Virtual Router Redundancy Protocol (VRRP)

Virtual Router Redundancy Protocol (VRRP) is an open standard protocol defined in RFC 5798 and is designed to provide gateway redundancy in IP networks. Instead of depending on a single physical router, VRRP allows several routers to share a Virtual IP address (VIP) that end devices use as their default gateway. This way, users always have a reliable gateway to reach external networks.

Figure 1 – VRRP topology with Master and Backup routers

VRRP belongs to the family of First Hop Redundancy Protocols (FHRPs), alongside HSRP and GLBP. These protocols all aim to protect the default gateway from failure, but each operates in a slightly different way. In this lesson, we will focus on VRRP.

HSRP is a Cisco proprietary protocol, while VRRP is an open standard that works across many vendors. For the CCNA exam, you only need to learn VRRP as a concept, which we’ll explore together.

In a typical LAN, every host relies on a single router as its default gateway to reach external networks. Under normal conditions, this setup works fine. Traffic flows through the default gateway, and users can access the internet without any issues.

But what happens if the router suddenly fails? This creates a single point of failure. When the default gateway is down, the whole LAN loses its connection to external networks immediately.

Figure 2 – Default gateway failure without VRRP

In this design, one broken device is enough to cut off the whole network. Without VRRP, recovering means manually reconfiguring each host with a new default gateway. This is not practical in today's environments with so many devices.

This is why VRRP was created. It removes the single point of failure and ensures constant access to external networks.

VRRP routers operate as part of a VRRP group. Each group is identified by a number and shares the same Virtual IP address (VIP). This VIP is the address that hosts configure as their default gateway.

For example, in the topology below, PC1 uses 192.168.1.3 as its default gateway. This address is the VIP of VRRP Group 1.

Figure 3 – VRRP group with shared Virtual IP

From PC1’s point of view, there is only one gateway: 192.168.1.3. The host doesn’t realize that this address is actually shared among many routers. It expects the gateway to always be reachable.

The responsibility for keeping this VIP available lies with the VRRP routers themselves. They work together behind the scenes. They decide who sends the traffic and who stays on standby.

This brings us to the next question: how are roles assigned within a VRRP group?

Inside a VRRP group, routers take on two possible roles: Master or Backup.

• The Master router forwards all traffic sent to the Virtual IP (VIP) and represents the group to the hosts.
  

• The Backup routers stay passive under normal conditions. They do not forward traffic but continuously check the Master. If the Master fails, one of the Backups is ready to immediately take over its role and become the new Master.

From PC1’s point of view, there is only one gateway: the VIP. The host does not know, and does not need to know, which physical router is actually forwarding the packets. At this moment, R1 is the Master handling all traffic, while R2 is waiting in reserve as a Backup.

Figure 4 – VRRP roles: Master and Backup

But this raises a key question: PC1 is configured with the VIP (192.168.10.3) as its default gateway. On an Ethernet network, traffic is not sent directly to an IP address, it must be sent to a MAC address. So, how does PC1 always know which MAC address to use, even when the Master changes?

This is solved with the VRRP Virtual MAC address.

On an Ethernet LAN, every device needs both an IP address and a MAC address. When PC1 wants to send traffic to its gateway (192.168.10.3), it must first resolve the VIP into a MAC address using ARP.