First Hop Redundancy
Engineering High-Availability Gateways
The Virtualization of the Gateway
In a standard TCP/IP configuration, a host is assigned a static Default Gateway IP. If that router hardware fails, every host on the subnet loses all off-link connectivity — a fundamental single point of failure in the architecture. FHRP solves this by creating a Virtual IP (VIP) and a corresponding Virtual MAC (VMAC) that are shared between a group of physical routers. Hosts point to the VIP as their gateway; the FHRP protocol elects which physical router currently "owns" that VIP and responds to ARP queries with the VMAC.
Master Election
R1 (Pri 110) is the Master. If R1 fails, R2 (Pri 100) waits for the "Hold Timer" to expire before declaring itself Master.
Gratuitous ARP
Upon failover, R2 sends a GARP. This updates the L2 fabric so frames are steered to the new physical port.
HSRP vs. VRRP: A Comparative Analysis
While both protocols achieve the same gateway virtualization goal, their implementation, multicast groups, and terminology differ in important ways:
- HSRP (Hot Standby Router Protocol): Cisco-proprietary (standardized in RFC 2281). Uses 'Active' and 'Standby' roles. Hello messages are sent to 224.0.0.2 every 3 seconds by default, with a 10-second hold timer. HSRPv2 extends group numbers to 0-4095.
- VRRP (Virtual Router Redundancy Protocol): Open standard (RFC 5798). Uses 'Master' and 'Backup' roles. Hello messages are sent to 224.0.0.18 every 1 second by default, with a 3-second master-down interval, giving inherently faster default failover than HSRP.
The router with the highest configured priority becomes the Active/Master and owns the VIP. In the event of a priority tie, the router with the highest physical interface IP address wins the election. Default priority is 100 in both HSRP and VRRP.
Virtual MAC Mechanics
To prevent hosts from needing to clear their ARP caches during a failover (which would cause a brief traffic interruption during ARP refresh), FHRP uses a pre-defined Virtual MAC address that never changes, regardless of which physical router currently holds the Active role:
- HSRP VMAC: (where XX is the HSRP group number in hex).
- VRRP VMAC: (where XX is the VRID in hex).
Object Tracking and WAN-Awareness
A router can be 'healthy' internally — all interfaces up, FHRP hellos exchanged — but have a failed upstream WAN link, making it unable to reach the internet. Without WAN-awareness, FHRP would keep it as the Active gateway, silently blackholing all traffic. Advanced FHRP implementations use Object Tracking to solve this: if the tracked object (upstream interface, IP SLA reachability test) fails, the router automatically decrements its priority by a configured amount, triggering a graceful preemption to the peer that still has internet reach.
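The election rule and the tracking decrement described above, as an added example (not code from the original page or from any router vendor). It is a simplified model: the Router class, elect() and wan_failure() are hypothetical names, and the 192.0.2.x addresses are constructed sample values. It shows that a decrement smaller than the priority gap leaves the router with the failed uplink in charge of the VIP.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address


@dataclass
class Router:
    name: str
    ip: IPv4Address            # physical interface address, the tie-breaker
    priority: int = 100        # default in both HSRP and VRRP
    track_decrement: int = 0   # subtracted while the tracked object is down
    tracked_up: bool = True    # tracked object state (e.g. WAN uplink)
    alive: bool = True         # False once the peer's hold timer has expired
    preempt: bool = True       # may take the VIP from a live, lower-ranked owner

    @property
    def effective_priority(self) -> int:
        if self.tracked_up:
            return self.priority
        return max(0, self.priority - self.track_decrement)


def elect(routers, current=None):
    """Return the router that should own the VIP, or None if all are down."""
    live = [r for r in routers if r.alive]
    if not live:
        return None
    # Highest effective priority wins; highest interface IP breaks a tie.
    best = max(live, key=lambda r: (r.effective_priority, int(r.ip)))
    # A live incumbent keeps the VIP unless the challenger may preempt.
    if current is not None and current.alive and best is not current and not best.preempt:
        return current
    return best


def wan_failure(decrement):
    """R1 (priority 110) loses its uplink while still sending hellos."""
    r1 = Router("R1", IPv4Address("192.0.2.2"), priority=110, track_decrement=decrement)
    r2 = Router("R2", IPv4Address("192.0.2.3"), priority=100)
    before = elect([r1, r2])
    r1.tracked_up = False
    after = elect([r1, r2], current=before)
    return before.name, after.name


if __name__ == "__main__":
    for dec in (5, 20):  # 110-5=105 still beats 100; 110-20=90 does not
        print(dec, wan_failure(dec))
```

When reviewing a configuration, check that the tracking decrement is larger than the priority difference between the peers and that preemption is enabled on the router expected to take over.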
By combining sub-second hello timers (100ms/300ms), BFD (Bidirectional Forwarding Detection) for link-failure detection, preemption with delay, and object tracking, modern FHRP deployments achieve gateway failover in under 200 milliseconds, providing uninterrupted service for latency-sensitive applications like VoIP and financial trading systems.