisco proprietary protocol that enables the network engineer to configure multiple redundant routers that exist on the same subnet; each can be used as a gateway for the devices on the subnet. Without HSRP, each of the devices on the subnet would need to be individually configured to use a specific gateway, effectively not providing redundancy but limiting the number of clients that would be affected if a router were to go down. With HSRP, a group of routers (gateways) will be configured together, and a single HSRP virtual IP address and MAC address will be created that are used by the devices on the subnet. The different routers in the HSRP will communicate to a select single active gateway that handles all live traffic. At this point, a single standby gateway is also selected. This standby gateway communicates with the active gateway via multicast and will detect should the active gateway fail. When this happens, one of the standby gateways will take over the duties of the active gateway and continue traffic forwarding without much (if any) delay. When this happens, a new standby gateway is also selected.

Virtual Router Redundancy Protocol (VRRP)

VRRP is an open standard that can be used in environments where equipment from multiple vendors exists. Its operation is similar to HSRP but differs in a couple of ways. In VRRP, like with HSRP, a group is configured that contains a number of routers (gateways); one will be selected by the network engineer to be the master. The master router’s physical IP address of the interface connecting the subnet is used by the clients as a default gateway. The backup members of the VRRP group will communicate with the master gateway and take over the duties of forwarding traffic, should the master fail. The IP address used always belongs to the master router which is referred to as the IP address owner. When the master router recovers, it will take back the duties of routing for that IP address.

It is possible to have multiple VRRP groups on a single subnet, which can be used to spread the load of the traffic coming off of a subnet. However, this must be done manually at the client’s location, by changing their default gateway addresses.

Sponsored Content

Passwords Haven’t Disappeared Yet

123456. Qwerty. Iloveyou. No, these are not exercises for people who are brand new to typing. Shockingly, they are among the most common passwords that end users choose in 2021. Research has found that the average business user must manually type out, or copy/paste, the credentials to 154 websites per month. We repeatedly got one question that surprised us: “Why would I ever trust a third party with control of my network?

Gateway Load Balancing Protocol (GLBP)

GLBP is another Cisco proprietary protocol that can be used for first hop redundancy. GLBP offers something that the first two does not: dynamic load balancing. With GLBP, unlike HSRP or VRRP, all of the routers that exist within the GLBP group are active and are forwarding traffic. When a GLBP group is configured, one of the routers within the group will be elected as the Active Virtual Gateway (AVG); each of the other routers will back up the AVG, should it fail. The AVG is responsible for assigning virtual MAC addresses to each of the members of the GLBP group; each of these members is referred to as an Active Virtual Forwarder (AVF). The AVG is responsible for responding to ARP request by subnet devices, and selecting which group’s router will handle the traffic. The IP address of the default gateway is the same across all of the subnet devices; this IP address is virtual.  When the device ARPs for a MAC address, the AVG will respond with one of the virtual MAC addresses. This way, the AVG is able to control which router will handle the load of each individual subnet device.


Obviously, like most things in networking, there are a number of options available which can each be used to solve a specific problem. Two of the three solutions discussed above are specific to Cisco equipment, and thus can only be used in implementations where only Cisco equipment is used (at least across the gateways). VRRP is an option implementation which is supported on multiple vendors’ equipment and thus provides an option that opens the door to non-Cisco equipment. GLBP offers the ability to dynamically load balance traffic, which is a big advantage as it takes advantage of all available bandwidth and does not waste these resources. Which one to select depends a great deal on the specific situation and should each be considered depending on the details of the implementation. Hopefully the content of this article will at least give the reader an idea of the available options that can be used to solve this problem.

Related Topics:


Don't have a login but want to join the conversation? Sign up for a Petri Account

Comments (1)

One response to “Cisco First Hop Redundancy Protocols: HSRP, VRRP, GLBP”

  1. <p>Hey Dear, is there any other way of link redundancy?</p><p>an talk with a guy we spok about using internal routing protocol for</p>

Leave a Reply

Live Webinar - Thursday, December 2nd! Active Directory Masterclass: AD Configuration Strategies for Stronger SecurityREGISTER NOW - Thursday, December 2, 2021 @ 1 pm ET

Active Directory (AD) is leveraged by over 90% of enterprises worldwide as the authentication and authorization hub of their IT infrastructure—but its inherent complexity leaves it prone to misconfigurations that can allow attackers to slip into your network and wreak havoc. 

Join this session with Microsoft MVP and MCT Sander Berkouwer, who will explore:

  • Whether you should upgrade your domain controllers to Windows Server
    2019 and beyond
  • Achieving mission impossible: updating DCs within 48 hours
  • How to disable legacy protocols and outdated compatibility options in
    Active Directory

Sponsored by: