First-Hop Redundancy
What It Is
First-hop redundancy keeps hosts using a stable default gateway IP when one router, switch, firewall, or uplink fails. Classic designs use HSRP, VRRP, or GLBP to present one virtual gateway on a VLAN. Modern campus and data center designs may also use active-active gateways, MLAG/vPC behavior, or EVPN anycast gateway instead of a single active router model.
The real design question is not just "which protocol." It is where the default gateway lives, how failure is detected, what happens to ARP or ND, and whether return traffic stays symmetric enough for the firewall, NAT, and inspection path.
Protocols
| Protocol | Standard | Usual Role | Modern Notes |
|---|---|---|---|
| HSRP | Cisco | Active and standby virtual gateway | Common in Cisco campus and WAN edge designs |
| VRRPv3 | RFC 9568 (obsoletes RFC 5798) | Active and backup virtual router | Open standard for IPv4 and IPv6; no authentication in the protocol |
| GLBP | Cisco | Gateway redundancy with host load sharing | Mostly legacy, less common in modern designs |
| Anycast gateway | Vendor design pattern | Same gateway IP and MAC on many switches | Common with EVPN/VXLAN fabrics |
Modern note: VRRPv3 is the current VRRP reference for IPv4 and IPv6. Older VRRPv2 references were IPv4-only.
Addressing And MAC Behavior
| Item | What It Means |
|---|---|
| Virtual IP | Default gateway configured on hosts |
| Virtual MAC | MAC address hosts learn for the gateway |
| Active router | Device currently forwarding for the virtual gateway |
| Standby or backup | Device ready to take over |
| Owner | VRRP router using its real interface IP as the virtual IP |
| Preempt | Higher-priority router can retake active role after recovery |
| Tracking | Reduces priority when an uplink, route, or object fails |
Watch out: FHRP protects the first hop. It does not automatically prove the upstream path is healthy. Track the path that actually matters.
Comparison
| Feature | HSRP | VRRPv3 | GLBP |
|---|---|---|---|
| Multi-vendor | No | Yes | No |
| IPv4 | Yes | Yes | Yes |
| IPv6 | Yes, with HSRP version 2 | Yes | Platform-dependent |
| Load sharing | By VLAN or group design | By VLAN or group design | Built into protocol |
| Default preempt | No | Yes, per the RFC | No for the AVG role |
| Authentication | Plaintext or MD5 | None; removed from the standard, so filtering is the only control | Plaintext or MD5 |
| Virtual MAC | 0000.0c07.acXX (v1), 0000.0c9f.fXXX (v2) | 0000.5e00.01XX (IPv4), 0000.5e00.02XX (IPv6) | 0007.b400.XXYY (XX group, YY forwarder) |
| Common multicast | 224.0.0.2 (v1), 224.0.0.102 (v2), ff02::66 (IPv6) | 224.0.0.18 and ff02::12 | 224.0.0.102 |
| Common transport | UDP/1985 (UDP/2029 for IPv6) | IP protocol 112 | UDP/3222 |
Design note: In most networks, active-active by VLAN or anycast gateway is easier to operate than GLBP host load sharing.
State Model
| Protocol | Main States | Meaning |
|---|---|---|
| HSRP | Initial, learn, listen, speak, standby, active | One active forwards, one standby waits; learn is the wait for a hello that carries the virtual IP |
| VRRP | Initialize, backup, active (called master before RFC 9568, and many platforms still show it that way) | Active owns the virtual router responsibility |
| GLBP | AVG and AVF roles | AVG answers ARP, AVFs forward for assigned virtual MACs |
Design Choices
| Choice | Recommendation |
|---|---|
| Virtual gateway IP | Use a stable address, commonly .1 or .254, and document it |
| Active placement | Align with STP root, firewall path, or preferred uplink |
| VLAN pairs | Split active gateways by VLAN only when it matches real traffic patterns |
| Timers | Tune only when the LAN and CPU can handle it |
| Preempt | Enable deliberately with tracking and a sane delay |
| Authentication | Use HSRP or GLBP MD5 authentication where supported; VRRPv3 has none, so filtering is the only control there |
| Filtering | Block FHRP packets (the multicast groups and ports in the comparison table) on access ports and on any port that does not face an FHRP peer |
| IPv6 | Treat RA, ND, DHCPv6, and FHRP as one gateway design |
Watch out: Fast timers can create faster failover and faster instability. Measure convergence instead of assuming lower timers are better.
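Priority, tracking and preempt interact in ways that are easy to get wrong on paper: a decrement smaller than the priority gap never moves the role, and in HSRP a tracking-driven drop only helps if the standby is allowed to preempt. The following is an added example, not code from the page or from any vendor: it models only the election rule the page describes (highest effective priority wins, ties go to the higher interface IP, a live active router is displaced only by a router that preempts) and runs the three cases through it. Hello timers, preempt delay and the learn/listen/speak states are not modelled; router names, addresses and priorities are assumed.

```python
"""Election model for HSRP/VRRP-style groups: priority, tracking decrements, preempt.

Added example, not code from the page. Models the decision rule only, not the
wire protocol. Scenario values below are assumed for illustration.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address


@dataclass
class Router:
    name: str
    ip: str                      # real interface IP, the tie-breaker
    priority: int                # configured priority
    preempt: bool = False        # HSRP and GLBP default off, VRRP default on
    tracks: dict = field(default_factory=dict)   # tracked object -> decrement
    down: set = field(default_factory=set)       # tracked objects currently failed
    alive: bool = True           # False once hellos stop (router or link dead)

    def effective_priority(self) -> int:
        """Configured priority minus the decrement of every failed tracked object."""
        return max(0, self.priority - sum(self.tracks[t] for t in self.down))

    def rank(self):
        return (self.effective_priority(), int(IPv4Address(self.ip)))


def elect(routers, current=None):
    """Return the router holding the active role after this round.

    A dead active router is always replaced. A live active router is replaced
    only by a better-ranked router that has preempt enabled.
    """
    candidates = [r for r in routers if r.alive]
    if not candidates:
        return None
    best = max(candidates, key=Router.rank)
    if current is None or not current.alive or best is current:
        return best
    return best if best.preempt else current


def run_scenario(decrement, standby_preempt):
    """R1 (priority 110, tracks its uplink) and R2 (default 100).
    Returns the active router after: initial election, R1 uplink down, uplink restored."""
    r1 = Router("R1", "10.10.10.2", 110, preempt=True, tracks={"uplink": decrement})
    r2 = Router("R2", "10.10.10.3", 100, preempt=standby_preempt)
    group = [r1, r2]
    active = elect(group)
    history = [active.name]
    r1.down.add("uplink")            # uplink fails, R1 drops by the decrement
    active = elect(group, active)
    history.append(active.name)
    r1.down.discard("uplink")        # uplink recovers, R1 returns to 110
    active = elect(group, active)
    history.append(active.name)
    return history


if __name__ == "__main__":
    print("decrement 30, standby preempts:  ", run_scenario(30, True))   # ['R1', 'R2', 'R1']
    print("decrement 5, standby preempts:   ", run_scenario(5, True))    # ['R1', 'R1', 'R1']
    print("decrement 30, no standby preempt:", run_scenario(30, False))  # ['R1', 'R1', 'R1']
```

The second and third runs are the "Failover does not happen" row of the troubleshooting table: a decrement that does not clear the gap to the peer's priority, or a standby without preempt, leaves the router with the dead uplink holding the gateway.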
Modern Data Center Note
EVPN/VXLAN fabrics commonly use anycast gateway. Each leaf switch has the same gateway IP and virtual MAC for a VLAN or bridge domain, so hosts forward to the local leaf. This removes classic active/standby first-hop behavior inside the fabric, but it adds control-plane dependencies: EVPN route advertisements, MAC/IP learning, duplicate MAC/IP detection, and a consistent anycast MAC on every leaf.
Anycast gateway is not a drop-in replacement for HSRP at every edge. Firewalls, service insertion, NAT, and asymmetric traffic still need deliberate design.
Cisco IOS/IOS-XE Examples
HSRP with tracking (object tracking; older releases also accept an interface name directly on the standby track line):
interface GigabitEthernet1/0/10
description Users VLAN 10 routed gateway
ip address 10.10.10.2 255.255.255.0
standby version 2
standby 10 ip 10.10.10.1
standby 10 priority 110
standby 10 preempt delay minimum 30
standby 10 authentication md5 key-string ExampleKey
standby 10 track 2 decrement 30
VRRPv3 style gateway (VRRPv3 must be enabled globally first):
fhrp version vrrp v3
interface GigabitEthernet1/0/20
description Servers VLAN 20 routed gateway
ip address 10.10.20.2 255.255.255.0
vrrp 20 address-family ipv4
address 10.10.20.1 primary
priority 110
preempt delay minimum 30
track 1 decrement 30
Object tracking (track 1 follows the default route, track 2 the uplink; a decrement of 30 clears the gap to a peer at the default priority of 100, a decrement of 5 would not):
track 1 ip route 0.0.0.0 0.0.0.0 reachability
track 2 interface GigabitEthernet1/0/48 line-protocol
Legacy GLBP pattern (the weighting thresholds only act when a track object lowers the weight):
interface GigabitEthernet1/0/30
description Legacy GLBP VLAN 30
ip address 10.10.30.2 255.255.255.0
glbp 30 ip 10.10.30.1
glbp 30 priority 110
glbp 30 preempt
glbp 30 load-balancing host-dependent
glbp 30 weighting 110 lower 90 upper 105
glbp 30 weighting track 1 decrement 30
Notes:
- Syntax varies by platform and release. Verify the exact command form before pasting into production.
- Addresses, interface names, VLANs, keys, and track objects are examples only. Replace them with your own.
- If the gateway is on an SVI, align the FHRP design with the Layer 2 topology.
Troubleshooting
| Symptom | Check | Likely Cause |
|---|---|---|
| Hosts lose gateway during failover | ARP/ND, timers, state, switch MAC table | Failover slow or virtual MAC not learned |
| Both routers active | L2 adjacency, FHRP filtering, VLAN trunk, group number, HSRP version, authentication key | Split brain on the VLAN, or peers that cannot read each other's hellos |
| Wrong router is active | Priority, preempt, tracking | Config does not match intended role, or preempt is off and the first router up kept the role |
| Failover does not happen | Track object, uplink state, route state | Only the local interface is being watched |
| Flapping active role | Timer tuning, CPU, packet loss, preempt | Unstable hellos or unstable tracking |
| Firewall sessions break | Symmetry and return path | New active gateway changes traffic path |
| IPv6 clients behave differently | RA, ND, FHRP IPv6 support | IPv6 gateway design does not match IPv4 |
Commands
show standby brief
show standby
show vrrp brief
show vrrp
show glbp brief
show glbp
show track brief
show ip arp 10.10.10.1
show mac address-table address <virtual-mac>
show logging | include HSRP|VRRP|GLBP|TRACK
Expected clues:
- Exactly one active router exists for each classic FHRP group.
- Priority and preempt behavior match the intended active device.
- Track objects change state when the real upstream path fails.
- Hosts resolve the virtual gateway to the expected virtual MAC.
- Access ports do not accept rogue FHRP advertisements.
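Reading the brief tables one device at a time hides the most common faults, because each side of a split brain looks healthy on its own. The following is an added example, not code from the page or from Cisco: it parses the `show standby brief` table from each switch of a VLAN pair and applies the expected clues across all of them at once (exactly one Active per group, the Active on the intended device, that device configured to preempt, and the same virtual IP everywhere). The two outputs are constructed to show a healthy group 10 and a split-brain group 20; device names are assumed.

```python
"""Cross-check HSRP state from several `show standby brief` outputs.

Added example, not part of the page. The outputs below are constructed to
match the IOS column layout; they did not come from a real device.
"""
import re
from collections import defaultdict

# Interface  Grp  Pri P State  Active  Standby  Virtual IP   (P column is optional)
ROW = re.compile(
    r"^(?P<iface>\S+)\s+(?P<grp>\d+)\s+(?P<pri>\d+)\s+(?:(?P<preempt>P)\s+)?"
    r"(?P<state>\w+)\s+(?P<active>\S+)\s+(?P<standby>\S+)\s+(?P<vip>\S+)\s*$"
)


def parse_standby_brief(text):
    """Return one dict per group row; header and legend lines do not match ROW."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            rows.append({
                "iface": m["iface"], "grp": int(m["grp"]), "pri": int(m["pri"]),
                "preempt": m["preempt"] == "P", "state": m["state"],
                "active": m["active"], "standby": m["standby"], "vip": m["vip"],
            })
    return rows


def audit_groups(outputs, expected_active):
    """outputs: device name -> `show standby brief` text.
    expected_active: group number -> device that should hold the Active role."""
    by_group = defaultdict(dict)                 # grp -> device -> row
    for device, text in outputs.items():
        for row in parse_standby_brief(text):
            by_group[row["grp"]][device] = row
    findings = []
    for grp in sorted(by_group):
        rows = by_group[grp]
        actives = sorted(d for d, r in rows.items() if r["state"] == "Active")
        if len(actives) > 1:
            findings.append(f"group {grp}: {len(actives)} devices report Active "
                            f"({', '.join(actives)}): split brain, check L2 path and group config")
        elif not actives:
            findings.append(f"group {grp}: no device reports Active")
        if len({r["vip"] for r in rows.values()}) > 1:
            findings.append(f"group {grp}: virtual IP differs between devices")
        want = expected_active.get(grp)
        if want is None:
            continue
        if want not in rows:
            findings.append(f"group {grp}: expected active {want} does not run the group")
            continue
        if len(actives) == 1 and actives != [want]:
            findings.append(f"group {grp}: expected {want} active, got {actives[0]}")
        if not rows[want]["preempt"]:
            findings.append(f"group {grp}: {want} is not configured to preempt, "
                            "it will not take the role back after recovery")
    return findings


# Constructed outputs from two distribution switches sharing VLANs 10 and 20.
SW1 = """\
                     P indicates configured to preempt.
                     |
Interface   Grp  Pri P State   Active          Standby         Virtual IP
Gi1/0/10    10   110 P Active  local           10.10.10.3      10.10.10.1
Gi1/0/20    20   100   Active  local           unknown         10.10.20.1
"""
SW2 = """\
                     P indicates configured to preempt.
                     |
Interface   Grp  Pri P State   Active          Standby         Virtual IP
Gi1/0/10    10   100   Standby 10.10.10.2      local           10.10.10.1
Gi1/0/20    20   110 P Active  local           unknown         10.10.20.1
"""
OUTPUTS = {"SW1": SW1, "SW2": SW2}

if __name__ == "__main__":
    for finding in audit_groups(OUTPUTS, {10: "SW1", 20: "SW2"}):
        print(finding)
```

The "unknown" in the Standby column of group 20 is the per-device symptom of a split brain; the cross-device view turns it into a definite finding. The same structure works for `show vrrp brief` and `show glbp brief` once the regular expression is adjusted to those column layouts.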
Watch Out
- Do not rely on FHRP if both devices share the same failed uplink.
- Do not tune subsecond timers without testing CPU, control-plane policing, and packet loss.
- Do not forget IPv6 router advertisements when dual-stack hosts use the VLAN.
- Do not assume GLBP gives useful load balancing for modern campus designs.
- Do not let untrusted hosts send FHRP advertisements.
- Do not ignore firewall state and NAT when gateway failover changes the path.