← Back to articles

Router Redundancy: VRRP, HSRP, and GLBP

27 Jul 2025 • Network • 15 min read

Your default gateway is a single point of failure. If your router dies, all hosts lose internet access, even if you have a backup router sitting idle. Router redundancy protocols solve this by creating a virtual gateway that multiple routers share.

Imagine a building with one exit door. If that door is blocked, everyone is trapped. Router redundancy is like having multiple exit doors that all lead to the same "Exit" sign. If one door is blocked, people automatically use another door without changing their path.

The Problem: Default Gateway Failure

Typical Network Setup

           [Internet]
               |
           [Router]  ← Single point of failure!
               |
           [Switch]
          /   |   \
        PC1  PC2  PC3

All PCs configured with:
  Gateway: 192.168.1.1 (Router's IP)

If the router fails, all PCs lose connectivity. Even if you add a second router, PCs don't know to use it because their gateway is statically configured.

The Solution: Virtual IP

           [Internet]
            /     \
    [Router A]   [Router B]
    192.168.1.2  192.168.1.3
           \     /
        Virtual IP: 192.168.1.1  ← PCs use this!
              |
          [Switch]
         /   |   \
       PC1  PC2  PC3

All PCs configured with:
  Gateway: 192.168.1.1 (Virtual IP)

The Virtual IP (VIP) is shared between routers. One router is active (handles traffic), the other is standby (ready to take over). Failover is automatic and invisible to hosts.

FHRP Overview

FHRP (First Hop Redundancy Protocol) is the category name for these protocols:

Protocol Standard Vendor Load Balancing
VRRP RFC 5798 Open standard No (native)
HSRP Proprietary Cisco No (native)
GLBP Proprietary Cisco Yes

VRRP: Virtual Router Redundancy Protocol

How VRRP Works

VRRP creates a virtual router with its own IP and MAC address. Multiple physical routers participate in a VRRP group:

  • Master: Actively forwards traffic (highest priority)
  • Backup: Monitors master, ready to take over

VRRP Facts:

  • RFC 5798 (open standard)
  • IP Protocol 112
  • Multicast: 224.0.0.18
  • Virtual MAC: 00:00:5E:00:01:XX (XX = VRID)
  • Default priority: 100 (range 1-254)
  • Advertisement interval: 1 second default

VRRP States

State Description
Initialize Starting up, not participating yet
Master Active router, responds to VIP, forwards traffic
Backup Standby, monitors master, ready to take over

VRRP Configuration (Cisco)

! Router A (Master)
Router-A(config)# interface GigabitEthernet0/0
Router-A(config-if)# ip address 192.168.1.2 255.255.255.0
Router-A(config-if)# vrrp 1 ip 192.168.1.1
Router-A(config-if)# vrrp 1 priority 110
Router-A(config-if)# vrrp 1 preempt
Router-A(config-if)# vrrp 1 timers advertise 1

! Router B (Backup)
Router-B(config)# interface GigabitEthernet0/0
Router-B(config-if)# ip address 192.168.1.3 255.255.255.0
Router-B(config-if)# vrrp 1 ip 192.168.1.1
Router-B(config-if)# vrrp 1 priority 100
Router-B(config-if)# vrrp 1 preempt

! Verify
Router# show vrrp
Router# show vrrp brief
Router# show vrrp interface GigabitEthernet0/0

VRRP Configuration (Linux with Keepalived)

Keepalived is the standard way to implement VRRP on Linux.

# Install keepalived
# Debian/Ubuntu
sudo apt install keepalived

# CentOS/RHEL
sudo dnf install keepalived

Master Configuration

# /etc/keepalived/keepalived.conf (Router A - Master)

global_defs {
    router_id ROUTER_A
    script_user root
    enable_script_security
}

vrrp_instance VI_1 {
    state MASTER
    interface eth0
    virtual_router_id 1
    priority 110
    advert_int 1

    authentication {
        auth_type PASS
        auth_pass secretpass
    }

    virtual_ipaddress {
        192.168.1.1/24
    }

    # Optional: Track interface
    track_interface {
        eth1 weight -50
    }

    # Optional: Notify scripts
    notify_master "/etc/keepalived/notify.sh master"
    notify_backup "/etc/keepalived/notify.sh backup"
    notify_fault "/etc/keepalived/notify.sh fault"
}

Backup Configuration

# /etc/keepalived/keepalived.conf (Router B - Backup)

global_defs {
    router_id ROUTER_B
    script_user root
    enable_script_security
}

vrrp_instance VI_1 {
    state BACKUP
    interface eth0
    virtual_router_id 1
    priority 100
    advert_int 1

    authentication {
        auth_type PASS
        auth_pass secretpass
    }

    virtual_ipaddress {
        192.168.1.1/24
    }
}

Start Keepalived

# Start and enable
sudo systemctl enable keepalived
sudo systemctl start keepalived

# Check status
sudo systemctl status keepalived

# View logs
journalctl -u keepalived -f

# Verify VIP is assigned
ip addr show eth0

Notify Script Example

#!/bin/bash
# /etc/keepalived/notify.sh

TYPE=$1
NAME=$2
STATE=$3

case $STATE in
    "MASTER")
        logger "VRRP: Became MASTER"
        # Add custom actions (start services, etc.)
        ;;
    "BACKUP")
        logger "VRRP: Became BACKUP"
        # Add custom actions
        ;;
    "FAULT")
        logger "VRRP: Entered FAULT state"
        # Alert admin
        ;;
esac

VRRP with Health Checks

# /etc/keepalived/keepalived.conf

vrrp_script check_gateway {
    script "/etc/keepalived/check_gateway.sh"
    interval 2
    weight -50
    fall 3
    rise 2
}

vrrp_instance VI_1 {
    state MASTER
    interface eth0
    virtual_router_id 1
    priority 110
    advert_int 1

    authentication {
        auth_type PASS
        auth_pass secretpass
    }

    virtual_ipaddress {
        192.168.1.1/24
    }

    track_script {
        check_gateway
    }
}
#!/bin/bash
# /etc/keepalived/check_gateway.sh

# Check if we can reach the upstream gateway
ping -c 1 -W 1 10.0.0.1 > /dev/null 2>&1
exit $?

HSRP: Hot Standby Router Protocol

How HSRP Works

HSRP is Cisco's proprietary protocol, similar to VRRP but with some differences.

HSRP Facts:

  • Cisco proprietary
  • UDP port 1985
  • Multicast: 224.0.0.2 (v1) or 224.0.0.102 (v2)
  • Virtual MAC: 00:00:0C:07:AC:XX (v1) or 00:00:0C:9F:FX:XX (v2)
  • Default priority: 100 (range 0-255)
  • Hello interval: 3 seconds default

HSRP States

State Description
Initial Starting state
Learn Waiting to hear from active router
Listen Receiving hellos, not active or standby
Speak Participating in election
Standby Backup router, ready to take over
Active Currently forwarding traffic

HSRP Configuration (Cisco)

! Router A (Active)
Router-A(config)# interface GigabitEthernet0/0
Router-A(config-if)# ip address 192.168.1.2 255.255.255.0
Router-A(config-if)# standby version 2
Router-A(config-if)# standby 1 ip 192.168.1.1
Router-A(config-if)# standby 1 priority 110
Router-A(config-if)# standby 1 preempt
Router-A(config-if)# standby 1 timers 1 3

! Router B (Standby)
Router-B(config)# interface GigabitEthernet0/0
Router-B(config-if)# ip address 192.168.1.3 255.255.255.0
Router-B(config-if)# standby version 2
Router-B(config-if)# standby 1 ip 192.168.1.1
Router-B(config-if)# standby 1 priority 100
Router-B(config-if)# standby 1 preempt

! Verify
Router# show standby
Router# show standby brief

HSRP Interface Tracking

! Track upstream interface - reduce priority if it goes down
Router-A(config)# track 1 interface GigabitEthernet0/1 line-protocol

Router-A(config)# interface GigabitEthernet0/0
Router-A(config-if)# standby 1 track 1 decrement 20

GLBP: Gateway Load Balancing Protocol

How GLBP Works

GLBP is unique because it provides load balancing across multiple routers, not just failover.

  • AVG (Active Virtual Gateway): Answers ARP requests, assigns virtual MACs
  • AVF (Active Virtual Forwarder): Actually forwards traffic
           [Internet]
            /     \
    [Router A]   [Router B]
       AVG          AVF
       AVF          AVF
           \     /
        Virtual IP: 192.168.1.1
              |
          [Switch]
         /   |   \
       PC1  PC2  PC3

PC1 gets MAC → Router A
PC2 gets MAC → Router B  ← Load balanced!
PC3 gets MAC → Router A

GLBP Facts:

  • Cisco proprietary
  • UDP port 3222
  • Multicast: 224.0.0.102
  • Supports up to 4 AVFs per group
  • Virtual MAC: 00:07:B4:XX:XX:XX

GLBP Load Balancing Methods

Method Description
Round-robin AVG alternates MACs for each ARP request (default)
Weighted Distribute based on configured weights
Host-dependent Same host always gets same AVF

GLBP Configuration (Cisco)

! Router A (AVG)
Router-A(config)# interface GigabitEthernet0/0
Router-A(config-if)# ip address 192.168.1.2 255.255.255.0
Router-A(config-if)# glbp 1 ip 192.168.1.1
Router-A(config-if)# glbp 1 priority 110
Router-A(config-if)# glbp 1 preempt
Router-A(config-if)# glbp 1 load-balancing round-robin

! Router B
Router-B(config)# interface GigabitEthernet0/0
Router-B(config-if)# ip address 192.168.1.3 255.255.255.0
Router-B(config-if)# glbp 1 ip 192.168.1.1
Router-B(config-if)# glbp 1 priority 100
Router-B(config-if)# glbp 1 preempt
Router-B(config-if)# glbp 1 load-balancing round-robin

! Verify
Router# show glbp
Router# show glbp brief

GLBP Weighted Load Balancing

! Router A - handle 70% of traffic
Router-A(config-if)# glbp 1 load-balancing weighted
Router-A(config-if)# glbp 1 weighting 70

! Router B - handle 30% of traffic
Router-B(config-if)# glbp 1 load-balancing weighted
Router-B(config-if)# glbp 1 weighting 30

Protocol Comparison

Feature VRRP HSRP GLBP
Standard RFC 5798 Cisco Cisco
Load Balancing No No Yes
Default Priority 100 100 100
Hello Interval 1 sec 3 sec 3 sec
Multicast 224.0.0.18 224.0.0.102 224.0.0.102
Authentication Plain/MD5 Plain/MD5 Plain/MD5
Multi-vendor Yes No No

Which to choose?

  • Multi-vendor environment: Use VRRP
  • Cisco-only, simple failover: HSRP or VRRP
  • Cisco-only, need load balancing: GLBP
  • Linux servers: VRRP with Keepalived

Advanced: Multiple Groups for Load Balancing

Even without GLBP, you can achieve load balancing using multiple VRRP/HSRP groups:

! Router A
! Group 1: Master (for half the hosts)
Router-A(config-if)# vrrp 1 ip 192.168.1.1
Router-A(config-if)# vrrp 1 priority 110

! Group 2: Backup (for other half)
Router-A(config-if)# vrrp 2 ip 192.168.1.254
Router-A(config-if)# vrrp 2 priority 100

! Router B
! Group 1: Backup
Router-B(config-if)# vrrp 1 ip 192.168.1.1
Router-B(config-if)# vrrp 1 priority 100

! Group 2: Master
Router-B(config-if)# vrrp 2 ip 192.168.1.254
Router-B(config-if)# vrrp 2 priority 110

! Configure half your hosts with gateway 192.168.1.1
! Configure other half with gateway 192.168.1.254

Troubleshooting

Common Issues

Issue Possible Cause Solution
Both routers become master Authentication mismatch, network issue Check auth config, verify connectivity
No failover Preempt not enabled Enable preempt on higher priority router
Slow failover Long hello/dead timers Reduce timers (careful with CPU)
Constant failover Unstable link, timer mismatch Check physical layer, match timers
VIP not reachable Multicast blocked Allow protocol multicast through switches

Diagnostic Commands

# Cisco - VRRP
show vrrp
show vrrp brief
show vrrp interface Gi0/0
debug vrrp events

# Cisco - HSRP
show standby
show standby brief
debug standby events

# Cisco - GLBP
show glbp
show glbp brief
debug glbp events

# Linux - Keepalived
systemctl status keepalived
journalctl -u keepalived -f
ip addr show
tcpdump -i eth0 vrrp

Summary

Key Takeaways:

  1. Single gateway = single point of failure
  2. VRRP is the open standard, works across vendors, use with Keepalived on Linux
  3. HSRP is Cisco-proprietary, similar to VRRP
  4. GLBP is Cisco-only but provides native load balancing
  5. Preempt allows higher-priority router to reclaim master role
  6. Interface tracking ensures failover when upstream link fails
  7. Use authentication to prevent rogue routers

A redundant gateway setup is essential for any production network. Combined with redundant switches (see Switch Redundancy article), you can build networks that survive hardware failures without any downtime.