What is VRRP, and How Do You Configure It on Cisco Devices?

Virtual Router Redundancy Protocol (VRRP) is a First Hop Redundancy Protocol (FHRP) that provides automatic default gateway backup for hosts on a local network. By creating a single virtual router from a group of physical routers, VRRP ensures that user traffic can continue to flow even if their primary gateway router fails.

The modern version of the protocol, VRRPv3, is an open standard defined in RFC 5798, which supports both IPv4 and IPv6. This RFC makes the previous version, VRRPv2 (RFC 3768), obsolete. In this guide, we’ll focus on configuring VRRPv3 on Cisco devices to build a resilient and fault-tolerant network.

You can also check out our deep dive on the similarities and differences between VRRP, HSRP, and GLBP.

VRRP Quick Start: Basic Cisco IOS XE Configuration

For those who need a fast solution, here is a minimal working configuration for a primary (Master) and backup router in a VRRP group. This example assumes you want Router 1 to be the primary gateway.

To verify, use the command show vrrp brief on both routers. Router 1 should show its state as “Master,” and Router 2 should show its state as “Backup.”

Understanding Key VRRP Concepts

To configure VRRP effectively, it’s important to understand its core components and behaviors.

VRRP Roles: Master and Backup

In a VRRP group, routers participate in an election to determine their roles. The router with the highest priority is elected as the **Master Router**. This router is responsible for forwarding packets sent to the virtual IP address. All other routers in the group become **Backup Routers**, which monitor the state of the Master and are ready to take over if it fails.

Virtual IP and MAC Addresses (IPv4 & IPv6)

The Master router owns the virtual IP address and responds to ARP or Neighbor Discovery requests for it. VRRP uses a standardized virtual MAC address format:

• IPv4: The virtual MAC address is 0000.5e00.01XX, where XX is the VRRP group number in hexadecimal. VRRP advertisements are sent to the multicast address 224.0.0.18 using IP protocol 112.
• IPv6: The virtual MAC address is 0000.5e00.02XX, where XX is the VRRP group number. Advertisements are sent to the multicast address FF02::12.

VRRP Priority and Preemption

Priority determines which router becomes the master. The priority value can be set from 1 to 254, with a default of 100. The router with the highest priority wins the election. If two routers have the same priority, the one with the higher primary IP address on its VRRP interface becomes the master.

Preemption is enabled by default in VRRP. This means if a router with a higher priority comes online, it will automatically take over the master role from a lower-priority router. You can disable this behavior with the no vrrp preempt command if you prefer the failover to be less disruptive and manually controlled.

VRRP Timers and Advertisements

The Master router sends VRRP advertisements to the Backup routers to signal that it is still active. By default, these are sent every 1 second. If the Backup routers don’t hear from the Master within a calculated period (the Master Down Interval), one of them will assume the Master role.

While the VRRP standard’s default timer is 1 second, many vendors, including Cisco, offer vendor-specific extensions for sub-second (millisecond) timers. Using these can provide faster failover but may impact interoperability with devices from other vendors. Always test sub-second timer configurations in a lab environment before deploying in production.

How to Configure VRRP on Cisco Devices (Detailed Steps)

Let’s look at a more detailed configuration example that demonstrates load sharing across two subnets using two VRRP groups. The VRID (Virtual Router Identifier) can range from 1 to 255. While the protocol supports up to 255 groups, the practical per-interface limit can vary by platform; modern Cisco IOS XE devices often support dozens to hundreds of groups per interface.

Example: IPv4 VRRP Configuration

Example: IPv6 VRRP Configuration

Configuring VRRPv3 for IPv6 is very similar. You must first enable IPv6 routing and then define the virtual IPv6 address for the group.

Enhancing Redundancy with VRRP Object Tracking

What happens if the master router’s LAN interface is up, but its connection to the WAN fails? VRRP alone won’t detect this, and traffic will be black-holed. Object tracking solves this problem. You can configure VRRP to monitor an object, like the line protocol of an uplink interface or an IP route, and dynamically decrease its priority if that object goes down.

This allows a backup router with a healthy WAN connection to take over the master role, ensuring traffic can still reach its destination.

Object Tracking Configuration Example

Securing VRRPv3

Unlike older versions, VRRPv3 (RFC 5798) removed in-protocol authentication. The reliance on simple text or MD5 authentication was considered insufficient. Instead, security for VRRPv3 messages should be provided by other mechanisms.

• IPsec Authentication Header (AH): The recommended method is to use IPsec in transport mode with the Authentication Header (AH) protocol. This provides robust, per-packet authentication and integrity for VRRP advertisements between trusted routers.
• Infrastructure ACLs (iACLs): You can apply access control lists to your router interfaces to permit VRRP traffic (IP protocol 112) only from the known IP addresses of other legitimate VRRP routers in the group. This prevents unauthorized devices from participating in the VRRP election.

Verification and Troubleshooting Commands

Once configured, you need to verify VRRP is operating as expected. These commands are essential for verification and troubleshooting.

• show vrrp brief: The best first command. Displays a summary of all VRRP groups, their virtual IP, state (Master/Backup/Init), and priority.
• show vrrp: Provides detailed information for each VRRP group, including timers, preemption status, master router IP, and virtual MAC address.
• show track: Crucial for troubleshooting object tracking. Shows the status of all tracked objects (Up/Down) and which clients are using them.
• debug vrrp all: Use with caution in a production network. This command shows real-time VRRP events, state changes, and errors, which is invaluable for diagnosing complex issues.

Test Your Knowledge

Ready to see what you’ve learned? Take our short quiz to solidify your understanding of VRRP.

Conclusion

In this post, we’ve updated our understanding of VRRP to focus on the current VRRPv3 standard. We covered the core concepts, provided detailed configuration examples for both IPv4 and IPv6, and explored advanced features like object tracking and modern security practices. With this knowledge, you can confidently implement a robust first-hop redundancy solution on your Cisco network.

I hope you found this guide helpful. Thank you for reading, and please share it with others who may be looking for up-to-date information on VRRP configuration.

Frequently Asked Questions About VRRP

• About
• Latest Posts

Afroz Ahmad

I'm Afroz, a Network Engineer and CCIE with more than 18 years of experience in Computer Networking, Data Centers, Telecom, Internet Services and ISPs. Currently, I work as a Network Designer for a leading ISP equipment vendor. I share my expertise through my blog and courses, aiming to share my knowledge and simplify complex networking concepts for both beginners and experienced professionals.

Latest posts by Afroz Ahmad (see all)

• How to Configure a Secure Site-to-Site VPN on Cisco Firepower Complete Guide - December 3, 2025
• Jobs for Network Engineers: Roles, Skills & Pay - December 3, 2025
• How to Change WiFi Password on Any Router : The Last Guide You Need - December 1, 2025