VRRP & GLBP – Gateway Redundancy, Election, Load Balancing & Configuration

1. Why First Hop Redundancy Matters

Every host on a subnet has a single configured default gateway — the router it sends all off-subnet traffic to. If that router fails, the host has no route out of the subnet and loses all external connectivity, even if a second router is physically present and operational.

  Without FHRP:
  PC (GW: 192.168.1.1)
       |
  [R1: 192.168.1.1]  <-- FAILS
  [R2: 192.168.1.2]  <-- idle; PC cannot use it (GW is hardcoded)
  Result: PC offline until admin manually reconfigures GW or R1 recovers.

  With FHRP (VRRP / HSRP / GLBP):
  PC (GW: 192.168.1.254) -- virtual IP shared by R1 and R2
       |
  [R1: real 192.168.1.1, virtual 192.168.1.254] <-- MASTER/ACTIVE
  [R2: real 192.168.1.2, virtual 192.168.1.254] <-- BACKUP/STANDBY
  R1 FAILS:
  [R2 detects failure, assumes virtual IP within seconds]
  PC ARP cache still has virtual MAC -> traffic automatically redirects to R2.
  PC is unaware any failure occurred.

2. FHRP Comparison — HSRP vs VRRP vs GLBP

| Feature | HSRP | VRRP | GLBP |
|---|---|---|---|
| Standard | Cisco proprietary | IETF open standard (RFC 5798) | Cisco proprietary |
| IPv4 support | Yes (v1 and v2) | Yes (v2 and v3) | Yes |
| IPv6 support | Yes (v2 only) | Yes (v3 only) | Yes |
| Load balancing | No (only one active router per group) | No (only one Master per group; multi-group workaround) | Yes — true simultaneous load balancing across all routers |
| Virtual IP = real IP? | No — virtual IP cannot match a physical interface IP | Yes — virtual IP CAN match the Master's real interface IP (Master IP owner gets priority 255 automatically) | No — virtual IP is separate from all physical IPs |
| Virtual MAC format | 00-00-0C-07-AC-XX (v1); 00-00-0C-9F-FX-XX (v2) | 00-00-5E-00-01-XX (VRID in hex) | 00-07-B4-00-01-XX (AVF number in hex) |
| Default hello/advert interval | 3 sec Hello, 10 sec Hold | 1 sec Advertisement | 3 sec Hello, 10 sec Hold |
| Preemption | Disabled by default (must enable) | Enabled by default | Disabled by default (must enable) |
| Default priority | 100 | 100 | 100 (AVG election) |
| Priority range | 0–255 (active = highest) | 1–254 (Master = highest; 255 = IP owner) | 1–255 (AVG = highest) |
| Authentication | Plaintext or MD5 (v2) | Plaintext (v2 only, deprecated); MD5 via key-chain (v3) | MD5 |
| Multicast address | 224.0.0.2 (v1), 224.0.0.102 (v2) | 224.0.0.18 | 224.0.0.102 |

3. VRRP — Virtual Router Redundancy Protocol

VRRP (RFC 5798) is the open-standard FHRP supported by virtually all vendors. It creates a Virtual Router with a shared virtual IP and virtual MAC address. One router is the Master and owns the virtual IP; the others are Backups waiting to take over.

VRRP Key Terms

| Term | Definition |
|---|---|
| VRID | Virtual Router Identifier (1–255). Identifies a VRRP group. Multiple VRIDs can run on the same interface for load-sharing. |
| Master Router | Currently forwards traffic for the virtual IP. Sends Advertisement messages. |
| Backup Router | Listens for Advertisements. Steps up to Master if no Advertisement received within Master Down Interval. |
| Virtual IP | The default gateway IP configured on hosts. May match the Master's real interface IP (IP owner). |
| Virtual MAC | 00-00-5E-00-01-{VRID}. Hosts ARP for the virtual IP and receive this MAC as the gateway MAC. |
| IP Owner | Router whose real interface IP matches the virtual IP. Automatically assigned priority 255 — always becomes Master. |
| Advertisement | Multicast packet (to 224.0.0.18) sent by Master every Advertisement Interval. Signals Master is alive. |
| Master Down Interval | Time Backup waits before declaring Master dead: (3 × Advertisement Interval) + Skew Time. Default ≈ 3.6 sec. |

4. VRRP Election — How Master Is Selected

  VRRP Master election:

  Step 1 — Compare priority:
  Highest priority wins (range 1–254; default 100)
  Priority 255 reserved for IP Owner (virtual IP = interface IP)

  Step 2 — Tiebreaker (equal priority):
  Highest interface IP address wins

  Example:
  R1: vrrp 1 ip 192.168.10.254, priority 120, real IP 192.168.10.1
  R2: vrrp 1 ip 192.168.10.254, priority 100, real IP 192.168.10.2
  R3: vrrp 1 ip 192.168.10.254, priority 100, real IP 192.168.10.3

  R1 wins (priority 120 > 100) -> R1 is Master
  R3 is first Backup (priority tied with R2; R3 has higher IP 192.168.10.3)
  R2 is second Backup

  Special case -- IP Owner:
  R4: vrrp 1 ip 192.168.10.4 (virtual IP = real IP 192.168.10.4)
  R4 gets priority 255 automatically -> ALWAYS wins election
  Even if you configure lower priority, IP Owner gets 255

  Preemption (default ON in VRRP):
  If R2 was Master (R1 was down) and R1 comes back:
  R1 (priority 120) > R2 (priority 100) -> R1 immediately preempts and takes Master
  This happens without delay -- VRRP preempts by default (unlike HSRP)

5. VRRP States

| State | Description | Traffic Forwarding? |
|---|---|---|
| Initialize | VRRP is starting up; waiting for startup event (interface up, VRRP config applied). Not yet participating in election. | No |
| Backup | Listening for Advertisement messages from Master. Ready to assume Master role if Master Down Interval expires. | No |
| Master | Forwarding traffic for the virtual IP. Sending Advertisement messages at Advertisement Interval. Responding to ARP for virtual IP with virtual MAC. | Yes |

  VRRP state transitions:

  Initialize
      |
      | (interface comes up / VRRP configured)
      v
  Backup ----[no Advert received in Master Down Interval]----> Master
      ^                                                           |
      |                                                           |
      +---[higher-priority Master Advertisement received]--------+
      (preempted: step down from Master to Backup)

6. VRRPv2 vs VRRPv3

| Feature | VRRPv2 (RFC 3768) | VRRPv3 (RFC 5798) |
|---|---|---|
| IPv4 support | Yes | Yes |
| IPv6 support | No | Yes — uses link-local as source |
| Advertisement interval precision | 1-second granularity (integer seconds) | Centisecond precision (sub-second timers) |
| Authentication | Plaintext (Type 1) — deprecated; not secure | No built-in auth; use IPsec or key-chain MD5 on Cisco |
| Multicast address | 224.0.0.18 | 224.0.0.18 (IPv4); FF02::12 (IPv6) |
| Cisco IOS config keyword | Default on older IOS | Requires vrrp version 3 or fhrp version vrrp v3 |

7. VRRP Configuration — Cisco IOS

! ── Basic VRRP (Master router — higher priority) ─────────────────────────
R1(config)# interface GigabitEthernet0/0
R1(config-if)# ip address 192.168.10.1 255.255.255.0
R1(config-if)# vrrp 1 ip 192.168.10.254         ! Virtual IP (group 1)
R1(config-if)# vrrp 1 priority 120              ! Higher priority = Master
R1(config-if)# vrrp 1 preempt                   ! Take back Master on recovery (default ON)
R1(config-if)# vrrp 1 timers advertise 1        ! Advertisement every 1 sec (default)
R1(config-if)# vrrp 1 description PRIMARY_GW

! ── Backup router (lower priority) ─────────────────────────────────────────
R2(config)# interface GigabitEthernet0/0
R2(config-if)# ip address 192.168.10.2 255.255.255.0
R2(config-if)# vrrp 1 ip 192.168.10.254         ! Same virtual IP, same VRID
R2(config-if)# vrrp 1 priority 100              ! Default; stays Backup
R2(config-if)# vrrp 1 preempt

! ── Enable VRRPv3 (required for IPv6 or sub-second timers) ─────────────────
R1(config)# fhrp version vrrp v3
R1(config)# interface GigabitEthernet0/0
R1(config-if)# vrrp 1 address-family ipv4
R1(config-if-vrrp)# address 192.168.10.254 primary
R1(config-if-vrrp)# priority 120
R1(config-if-vrrp)# preempt

! ── Authentication (VRRPv2 plaintext -- use only in trusted networks) ──────
! The key string is carried unencrypted in every Advertisement.
R1(config-if)# vrrp 1 authentication text MySecret

! ── Object tracking (reduce priority if uplink fails) ─────────────────────
R1(config)# track 1 interface GigabitEthernet0/1 line-protocol
R1(config-track)# exit
R1(config)# interface GigabitEthernet0/0
R1(config-if)# vrrp 1 track 1 decrement 30
! If Gi0/1 goes down: R1 priority drops from 120 to 90 (below R2's 100)
! R2 preempts and takes over -- prevents blackholing if R1's WAN link fails
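
The election rules from section 4 and the tracking decrement configured above can be checked with a small model. This is an added example, not Cisco code: the Router class and function names are assumptions, and the Skew Time formula ((256 - priority) / 256 x Advertisement Interval) is taken from RFC 5798 rather than from this page.

```python
from dataclasses import dataclass, replace
from ipaddress import IPv4Address


@dataclass(frozen=True)
class Router:                    # hypothetical model, not an IOS object
    name: str
    real_ip: str
    priority: int = 100          # "vrrp N priority P" (default 100)
    track_decrement: int = 0     # "vrrp N track X decrement D"
    tracked_up: bool = True      # state of the tracked object

    def effective_priority(self, virtual_ip: str) -> int:
        if self.real_ip == virtual_ip:       # IP Owner always advertises 255
            return 255
        prio = self.priority - (0 if self.tracked_up else self.track_decrement)
        return max(prio, 1)


def election_order(routers, virtual_ip):
    """Master first, then Backups: highest priority, tiebreak on highest real IP."""
    return sorted(
        routers,
        key=lambda r: (r.effective_priority(virtual_ip), int(IPv4Address(r.real_ip))),
        reverse=True,
    )


def master_down_interval_ms(priority, advert_ms=1000):
    """(3 x Advertisement Interval) + Skew Time, in milliseconds."""
    skew_ms = (256 - priority) * advert_ms // 256
    return 3 * advert_ms + skew_ms


def decrement_causes_failover(master, backup, virtual_ip):
    """True if losing the tracked object lets `backup` preempt `master`.

    A Backup only preempts when its priority is strictly higher than the
    priority it hears advertised, so an equal priority is not enough.
    """
    degraded = replace(master, tracked_up=False)
    return backup.effective_priority(virtual_ip) > degraded.effective_priority(virtual_ip)


# Routers from the page's election example.
VIP = "192.168.10.254"
R1 = Router("R1", "192.168.10.1", priority=120, track_decrement=30)
R2 = Router("R2", "192.168.10.2")
R3 = Router("R3", "192.168.10.3")
R4 = Router("R4", "192.168.10.4")   # IP Owner when the virtual IP is 192.168.10.4

if __name__ == "__main__":
    print([r.name for r in election_order([R1, R2, R3], VIP)])
    print([r.name for r in election_order([R1, R2, R3, R4], "192.168.10.4")])
    print(master_down_interval_ms(100))
    print(decrement_causes_failover(R1, R2, VIP))
    print(decrement_causes_failover(replace(R1, track_decrement=20), R2, VIP))
```

A decrement of 20 leaves R1 at priority 100, equal to R2, so R1 stays Master with a dead uplink; the check reports that case as no failover.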

8. VRRP Load-Sharing with Multiple Groups

VRRP itself does not load-balance — only one Master forwards per group. However, you can run multiple VRRP groups on the same interface, making each router the Master for a different group. Hosts are split between the groups.

  Two VRRP groups on the same subnet:

  R1: real IP 192.168.10.1
  R2: real IP 192.168.10.2

  VRRP Group 1: Virtual IP 192.168.10.253
    R1: priority 120 -> MASTER for group 1
    R2: priority 100 -> Backup for group 1

  VRRP Group 2: Virtual IP 192.168.10.254
    R2: priority 120 -> MASTER for group 2
    R1: priority 100 -> Backup for group 2

  Hosts configured:
  Finance PCs: default gateway 192.168.10.253 (served by R1)
  HR PCs:      default gateway 192.168.10.254 (served by R2)

  Result: R1 handles Finance traffic; R2 handles HR traffic.
  If R1 fails: R2 takes over group 1 (redundancy maintained).
  If R2 fails: R1 takes over group 2 (redundancy maintained).
  Both links active simultaneously -- bandwidth utilised.

! Configure VRRP load-sharing on R1:
R1(config-if)# vrrp 1 ip 192.168.10.253
R1(config-if)# vrrp 1 priority 120      ! Master for group 1
R1(config-if)# vrrp 2 ip 192.168.10.254
R1(config-if)# vrrp 2 priority 100      ! Backup for group 2

! Configure VRRP load-sharing on R2:
R2(config-if)# vrrp 1 ip 192.168.10.253
R2(config-if)# vrrp 1 priority 100      ! Backup for group 1
R2(config-if)# vrrp 2 ip 192.168.10.254
R2(config-if)# vrrp 2 priority 120      ! Master for group 2

9. Verifying VRRP

! ── Show VRRP status ─────────────────────────────────────────────────────
R1# show vrrp
GigabitEthernet0/0 - Group 1
  State is Master
  Virtual IP address is 192.168.10.254
  Virtual MAC address is 0000.5e00.0101    <-- 00-00-5E-00-01-{VRID=1}
  Advertisement interval is 1000 msec
  Preemption is enabled
  Priority is 120
  Master Router is 192.168.10.1, priority is 120
  Master Advertisement interval is 1000 msec
  Master Down interval is 3609 msec

! ── Show brief format ─────────────────────────────────────────────────────
R1# show vrrp brief
Interface     Grp  Pri  Time  Own Pre State    Master addr    Group addr
Gi0/0         1    120  3609       Y  Master   192.168.10.1   192.168.10.254

! On the Backup router:
R2# show vrrp brief
Gi0/0         1    100  3609       Y  Backup   192.168.10.1   192.168.10.254
                                                ^--- Master is still R1

! ── Debug VRRP events ────────────────────────────────────────────────────
R1# debug vrrp events
VRRP: Gi0/0 Grp 1 Advertisement from 192.168.10.2 priority 100
VRRP: Gi0/0 Grp 1 Rcvd lower pri (100 < 120) from 192.168.10.2 -- ignoring

10. GLBP — Gateway Load Balancing Protocol

GLBP is Cisco's proprietary FHRP that solves the HSRP/VRRP limitation of one active router per group. GLBP uses a single virtual IP but multiple virtual MAC addresses — one per forwarding router — allowing all routers to actively forward traffic simultaneously.

  GLBP architecture (4 routers, single virtual IP):

  Hosts configured with GW: 192.168.20.254 (single virtual IP)

  GLBP Group 1:
  R1 [AVG + AVF1]: real 192.168.20.1, virtual MAC 0007.b400.0101
  R2 [AVF2]:       real 192.168.20.2, virtual MAC 0007.b400.0102
  R3 [AVF3]:       real 192.168.20.3, virtual MAC 0007.b400.0103
  R4 [AVF4]:       real 192.168.20.4, virtual MAC 0007.b400.0104

  ARP process:
  PC-A ARPs for 192.168.20.254 -> AVG (R1) replies with MAC 0007.b400.0101 -> PC-A uses R1
  PC-B ARPs for 192.168.20.254 -> AVG (R1) replies with MAC 0007.b400.0102 -> PC-B uses R2
  PC-C ARPs for 192.168.20.254 -> AVG (R1) replies with MAC 0007.b400.0103 -> PC-C uses R3

  Each host uses a different physical router, but ALL see the same virtual IP!
  ALL four routers forward traffic simultaneously = true load balancing.

GLBP Roles

| Role | Full Name | Responsibilities | How Many Per Group |
|---|---|---|---|
| AVG | Active Virtual Gateway | Manages the group: responds to ARP requests for the virtual IP by distributing virtual MAC addresses per load-balancing method. Elected by highest priority (then highest real IP as tiebreaker). | One (plus one SVG standby) |
| SVG | Secondary Virtual Gateway | Standby backup to the AVG. Takes over AVG role if AVG fails. | One |
| AVF | Active Virtual Forwarder | Actively forwards traffic for its assigned virtual MAC address. Every router in the group (including the AVG) is also an AVF. | Up to 4 per group |
| SVF | Secondary Virtual Forwarder | Backup to an AVF. Takes over the AVF's virtual MAC if that AVF fails. | One per AVF |

11. GLBP Load-Balancing Methods

| Method | How It Works | Best For |
|---|---|---|
| Round-Robin (default) | AVG assigns virtual MACs to ARP requests in rotation: first request gets MAC1, second gets MAC2, third gets MAC3, fourth gets MAC1 again, and so on. | Equal distribution when all hosts generate similar traffic volumes. Simple and predictable. |
| Host-Dependent | Each host (identified by source MAC) always gets the same virtual MAC. The assignment is consistent across ARP renewals, so a host always uses the same router. | Applications requiring session persistence (stateful firewalls, ICAP proxies). Host always returns to the same gateway after ARP timeout. |
| Weighted | AVFs receive proportional traffic based on configured weight values. A router with weight 200 handles twice as much traffic as one with weight 100. | Environments with unequal router capacities — send more traffic to higher-spec routers, less to lighter hardware. |

  Round-Robin example (3 AVFs):
  Request 1: AVG replies with MAC 0007.b400.0101 -> PC-A routes via R1
  Request 2: AVG replies with MAC 0007.b400.0102 -> PC-B routes via R2
  Request 3: AVG replies with MAC 0007.b400.0103 -> PC-C routes via R3
  Request 4: AVG replies with MAC 0007.b400.0101 -> PC-D routes via R1
  (cycle repeats)

  Weighted example (R1 weight 150, R2 weight 100, R3 weight 50):
  Total weight = 300; each router gets proportional share of ARP responses
  R1: 50% of clients (150/300)
  R2: 33% of clients (100/300)
  R3: 17% of clients (50/300)
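
The AVG behaviour described in sections 10 and 11 (one virtual IP, one virtual MAC per AVF, three ways of choosing which MAC goes into an ARP reply, and takeover of a failed AVF's MAC) is modelled below. This is an added example, not Cisco's implementation: the GlbpGroup class, the hash used for host-dependent mode, the smooth weighted rotation and the choice of takeover router are all assumptions made for illustration.

```python
import zlib


class GlbpGroup:
    """Simplified model of one GLBP group (group number 1, as on this page)."""

    def __init__(self, weights, method="round-robin"):
        # weights: {router: weighting}; AVF numbers follow insertion order.
        self.method = method
        self.macs = [f"0007.b400.01{n:02x}" for n in range(1, len(weights) + 1)]
        self.owner = dict(zip(self.macs, weights))            # virtual MAC -> primary AVF
        self.active = dict(self.owner)                        # virtual MAC -> current forwarder
        self.weight = dict(zip(self.macs, weights.values()))
        self.alive = set(weights)
        self._credit = dict.fromkeys(self.macs, 0)
        self._next = 0

    def _pool(self):
        # The AVG only hands out MACs whose primary AVF is still up.
        return [m for m in self.macs if self.owner[m] in self.alive]

    def arp_reply(self, host_mac):
        """Virtual MAC the AVG puts in its ARP reply for the virtual IP."""
        pool = self._pool()
        if self.method == "host-dependent":
            # Assumption: any stable hash of the host MAC; Cisco's mapping is not modelled.
            return pool[zlib.crc32(host_mac.encode()) % len(pool)]
        if self.method == "weighted":
            # Smooth weighted rotation: shares converge to weight / total weight.
            for m in pool:
                self._credit[m] += self.weight[m]
            pick = max(pool, key=self._credit.get)
            self._credit[pick] -= sum(self.weight[m] for m in pool)
            return pick
        pick = pool[self._next % len(pool)]                   # round-robin (default)
        self._next += 1
        return pick

    def fail(self, router):
        """AVF failure: a surviving router takes over the failed AVF's virtual MAC."""
        self.alive.discard(router)
        backup = sorted(self.alive)[0]    # assumption: SVF selection is simplified
        for mac, fwd in self.active.items():
            if fwd == router:
                self.active[mac] = backup


def shares(weights, requests):
    """Count ARP replies per router under weighted load balancing."""
    grp = GlbpGroup(weights, method="weighted")
    counts = dict.fromkeys(weights, 0)
    for i in range(requests):
        counts[grp.owner[grp.arp_reply(f"host-{i}")]] += 1
    return counts


if __name__ == "__main__":
    print(shares({"R1": 150, "R2": 100, "R3": 50}, 6))
    grp = GlbpGroup({"R1": 100, "R2": 100, "R3": 100})
    grp.fail("R2")
    print(grp.active["0007.b400.0102"], [grp.arp_reply(f"pc-{i}") for i in range(4)])
```

After `fail("R2")`, hosts that cached 0007.b400.0102 keep using that MAC and are served by the takeover router, while new ARP replies only carry the MACs of the remaining AVFs.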

12. GLBP Configuration — Cisco IOS

! ── Basic GLBP configuration (R1 — AVG) ───────────────────────────────────
R1(config)# interface GigabitEthernet0/0
R1(config-if)# ip address 192.168.20.1 255.255.255.0
R1(config-if)# glbp 1 ip 192.168.20.254          ! Virtual IP for group 1
R1(config-if)# glbp 1 priority 150               ! Highest priority = AVG
R1(config-if)# glbp 1 preempt                    ! Reclaim AVG after recovery
R1(config-if)# glbp 1 load-balancing round-robin  ! Default; rotate MACs
R1(config-if)# glbp 1 authentication md5 key-string SECRET  ! MD5 auth
R1(config-if)# glbp 1 weighting 150              ! Weight for weighted LB
R1(config-if)# glbp 1 name MAIN_GW               ! Optional name

! ── R2 (AVF2 -- lower priority, participates in forwarding) ───────────────
R2(config)# interface GigabitEthernet0/0
R2(config-if)# ip address 192.168.20.2 255.255.255.0
R2(config-if)# glbp 1 ip 192.168.20.254          ! Same virtual IP, same group
R2(config-if)# glbp 1 priority 100               ! Backup AVG if R1 fails
R2(config-if)# glbp 1 preempt
R2(config-if)# glbp 1 load-balancing round-robin
R2(config-if)# glbp 1 authentication md5 key-string SECRET
R2(config-if)# glbp 1 weighting 100

! ── Weighted load balancing (all routers) ─────────────────────────────────
! Configure on each router's interface:
! R1: glbp 1 weighting 200         (handles 2x the traffic of R3)
! R2: glbp 1 weighting 150
! R3: glbp 1 weighting 100

! Change load balancing method to host-dependent:
R1(config-if)# glbp 1 load-balancing host-dependent

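! ── Track uplink -- reduce weight if WAN fails ────────────────────────────
R1(config)# track 10 interface GigabitEthernet0/1 line-protocol
R1(config-track)# exit
R1(config)# interface GigabitEthernet0/0
R1(config-if)# glbp 1 weighting 200 lower 100 upper 150
R1(config-if)# glbp 1 weighting track 10 decrement 110  ! Links track 10 to the weight; 110 is an example value (200 - 110 = 90)
! If tracked object goes down: weight drops below lower threshold
! AVG removes this AVF from forwarding; another AVF takes its traffic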
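
The VRRP and GLBP interface commands from sections 7 and 12 can be compared across routers before deployment, since a differing virtual IP, group number or authentication setting is what later shows up as split-brain. The following is an added example, not a Cisco tool: the function names are assumptions and both configurations are constructed samples (R2's GLBP virtual IP contains a deliberate typo).

```python
import re
from collections import defaultdict

# "vrrp|glbp <group> <rest>", optionally preceded by an IOS prompt such as "R1(config-if)#".
CMD = re.compile(r"^(?:\S+#\s*)?(vrrp|glbp)\s+(\d+)\s+(.+)$")


def parse_groups(config_text):
    """Return {(protocol, group): {"ip", "priority", "auth"}} for one router."""
    groups = defaultdict(lambda: {"ip": None, "priority": 100, "auth": None})
    for line in config_text.splitlines():
        line = line.split("!", 1)[0].strip()      # drop the page-style "! comment" tail
        m = CMD.match(line)
        if not m:
            continue
        words = m.group(3).split()
        g = groups[(m.group(1), int(m.group(2)))]
        if words[0] == "ip" and len(words) == 2:
            g["ip"] = words[1]
        elif words[0] == "priority" and len(words) == 2:
            g["priority"] = int(words[1])
        elif words[:2] == ["authentication", "text"] and len(words) == 3:
            g["auth"] = ("text", words[2])
        elif words[:3] == ["authentication", "md5", "key-string"] and len(words) == 4:
            g["auth"] = ("md5", words[3])
    return dict(groups)


def audit_configs(configs):
    """configs: {router: config text}. Returns findings; key strings are never echoed."""
    parsed = {name: parse_groups(text) for name, text in configs.items()}
    findings = []
    for key in sorted({k for groups in parsed.values() for k in groups}):
        label = f"{key[0]} {key[1]}"
        members = {n: g[key] for n, g in parsed.items() if key in g}
        missing = sorted(set(parsed) - set(members))
        if missing:
            findings.append(f"{label}: not configured on {', '.join(missing)}")
        if len({m["ip"] for m in members.values()}) > 1:
            findings.append(f"{label}: virtual IP differs between routers")
        auths = {m["auth"] for m in members.values()}
        if len(auths) > 1:
            findings.append(f"{label}: authentication differs between routers")
        if any(a and a[0] == "text" for a in auths):
            findings.append(f"{label}: plaintext authentication configured")
        prios = [m["priority"] for m in members.values()]
        if len(members) > 1 and len(set(prios)) == 1:
            findings.append(f"{label}: equal priorities, election falls to highest IP")
    return findings


# Constructed sample configurations in the page's prompt style.
R1_CFG = """\
! ── R1 ──
R1(config-if)# vrrp 1 ip 192.168.10.254         ! Virtual IP (group 1)
R1(config-if)# vrrp 1 priority 120
R1(config-if)# vrrp 1 authentication text MySecret
R1(config-if)# vrrp 2 ip 192.168.10.253
R1(config-if)# glbp 1 ip 192.168.20.254
R1(config-if)# glbp 1 priority 150
R1(config-if)# glbp 1 authentication md5 key-string SECRET
"""
R2_CFG = """\
R2(config-if)# vrrp 1 ip 192.168.10.254
R2(config-if)# vrrp 1 priority 100
R2(config-if)# glbp 1 ip 192.168.20.245
R2(config-if)# glbp 1 authentication md5 key-string SECRET
"""

if __name__ == "__main__":
    for finding in audit_configs({"R1": R1_CFG, "R2": R2_CFG}):
        print(finding)
```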

13. Verifying GLBP

! ── Show GLBP status ─────────────────────────────────────────────────────
R1# show glbp
GigabitEthernet0/0 - Group 1
  State is Active
    1 state change, last state change 00:15:32
  Virtual IP address is 192.168.20.254
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 1.024 secs
  Redirect time 600 sec, forwarder time-out 14400 sec
  Preemption enabled, min delay 0 sec
  Active is local
  Standby is 192.168.20.2, priority 100 (expires in 8.960 sec)
  Priority 150 (configured)
  Weighting 200 (configured 200), thresholds: lower 100, upper 150
  Load balancing: round-robin
  Group members:
    aabb.cc00.0100 (192.168.20.1) local
    aabb.cc00.0200 (192.168.20.2)
  There are 2 forwarders (1 active)
  Forwarder 1
    State is Active
      1 state change, last state change 00:15:32
    MAC address is 0007.b400.0101 (default)  <-- Virtual MAC for AVF1
    Owner ID is aabb.cc00.0100
    Redirection enabled
    Preemption enabled, min delay 30 sec
    Active is local, weighting 200
  Forwarder 2
    State is Active
      1 state change, last state change 00:15:28
    MAC address is 0007.b400.0102 (default)  <-- Virtual MAC for AVF2
    Owner ID is aabb.cc00.0200
    Active is 192.168.20.2, weighting 100

! ── Brief format ──────────────────────────────────────────────────────────
R1# show glbp brief
Interface   Grp  Fwd Pri  State    Ident          Weight   AVG VIP
Gi0/0       1    -   150  Active   192.168.20.1   200      Yes 192.168.20.254
Gi0/0       1    1   -    Active   192.168.20.1   -        -   -
Gi0/0       1    2   -    Active   192.168.20.2   -        -   -

14. Troubleshooting VRRP and GLBP

| Symptom | Likely Cause | Diagnostic Command | Fix |
|---|---|---|---|
| Two Masters / two AVGs (split-brain) | Authentication mismatch; network partition preventing multicast exchange; different VRID/group on each router | show vrrp / show glbp on each router; check if both show "Master"/"Active" | Verify same VRID/group, same virtual IP, same authentication key on both routers |
| Backup/Standby never takes over on failure | Master Down Interval too long; preemption disabled on backup; multicast blocked by ACL | show vrrp detail; debug vrrp events | Verify timers match on both routers; check ACLs for 224.0.0.18 (VRRP) or 224.0.0.102 (GLBP); enable preempt if needed |
| Hosts still sending to failed router (stale ARP) | PC ARP cache still maps virtual IP to old path; FHRP uses same virtual MAC so this should auto-resolve | arp -a on PC; check virtual MAC consistency | FHRP should be transparent (same virtual MAC persists); if hosts still fail, check virtual MAC is identical on both routers for same group |
| GLBP load balancing uneven | Host-dependent mode (hosts always use same router); few hosts with long ARP cache times | show glbp — check forwarder statistics | Switch to round-robin; reduce ARP timeout; or use weighted to match router capacities |
| VRRP/GLBP neighbour not forming | Authentication mismatch; interface not in same subnet; multicast blocked; wrong group number | debug vrrp events / debug glbp events | Verify auth key, same group number, same virtual IP, reachable multicast (no ACL blocking) |
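
The split-brain and mismatch symptoms in the table can also be spotted on the wire, because in a healthy group only the Master keeps sending Advertisements. The following is an added example, not part of the original page or of any Cisco tool: it parses VRRPv2 Advertisements using the header layout from RFC 3768 (not shown on this page) and checks them against an expected-group description. Function names, the EXPECTED structure and the sample traffic are constructed for illustration.

```python
import struct
from collections import Counter, defaultdict
from ipaddress import IPv4Address


def checksum(data: bytes) -> int:
    """16-bit one's-complement checksum over the VRRP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_v2(vrid, priority, vips, auth_type=0, adv_int=1):
    """Build a VRRPv2 advertisement; used here only to construct sample data."""
    msg = struct.pack("!BBBBBBH", 0x21, vrid, priority, len(vips), auth_type, adv_int, 0)
    msg += b"".join(IPv4Address(v).packed for v in vips) + bytes(8)   # 8-byte auth data
    return msg[:6] + struct.pack("!H", checksum(msg)) + msg[8:]


def parse_v2(payload: bytes) -> dict:
    """Parse and validate a VRRPv2 advertisement (the IP protocol 112 payload)."""
    if len(payload) < 8:
        raise ValueError("short header")
    vt, vrid, prio, count, auth, adv, _ = struct.unpack("!BBBBBBH", payload[:8])
    if vt != 0x21:                        # version 2, type 1 (Advertisement)
        raise ValueError("not a VRRPv2 advertisement")
    if len(payload) != 8 + 4 * count + 8:
        raise ValueError("length does not match address count")
    if checksum(payload) != 0:            # a valid message sums to zero
        raise ValueError("bad checksum")
    vips = [str(IPv4Address(payload[8 + 4 * i: 12 + 4 * i])) for i in range(count)]
    return {"vrid": vrid, "priority": prio, "auth_type": auth, "adv_int": adv, "vips": vips}


def audit_adverts(observations, expected, min_adverts=3):
    """observations: (time, source IP, payload); expected: {vrid: group description}."""
    findings, senders = set(), defaultdict(Counter)
    for _, src, payload in observations:
        try:
            adv = parse_v2(payload)
        except ValueError as exc:
            findings.add(("unparsed", src, str(exc)))
            continue
        vrid, want = adv["vrid"], expected.get(adv["vrid"])
        if want is None:
            findings.add(("unknown-vrid", src, vrid))
            continue
        senders[vrid][src] += 1
        if src not in want["routers"]:
            findings.add(("unexpected-sender", src, vrid))
        if sorted(adv["vips"]) != sorted(want["vips"]):
            findings.add(("vip-mismatch", src, vrid))
        if adv["auth_type"] != want["auth_type"]:
            findings.add(("auth-mismatch", src, vrid))
        if adv["priority"] == 255 and src not in adv["vips"]:
            findings.add(("priority-255-not-owner", src, vrid))   # 255 is reserved for the IP Owner
    for vrid, counts in senders.items():
        steady = sorted(s for s, n in counts.items() if n >= min_adverts)
        if len(steady) > 1:               # more than one router keeps advertising
            findings.add(("multiple-masters", tuple(steady), vrid))
    return findings


# Constructed sample: R2 lacks the text authentication R1 uses, so both stay Master.
VIP = "192.168.10.254"
EXPECTED = {1: {"routers": {"192.168.10.1", "192.168.10.2"}, "vips": [VIP], "auth_type": 1}}
SAMPLE = (
    [(t, "192.168.10.1", build_v2(1, 120, [VIP], auth_type=1)) for t in range(4)]
    + [(t + 0.5, "192.168.10.2", build_v2(1, 100, [VIP], auth_type=0)) for t in range(4)]
    + [(4.0, "192.168.10.50", build_v2(1, 255, [VIP], auth_type=1))]
)

if __name__ == "__main__":
    for finding in sorted(audit_adverts(SAMPLE, EXPECTED), key=str):
        print(finding)
```

Feed it payloads captured from 224.0.0.18 on the gateway VLAN; VRRPv3 messages use a different header and checksum and are reported as unparsed.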

15. Key Points & Exam Tips

  • FHRP purpose: Eliminate single point of failure for the default gateway by sharing a virtual IP across multiple routers.
  • VRRP is the open standard (RFC 5798); HSRP and GLBP are Cisco proprietary. Use VRRP in multi-vendor environments.
  • VRRP election: Highest priority (1–254) wins. Tiebreaker = highest IP. Priority 255 is automatically assigned to the IP Owner (router whose real IP = virtual IP). VRRP preempts by default.
  • VRRP virtual MAC: 00-00-5E-00-01-{VRID in hex}. For VRID 1 = 00-00-5E-00-01-01.
  • VRRPv2 = IPv4 only; 1-second timers; plaintext auth (deprecated). VRRPv3 = IPv4 + IPv6; sub-second timers; MD5 auth via key-chain.
  • VRRP load-sharing requires multiple groups per subnet — different virtual IPs per group with different Masters. Hosts split between gateway IPs.
  • GLBP uses one virtual IP but multiple virtual MACs — the AVG hands out different virtual MACs to different hosts so all AVFs forward simultaneously. True active-active load balancing.
  • GLBP AVG = Active Virtual Gateway — manages the group, responds to ARP requests, distributes virtual MACs. GLBP AVF = Active Virtual Forwarder — forwards traffic for its virtual MAC. Every router is an AVF; one is also the AVG.
  • GLBP load-balancing methods: Round-Robin (rotate MACs, default), Host-Dependent (same MAC per host always), Weighted (proportional by configured weight).
  • Object tracking in both VRRP and GLBP: tracks an uplink or route; reduces priority/weight if tracked object fails, causing an automatic handover to the router with the better uplink.

16. VRRP & GLBP Quiz

1. A network has two routers (R1 and R2) connected to the same LAN segment. R1 has VRRP priority 120, R2 has priority 100. Both run VRRP group 1. R1 fails. After R1 recovers, what happens without any additional configuration, and why?

Correct answer is C. VRRP enables preemption by default — this is a key difference from HSRP, where preemption is disabled by default and must be explicitly configured with standby X preempt. When R1 recovers and comes back online, it enters the Initialize state, transitions to Backup, and then listens to the current Master's (R2's) Advertisement messages. R1 sees that R2 is advertising with priority 100, which is lower than R1's own priority of 120. Because preemption is on by default, R1 immediately sends its own Advertisement claiming Master with priority 120 and preempts R2. R2 drops back to Backup state. R1 resumes as Master. This automatic preemption is why it's important to set up tracking alongside VRRP — if R1's WAN uplink is down when it comes back, you don't want it preempting R2 (which has a working WAN link). Use object tracking to prevent preemption when uplinks are down.

2. An engineer configures VRRP group 1 on router R1 with the command vrrp 1 ip 192.168.10.1. R1's real interface IP is also 192.168.10.1. What special role does R1 automatically receive, and what priority is automatically assigned?

Correct answer is B. VRRP has a concept called the "IP Owner" — the router whose real interface IP address matches the VRRP virtual IP address. When the virtual IP and the physical interface IP are identical, VRRP automatically assigns that router priority 255. This is the maximum VRRP priority (the valid configurable range is 1–254; priority 255 is reserved for the IP Owner and cannot be configured manually). Priority 255 guarantees the IP Owner always wins the Master election — no other router can have a higher priority. This is the key difference between VRRP and HSRP: in HSRP, the virtual IP must be different from any real interface IP. In VRRP, the virtual IP CAN match the Master's real IP, which is often the simplest design — you don't need an extra IP address for the virtual IP when you already have a physical IP assigned.

3. A network engineer is asked to provide gateway redundancy AND utilise both uplinks simultaneously in a Cisco-only environment. They have two routers with equal capacity. Which FHRP should be used and why is the alternative insufficient?

Correct answer is D. GLBP is the correct choice when you need both redundancy AND genuine load balancing in a Cisco environment. Here is why the alternatives are insufficient: HSRP — only one Active router per group; standby router sits idle. Two HSRP groups can simulate load balancing but requires configuring different virtual IPs and manually splitting hosts between them. VRRP — same limitation as HSRP (one Master per group). Multi-group VRRP load-sharing works but requires different virtual IPs per group and manual host split — not automatic, not scalable, requires reconfiguration when hosts change. GLBP — single virtual IP, multiple virtual MACs. The AVG automatically distributes hosts across all AVFs using round-robin, host-dependent, or weighted algorithms. No manual host splitting required. All routers actively forward simultaneously. Failover is automatic when an AVF fails (the AVG stops assigning its virtual MAC; its SVF takes over). The Cisco-only constraint eliminates VRRP as a preferred choice (though VRRP would work technically).

4. What is the VRRP virtual MAC address for VRID 5, and what does each portion of the address signify?

Correct answer is A. The VRRP virtual MAC format is strictly defined: 00-00-5E-00-01-{VRID}. Breaking it down: 00-00-5E is the OUI (Organizationally Unique Identifier) assigned by IANA to VRRP. The 00-01 in bytes 4-5 indicates this is a VRRPv2/v3 IPv4 virtual MAC (00-02 would be for IPv6). The final byte is the VRID expressed as a single hexadecimal byte. For VRID 1: 00-00-5E-00-01-01. For VRID 5: 00-00-5E-00-01-05. For VRID 10: 00-00-5E-00-01-0A (hexadecimal A = decimal 10). For VRID 255: 00-00-5E-00-01-FF. This virtual MAC stays constant regardless of which physical router is currently the Master — all routers in the group use this same virtual MAC, so ARP caches on hosts remain valid even after a failover. Hosts never need to re-ARP when the Master changes because the virtual MAC doesn't change. This is the fundamental mechanism that makes FHRP failover transparent to end hosts.

5. In a GLBP group, R1 is the AVG and R1, R2, R3 are all AVFs using round-robin load balancing. R2 (AVF2) fails. What happens to clients that currently have R2's virtual MAC (0007.b400.0102) in their ARP cache?

Correct answer is C. GLBP maintains transparency during AVF failures through the SVF (Secondary Virtual Forwarder) mechanism. Each AVF has a designated SVF — a backup router ready to take over a specific virtual MAC address if the AVF owning it fails. When R2 (AVF2) fails, the SVF for AVF2 detects the failure (R2 stops sending Hello messages within the hold time). The SVF then assumes the virtual MAC address 0007.b400.0102 — it starts responding to frames destined for that MAC. Clients that previously sent traffic to R2 via MAC 0007.b400.0102 now have their frames received by the SVF instead. From the clients' perspective, nothing changed — the same virtual MAC in their ARP cache still leads to a working router. The AVG also eventually updates its round-robin distribution to stop assigning 0007.b400.0102 to new ARP requests (or redirects to working AVFs). This is GLBP's active-active failover — unlike VRRP where only the Master forwards, GLBP's SVF mechanism ensures every virtual MAC has a backup, so no single AVF failure causes client traffic loss.

6. A router is configured with VRRP and object tracking. The relevant commands are:
track 1 interface Gi0/1 line-protocol
vrrp 1 priority 120
vrrp 1 track 1 decrement 30
The other router has VRRP priority 100. What happens when Gi0/1 goes down on the tracked router?

Correct answer is B. Object tracking integrated with VRRP solves the "blackhole" problem: if a router is VRRP Master but its WAN uplink (Gi0/1) goes down, it still appears healthy to the LAN — VRRP advertises normally because the LAN interface (Gi0/0) is still up. Without tracking, clients send traffic to the VRRP Master which then drops it (no WAN link). With object tracking: track 1 interface Gi0/1 line-protocol monitors the WAN interface state. vrrp 1 track 1 decrement 30 reduces the router's VRRP priority by 30 when the tracked object goes down. Priority change: 120 - 30 = 90. Now this router's VRRP priority (90) is lower than the other router's (100). Since VRRP preempts by default, the other router (priority 100) immediately assumes Master role. LAN clients now use the backup router which has a working WAN uplink. The decrement value must be chosen carefully: large enough that the tracked router's new priority falls BELOW the backup's priority, or the failover won't happen.

7. An engineer configures VRRP on R1 and R2 but they cannot form a neighbour relationship. debug vrrp events shows R1 discarding R2's Advertisements. What is the most likely cause?

Correct answer is D. When debug vrrp events shows "Advertisement discarded" or similar messages, the most common cause is an authentication mismatch. VRRP (v2) supports plaintext authentication. If R1 has vrrp 1 authentication text MyKey but R2 has either no authentication or a different key, R1 will receive R2's Advertisements, verify the authentication field, find it does not match, and silently discard the Advertisement. From R1's perspective, R2 is not sending valid Advertisements. If this persists for the Master Down Interval, R1 declares itself Master even if R2 is also declaring itself Master (split-brain). Both routers end up as Master simultaneously because neither accepts the other's Advertisements. Fix: ensure identical authentication configuration on all VRRP group members — same method (plaintext or none) and same key string. Different priorities (option A) would not cause discarding — just different priorities in the election. Different virtual IPs would cause the routers to operate in different logical groups, not discard each other's messages.

8. In GLBP with round-robin load balancing, how does the AVG distribute traffic across AVFs? What is the mechanism at the protocol level?

Correct answer is A. This is the core mechanism that makes GLBP unique among FHRPs. The load balancing is accomplished entirely through ARP manipulation: all GLBP routers share one virtual IP (e.g., 192.168.20.254). When a host ARPs for 192.168.20.254, the AVG (not the requesting host's connected router) intercepts the ARP and replies. With round-robin, the AVG rotates through the available virtual MACs when replying: Host A's ARP → AVG replies with 0007.b400.0101 (R1's virtual MAC). Host B's ARP → AVG replies with 0007.b400.0102 (R2's virtual MAC). Host C's ARP → AVG replies with 0007.b400.0103 (R3's virtual MAC). Host D's ARP → AVG replies with 0007.b400.0101 again. Each host now has a different MAC address in its ARP cache for the same virtual IP — so different hosts forward to different physical routers. The hosts never know different MACs are being distributed; they just see normal ARP responses. This is why GLBP requires no host reconfiguration — all hosts use the same virtual IP as their default gateway, but the traffic is automatically distributed.

9. An organisation uses GLBP with three routers (R1 weight 200, R2 weight 150, R3 weight 50). Which load-balancing method should be configured, and approximately what percentage of clients will be directed to each router?

Correct answer is C. When routers have different capacities (CPU, RAM, WAN bandwidth), weighted load balancing ensures traffic is proportional to each router's capability. The weight values represent the relative capacity. GLBP's weighted mode calculates each router's share as: individual weight / total weight. With R1=200, R2=150, R3=50: Total = 200+150+50 = 400. R1 handles 200/400 = 50% of clients. R2 handles 150/400 = 37.5% of clients. R3 handles 50/400 = 12.5% of clients. Configure with: glbp 1 weighting 200 on R1, glbp 1 weighting 150 on R2, glbp 1 weighting 50 on R3, and glbp 1 load-balancing weighted on all routers. Round-robin (option A) distributes equally regardless of weight values — weights are only used by the weighted method. Host-dependent ensures each host always returns to the same router but doesn't use weights for proportional distribution.

10. A network engineer runs show vrrp brief on R1 and sees both R1 and R2 showing "Master" state for the same VRRP group. What is this condition called, what is its impact, and what is the most likely cause?

Correct answer is B. Two routers simultaneously in Master state for the same VRRP group is called "split-brain" — a serious misconfiguration. In normal VRRP operation, the Backup router listens for Advertisement messages from the Master. When Advertisements arrive, the Backup knows the Master is alive and remains in Backup state. If the Backup stops receiving Advertisements for the Master Down Interval, it transitions to Master. Split-brain occurs when each router stops receiving the other's Advertisements while both are still running. Each declares itself Master. Impact: both routers respond to ARP requests for the virtual IP with the same virtual MAC address. However, the two Ethernet frames from different source physical ports with the same source MAC create confusion in the connected switch's CAM table (MAC flapping). Hosts receive inconsistent gateway responses. Traffic may be directed to either router unpredictably, potentially causing packet loss. Root causes: (1) Authentication mismatch — VRRP discards Advertisements from mismatched peer. (2) ACL blocking multicast 224.0.0.18. (3) Misconfigured VRRP group number or virtual IP (routers are effectively in different groups). (4) Physical network partition. Fix: verify authentication matches, check multicast reachability, and confirm same VRID and virtual IP on both routers.
