How VRRP Works: First-Hop Redundancy Explained
When a host sends traffic off its local subnet, it forwards packets to its default gateway — a single IP address configured statically or via DHCP. If that router fails, every device on the segment loses internet access immediately, with no automatic recovery. The first-hop redundancy problem asks: how do we make that default gateway itself redundant without requiring hosts to change configuration or detect the failure themselves?
VRRP (Virtual Router Redundancy Protocol), defined in RFC 5798, solves this by presenting a virtual router — a shared IP address and a shared MAC address — backed by multiple physical routers. Hosts point their default gateway at the virtual IP. One physical router is the active Master; the others are Backups. If the Master disappears, a Backup takes over and begins responding to traffic within seconds, transparently to every host on the segment.
The Virtual IP and Virtual MAC
A VRRP group is identified by a Virtual Router ID (VRID), an 8-bit integer from 1 to 255. All routers in the group share the same virtual IP address, which is configured by the operator and announced as the default gateway to hosts.
More importantly, VRRP assigns a well-known virtual MAC address derived from the VRID:
00:00:5E:00:01:<VRID> (VRRPv2, IPv4)
00:00:5E:00:02:<VRID> (VRRPv3, IPv6)The prefix 00:00:5E is the IANA OUI. Because the MAC address is deterministic from the VRID, any router that becomes Master can immediately respond to frames addressed to that MAC — no ARP flap required on stable hardware. Hosts' ARP caches already point to the virtual MAC, which is now owned by the new Master.
On failover, the new Master sends a gratuitous ARP (for IPv4) — an unsolicited ARP reply announcing that the virtual IP is reachable at the virtual MAC on this router's physical port. This is belt-and-suspenders: upstream switches update their CAM tables for the virtual MAC's new port, and any hosts with stale ARP entries refresh immediately.
Master Election and Priority
Every VRRP router in a group has a priority value from 1 to 255. The router with the highest priority becomes Master. Tie-breaking uses the highest interface IP address.
One special case exists: the router whose interface IP address is the virtual IP address is called the IP address owner. It always has priority 255 and, when reachable, always wins election regardless of configured priorities. This is the natural design — if the router that actually owns the IP is up, it should serve traffic directly.
| Priority | Meaning |
|---|---|
| 255 | IP address owner — always Master when available |
| 100 | Default. Router participates but does not force mastership |
| 1–254 | Operator-configurable; higher wins |
| 0 | Special: signals voluntary Master resignation (sent on shutdown) |
Preemption is enabled by default in VRRPv2. If a higher-priority router comes online after a lower-priority router has taken over as Master, the higher-priority router sends an advertisement claiming mastership and the lower-priority router steps back to Backup. This ensures the preferred router regains control after recovering from a reboot or interface flap. Preemption can be disabled when graceful handoffs are preferred — for example, during maintenance windows.
Advertisement Interval and Failure Detection
The Master periodically sends VRRP Advertisement messages over the segment (multicast to 224.0.0.18, IP protocol 112) at the configured advertisement interval, default 1 second in VRRPv2.
Backup routers compute a Master Down Timer using the formula:
Master_Down_Interval = (3 × Advertisement_Interval) + Skew_Time
Skew_Time = (256 − Priority) / 256 (in seconds)The skew ensures that a higher-priority Backup declares the Master dead and takes over before a lower-priority Backup does. With default 1-second intervals and priority 200, the skew is (256-200)/256 ≈ 0.22 s, so that Backup waits about 3.22 seconds before claiming mastership. A priority-100 Backup would wait about 3.61 seconds — long enough for the higher-priority router to win.
This design means worst-case failover with default settings is roughly 3–4 seconds — sufficient for many enterprise deployments, but unacceptable for voice or financial applications. Sub-second failover requires tuning the advertisement interval down (VRRPv3 supports millisecond timers) or pairing VRRP with BFD (Bidirectional Forwarding Detection), which can detect link failures in under 50 ms.
VRRPv3 and IPv6
VRRPv3, defined in RFC 5798, supersedes VRRPv2 with two major additions:
- IPv6 support. VRRPv3 can protect IPv6 default gateways. Advertisements use the link-local multicast address
FF02::12. The virtual MAC for IPv6 groups is00:00:5E:00:02:<VRID>. - Sub-second advertisement intervals. The interval field in VRRPv3 is specified in centiseconds (1/100 of a second), allowing timers as low as 10 ms. This enables convergence well under 1 second without requiring BFD, though extremely aggressive timers can cause false failovers on loaded systems.
VRRPv3 can simultaneously protect both IPv4 and IPv6 addresses with a single VRID by configuring the group for dual-stack operation. Advertisement messages use IP authentication options removed in VRRPv3 — RFC 5798 removed the MD5 authentication that VRRPv2 optionally supported, citing IPsec as the correct mechanism for securing VRRP traffic when needed.
VRRP vs. HSRP vs. GLBP
VRRP is the open standard. Two alternatives exist in the Cisco ecosystem:
| Feature | VRRP (RFC 5798) | HSRP (Cisco) | GLBP (Cisco) |
|---|---|---|---|
| Standard | IETF open standard | Cisco proprietary | Cisco proprietary |
| IPv6 support | Yes (VRRPv3) | Yes (HSRPv2) | Yes |
| Default priority | 100 | 100 | 100 |
| IP owner priority | 255 (fixed) | Manual config | N/A |
| Virtual MAC | 00:00:5E:00:01:VRID | 00:00:0C:07:AC:XX | 00:07:B4:XX:XX:XX |
| Load sharing | Multiple VRIDs | Multiple groups | Native (single VIP) |
| Active/active | With multiple VRIDs | With multiple groups | Yes, built-in |
| Multicast address | 224.0.0.18 | 224.0.0.2 / 224.0.0.102 | 224.0.0.102 |
GLBP (Gateway Load Balancing Protocol) takes a different approach: a single virtual IP maps to multiple virtual MACs, distributed across active routers. The Active Virtual Gateway (AVG) assigns different virtual MACs to different hosts' ARP replies, achieving real per-flow load sharing with a single gateway IP. VRRP and HSRP require multiple VRIDs/groups and different gateway IPs per host segment to achieve the same effect.
Load Sharing with Multiple VRIDs
Pure active/standby VRRP wastes the standby router's forwarding capacity. A common pattern uses two VRIDs on the same segment with mirrored priorities:
VRID 1: VIP 10.0.0.253 — Router A priority 150, Router B priority 100
VRID 2: VIP 10.0.0.254 — Router B priority 150, Router A priority 100Half the hosts use 10.0.0.253 as their default gateway, half use 10.0.0.254. Both routers are active simultaneously, each mastering one group. If either fails, the survivor takes over both VRIDs. This provides both load distribution and redundancy with no per-flow hashing — the operator decides which hosts go to which gateway at DHCP configuration time.
Split-Brain and Object Tracking
VRRP monitors the link between routers, not the actual path to the internet. A scenario where the Master's uplink to the core fails — while its LAN interface remains up — leaves the Master serving as default gateway but unable to forward traffic. Hosts continue sending packets to the Master, which drops them.
The fix is object tracking: the VRRP implementation monitors an external condition (an interface state, a route in the routing table, or an IP SLA probe) and dynamically decrements the VRRP priority when the condition fails. A typical configuration decrements priority by 60 when the uplink interface goes down, causing the backup with default priority 100 to preempt the degraded Master at priority 90.
Without object tracking, split-brain conditions can cause sustained blackholing — a failure mode that is difficult to diagnose because the switch shows the link up and VRRP shows a Master elected.
VRRP in Modern Networks
In purely layer-3 routed fabrics — common in data center leaf-spine designs — VRRP is less relevant because there is no single default gateway; each host connects to a routing protocol or ECMP handles redundancy natively. VRRP remains essential in enterprise LAN access layers, campus networks, and anywhere hosts use a statically configured default gateway. It is also common in CPE (Customer Premises Equipment) deployments to protect against router hardware failure at the customer edge.
For environments where BGP Graceful Restart or OSPF fast convergence is available, the routing protocol itself provides redundancy across routers and VRRP is not needed for router-level failover — only for the host-facing default gateway problem.
Explore It Live
VRRP protects the first hop; BGP protects everything beyond. You can trace how traffic leaves redundant gateways and traverses the internet by looking up any network:
- AS7224 — Amazon Web Services (uses anycast and ECMP instead of VRRP at scale)
- AS13335 — Cloudflare (anycast architecture eliminates single-router dependency)
- Look up 1.1.1.1 — see how anycast routing differs from VRRP first-hop redundancy