Virtual Router Redundancy Protocol
Virtual Router Redundancy Protocol (VRRP) is a gateway election protocol that dynamically assigns responsibility for one or more virtual gateways to the VRRP routers on a LAN, which allows several routers on a multi-access segment, such as Ethernet, to use the same virtual IP address as their default gateway.
VRRP operates in a similar manner to HSRP; however, unlike HSRP, VRRP is an open standard that is defined in RFC 2338, which was made obsolete by RFC 3768. VRRP sends advertisements to the Multicast destination address 224.0.0.18 (VRRP), using IP protocol number 112. At the Data Link layer, advertisements are sent from the master virtual router MAC address 00-00-5e-00-01-xx, where ‘xx’ represents the two-digit Hexadecimal group number. This is illustrated below in Figure 1:
Fig. 1 VRRP Multicast Addresses
NOTE: The protocol number is in Hexadecimal value. The Hexadecimal value 0x70 is the equivalent of the Decimal value 112. Similarly, the 12 in the destination Data Link layer address 01-00-5e-00-00-12 is the Hexadecimal value of 18 in Decimal value (i.e. 224.0.0.18). If you are unable to determine how these values are reached, Hexadecimal to Decimal conversion is covered in detail in the current CCNA guide that is available online.
Real World Implementation
Unlike HSRP, VRRP does not have the option of allowing the gateway to use the BIA or a statically configured address as the MAC address for VRRP groups. Therefore, in production networks with more than one VRRP group, it is important to understand the implications of multiple MAC addresses on a particular interface, especially when features such as port security have been implemented. Remember to look at the overall picture; otherwise, you may find that, even though correctly configured, certain features and protocols are not working as they should.
A VRRP gateway is configured to run the VRRP protocol in conjunction with one or more other routers attached to a LAN. In a VRRP configuration, one gateway is elected as the master virtual router, with the other gateways acting as backup virtual routers in case the master virtual router fails. This concept is illustrated below in Figure 2:
Fig. 2 Virtual Router Redundancy Protocol Basic Operation
VRRP Multiple Virtual Router Support
You can configure up to 255 virtual routers on an interface. The actual number of virtual routers that a router interface can support depends on the following factors:
- Router processing capability
- Router memory capability
- Router interface support of multiple MAC addresses
VRRP Master Router Election
By default, VRRP uses priority values to determine which router will be elected as the master virtual router. The default VRRP priority value is 100; however, this value can be manually adjusted to a value between 1 and 254. If gateways have the same priority values, the gateway with the highest IP address will be elected as the master virtual router, while the one with the lower IP address becomes the backup virtual router.
If more than two routers are configured as part of the VRRP group, the backup virtual router with the second-highest priority is elected as the master virtual router if the current master virtual router fails or becomes unavailable. If the backup virtual routers have the same priority value, the backup virtual router with the highest IP address is elected as the master virtual router. This concept is illustrated below in Figure 3:
Fig. 3 VRRP Master Virtual Router and Backup Virtual Router Election
Figure 3 illustrates a network using VRRP for gateway redundancy. Hosts 1 and 2 are configured with a default gateway of 192.168.1.254, which is the virtual IP address configured for VRRP group 192 defined on Switches VRRP-1, VRRP-2, and VRRP-3.
VRRP-1 has a configured priority value of 110, VRRP-2 has a configured priority value of 105, and VRRP-3 is using the default VRRP priority of 100. Based on this configuration, VRRP-1 is elected as the master virtual router and VRRP-2 and VRRP-3 become backup virtual routers.
In the event that VRRP-1 fails, VRRP-2 becomes the master virtual router because it has a higher priority value than VRRP-3. However, if both switches had the same priority value, VRRP-3 would be elected as the master virtual router because it has the higher IP address.
VRRP Preemption
By default, unlike HSRP, preemption is enabled for VRRP and no explicit configuration is required by the administrator to enable this functionality. However, this functionality can be disabled by using the no vrrp [number] preempt interface configuration command.
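The election, failover and preemption rules above, as an added example that is not part of the original guide. The priorities come from Figure 3, the interface addresses are assumed, and the Master Down interval formula (3 x advertisement interval + (256 - priority) / 256) is the one defined in RFC 3768:

```python
from ipaddress import IPv4Address

def master_down_interval(priority: int, adver_int: float = 1.0) -> float:
    """RFC 3768: 3 * Advertisement_Interval + Skew_Time, Skew_Time = (256 - priority) / 256."""
    return 3 * adver_int + (256 - priority) / 256

def elect(routers: dict) -> str:
    """Highest priority wins; the highest interface IP address breaks a tie."""
    return max(routers, key=lambda n: (routers[n][0], IPv4Address(routers[n][1])))

def failover(routers: dict, failed: str, adver_int: float = 1.0):
    """New master, and seconds of silence before it takes over, once `failed` stops advertising."""
    survivors = {n: r for n, r in routers.items() if n != failed}
    new_master = elect(survivors)
    return new_master, master_down_interval(survivors[new_master][0], adver_int)

def after_rejoin(routers: dict, master: str, joiner: str, preempt: bool = True) -> str:
    """A returning router takes over only with preemption on and a strictly higher priority."""
    if preempt and routers[joiner][0] > routers[master][0]:
        return joiner
    return master

# Priorities from Figure 3; the interface addresses are assumed for illustration.
FIGURE_3 = {
    "VRRP-1": (110, "192.168.1.1"),
    "VRRP-2": (105, "192.168.1.2"),
    "VRRP-3": (100, "192.168.1.3"),
}

if __name__ == "__main__":
    print(elect(FIGURE_3))
    print(failover(FIGURE_3, "VRRP-1"))
    print(after_rejoin(FIGURE_3, "VRRP-2", "VRRP-1", preempt=False))
```

A higher priority gives a shorter skew time, so the best backup notices the failure first. With the default 1-second interval, priorities 105 and 100 yield the 3.589 and 3.609 second Master Down intervals that appear in the show vrrp outputs later on this page.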
VRRP Load Balancing
VRRP allows for load balancing in a manner similar to HSRP. For example, in a network where multiple virtual routers are configured on a gateway, the interface can act as a master for one virtual router and as a backup for one or more virtual routers. This is illustrated below in Figure 4:
Fig. 4 Virtual Router Redundancy Protocol Load Balancing
VRRP Versions
By default, VRRP version 2 is enabled when VRRP is configured on a gateway in Cisco IOS software. Version 2 is the default and current VRRP version. It is not possible to change the version as is the case with HSRP. There is no VRRP version 1 standard.
NOTE: As of the time of the writing of this guide, VRRP version 3, which defines the VRRP for IPv4 and IPv6, is in draft form and has not yet been standardized.
Fig. 5 Virtual Router Redundancy Protocol Version 2 Packet
VRRP Advertisements
The master virtual router sends advertisements to other VRRP routers in the same group. The advertisements communicate the priority and the state of the master virtual router. The VRRP advertisements are encapsulated in IP packets and are sent to the IP Version 4 Multicast address assigned to the VRRP group, which was illustrated in Figure 8-18. The advertisements are sent every second by default; however, this interval is user-configurable and may be changed. Backup virtual routers also optionally learn the advertisement interval from the master virtual router.
VRRP Authentication
Like HSRP, VRRP supports both plain-text and MD5 authentication. MD5 authentication may be configured with or without a key chain. Unlike HSRP, however, it is important to remember that authentication is not enabled by default for VRRP. This is illustrated below in Figure 6:
Fig. 6 Virtual Router Redundancy Protocol Authentication
Configuring VRRP on the Gateway
The following steps are required to configure VRRP on the gateway:
- Configure the correct IP address and mask for the gateway interface using the ip address [address] [mask] [secondary] interface configuration command.
- Create a VRRP group on the gateway interface and assign the group the virtual IP address via the vrrp [number] ip [virtual address] [secondary] interface configuration command. The [secondary] keyword configures the virtual IP address as a secondary gateway address for the specified group.
- Optionally, assign the VRRP group a description using the vrrp [number] description [name] interface configuration command.
- Optionally, if you want to control the elections of the master virtual router and the backup virtual routers, configure the group priority via the vrrp [number] priority [value] interface configuration command.
The VRRP configuration outputs in this section will be based on Figure 7 below:
Fig. 7 VRRP Configuration Examples Topology
NOTE: It is assumed that the VLAN and trunking configuration between VTP-Server-1 and VTP-Server-2 is already in place and the switches are successfully able to ping each other across VLAN 172. For brevity, this configuration output will be omitted from the configuration examples.
VTP-Server-1(config)#interface vlan 192
VTP-Server-1(config-if)#ip address 192.168.1.1 255.255.255.0
VTP-Server-1(config-if)#vrrp 1 ip 192.168.1.254
VTP-Server-1(config-if)#vrrp 1 priority 105
VTP-Server-1(config-if)#vrrp 1 description 'SWITCH-VRRP-Example'
VTP-Server-1(config-if)#exit
VTP-Server-2(config)#interface vlan 192
VTP-Server-2(config-if)#ip address 192.168.1.2 255.255.255.0
VTP-Server-2(config-if)#vrrp 1 ip 192.168.1.254
VTP-Server-2(config-if)#vrrp 1 description 'SWITCH-VRRP-Example'
VTP-Server-2(config-if)#exit
NOTE: No priority value is manually assigned for the VRRP configuration applied to VTP-Server-2. By default, VRRP will use a priority value of 100, allowing VTP-Server-1, with a priority value of 105, to win the election and to be elected as the master virtual router for the VRRP group. In addition to this, a description has also optionally been configured for the group.
This configuration is validated using the show vrrp [all|brief|interface] command. The [all] keyword shows all information pertaining to the VRRP configuration, which includes the group state, description (if configured), local gateway priority, and master virtual router, among other things. The [brief] keyword prints a summary of the VRRP configuration. The [interface] keyword prints VRRP information for the specified interface. The following outputs show the show vrrp all command:
VTP-Server-1#show vrrp all
Vlan192 - Group 1
'SWITCH-VRRP-Example'
  State is Master
  Virtual IP address is 192.168.1.254
  Virtual MAC address is 0000.5e00.0101
  Advertisement interval is 1.000 sec
  Preemption enabled
  Priority is 105
  Master Router is 192.168.1.1 (local), priority is 105
  Master Advertisement interval is 1.000 sec
  Master Down interval is 3.589 sec
VTP-Server-2#show vrrp all
Vlan192 - Group 1
'SWITCH-VRRP-Example'
  State is Backup
  Virtual IP address is 192.168.1.254
  Virtual MAC address is 0000.5e00.0101
  Advertisement interval is 1.000 sec
  Preemption enabled
  Priority is 100
  Master Router is 192.168.1.1, priority is 105
  Master Advertisement interval is 1.000 sec
  Master Down interval is 3.609 sec (expires in 3.328 sec)
The following outputs show the information printed by the show vrrp brief command:
VTP-Server-1#show vrrp brief
Interface          Grp Pri Time  Own Pre State   Master addr     Group addr
Vl192              1   105 3589       Y   Master  192.168.1.1     192.168.1.254
VTP-Server-2#show vrrp brief
Interface          Grp Pri Time  Own Pre State   Master addr     Group addr
Vl192              1   100 3609       Y   Backup  192.168.1.1     192.168.1.254
Configuring VRRP Timers
The interval for advertisement updates sent by the VRRP master virtual router is configured using the vrrp [number] timers advertise [[seconds] [msec] [milliseconds]] interface configuration command. The following output illustrates how to configure an advertisement interval of 5 seconds:
VTP-Server-1(config)#interface vlan 192
VTP-Server-1(config-if)#vrrp 1 timers advertise 5
The following output illustrates how to configure an advertisement interval of 100 milliseconds:
VTP-Server-1(config)#interface vlan 192
VTP-Server-1(config-if)#vrrp 1 timers advertise msec 100
VRRP timer configuration can be validated using the show vrrp interface [name] command, the output of which is illustrated as follows:
VTP-Server-1#show vrrp interface vlan 192
Vlan192 - Group 1
'SWITCH-VRRP-Example'
  State is Master
  Virtual IP address is 192.168.1.254
  Virtual MAC address is 0000.5e00.0101
  Advertisement interval is 0.100 sec
  Preemption enabled
  Priority is 105
  Master Router is 192.168.1.1 (local), priority is 105
  Master Advertisement interval is 0.100 sec
  Master Down interval is 0.889 sec
Configuring VRRP Timer Learning
As previously stated in this chapter, backup virtual routers can be optionally configured to learn timer values from the master virtual router. This is configured using the vrrp 1 timers learn interface configuration command on the backup virtual router. The following output shows how to configure a backup virtual router to learn about timers from the master virtual router:
VTP-Server-2(config)#interface vlan 192
VTP-Server-2(config-if)#vrrp 1 timers learn
VTP-Server-2(config-if)#exit
Again, the show vrrp interface [name] command can be used to validate this configuration. The output of this command is shown as follows:
VTP-Server-2#show vrrp interface vlan 192
Vlan192 - Group 1
'SWITCH-VRRP-Example'
  State is Backup
  Virtual IP address is 192.168.1.254
  Virtual MAC address is 0000.5e00.0101
  Advertisement interval is 1.000 sec
  Preemption enabled
  Priority is 100
  Master Router is 192.168.1.1, priority is 105
  Master Advertisement interval is 1.000 sec
  Master Down interval is 3.609 sec (expires in 3.572 sec) Learning
Configuring VRRP Plain Text Authentication
VRRP plain-text authentication is configured using the vrrp [number] authentication text [password] interface configuration command. As is the case with plain-text authentication when using HSRP, the password is sent unencrypted and can be viewed ‘on-the-wire’ as well as in the output of the show vrrp interface [name] command. The following outputs illustrate the configuration of plain-text authentication for VRRP using the password SWITCH:
VTP-Server-1(config)#interface vlan 192
VTP-Server-1(config-if)#vrrp 1 authentication text SWITCH
VTP-Server-1(config-if)#exit
VTP-Server-2(config)#interface vlan 192
VTP-Server-2(config-if)#vrrp 1 authentication text SWITCH
VTP-Server-2(config-if)#exit
The plain-text password is present in the output of the show vrrp interface [name] command, as shown below:
VTP-Server-1#show vrrp interface vlan 192
Vlan192 - Group 1
'SWITCH-VRRP-Example'
  State is Master
  Virtual IP address is 192.168.1.254
  Virtual MAC address is 0000.5e00.0101
  Advertisement interval is 0.100 sec
  Preemption enabled
  Priority is 105
  Authentication text, string "SWITCH"
  Master Router is 192.168.1.1 (local), priority is 105
  Master Advertisement interval is 0.100 sec
  Master Down interval is 0.889 sec
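What "viewed on-the-wire" means in practice, as an added example that is not part of the original guide: a decoder for the VRRPv2 advertisement layout from RFC 2338 plus a small audit routine for captured advertisements. The sample packet is constructed by hand, and the audit function, its finding texts and the EXPECTED allow-list are assumptions made for illustration:

```python
import struct
from ipaddress import IPv4Address

def inet_checksum(data: bytes) -> int:
    """16-bit one's-complement checksum, as carried in the VRRP header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_advert(payload: bytes) -> dict:
    """Decode a VRRPv2 advertisement (the payload of an IP protocol 112 packet)."""
    if len(payload) < 8:
        raise ValueError("truncated VRRP header")
    ver_type, vrid, prio, count, auth, adver, _ = struct.unpack("!6BH", payload[:8])
    end = 8 + 4 * count  # virtual IP list ends here, 8 bytes of auth data follow
    if ver_type != 0x21 or len(payload) < end + 8:  # version 2, type 1
        raise ValueError("not a complete VRRPv2 advertisement")
    return {
        "vrid": vrid, "priority": prio, "adver_int": adver, "auth_type": auth,
        "vips": [str(IPv4Address(payload[i:i + 4])) for i in range(8, end, 4)],
        "auth_data": payload[end:end + 8].rstrip(b"\x00").decode("ascii", "replace"),
        "virtual_mac": f"0000.5e00.01{vrid:02x}",
        "checksum_ok": inet_checksum(payload) == 0,
    }

def audit(src_ip: str, ttl: int, payload: bytes, expected: dict) -> list:
    """Findings for one advertisement; `expected` maps router IP -> configured priority."""
    adv = parse_advert(payload)
    findings = []
    if not adv["checksum_ok"]:
        findings.append("bad checksum")
    if ttl != 255:  # RFC 3768: advertisements with any other TTL must be discarded
        findings.append("TTL is not 255")
    if src_ip not in expected:
        findings.append(f"unknown sender {src_ip} claims priority {adv['priority']}")
    elif expected[src_ip] != adv["priority"]:
        findings.append("priority differs from configuration")
    if adv["auth_type"] == 0:    # RFC 2338 auth type 0: no authentication
        findings.append("group is unauthenticated")
    elif adv["auth_type"] == 1:  # RFC 2338 auth type 1: simple text password
        findings.append(f"password sent in clear: {adv['auth_data']!r}")
    return findings

# Constructed sample: group 1, priority 105, VIP 192.168.1.254, text password SWITCH.
SAMPLE = bytes.fromhex("21016901" "0101d261" "c0a801fe" "53574954" "43480000")
EXPECTED = {"192.168.1.1": 105, "192.168.1.2": 100}  # the two switches configured above

if __name__ == "__main__":
    print(audit("192.168.1.1", 255, SAMPLE, EXPECTED))
```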
Configuring VRRP MD5 Authentication
Cisco IOS software supports two methods for configuring MD5 authentication for VRRP. The first method does not require key chains and is configured using the vrrp [number] authentication md5 key-string [password] interface configuration command. The second method, which requires key chain configuration, is applied using the vrrp [number] authentication md5 key-chain [name] interface configuration command.
Key chain configuration is illustrated in HSRP configuration and will not be illustrated in this section. Refer to that section if you are unable to remember how to configure key chains. The following outputs illustrate how to configure MD5 authentication for VRRP without a key chain:
VTP-Server-1(config)#interface vlan 192
VTP-Server-1(config-if)#vrrp 1 authentication md5 key-string SWITCH
VTP-Server-1(config-if)#exit
VTP-Server-2(config)#interface vlan 192
VTP-Server-2(config-if)#vrrp 1 authentication md5 key-string SWITCH
VTP-Server-2(config-if)#exit
MD5 authentication for VRRP is verified using the show vrrp interface [name] command as shown in the following output:
VTP-Server-2#show vrrp interface vlan 192
Vlan192 - Group 1
'SWITCH-VRRP-Example'
  State is Backup
  Virtual IP address is 192.168.1.254
  Virtual MAC address is 0000.5e00.0101
  Advertisement interval is 1.000 sec
  Preemption enabled
  Priority is 100
  Authentication MD5, key-string
  Master Router is 192.168.1.1, priority is 105
  Master Advertisement interval is 1.000 sec
  Master Down interval is 3.609 sec (expires in 3.516 sec) Learning
As is the case with MD5 authentication for HSRP, notice that the password is not displayed in the output of the show command. It can be validated by viewing the switch configuration.
Configuring VRRP Interface Tracking
To configure VRRP to track an interface, for example, a tracked object must first be created using the track [object number] interface [name] [line-protocol|ip routing] global configuration command for interface tracking or the track [object number] ip route [address/prefix] {reachability | metric threshold} global configuration command for IP prefix tracking. Up to 500 track objects may be tracked on the switch, depending on the software and platform. Tracked objects are then tracked by VRRP using the vrrp [number] track [object] interface configuration command.
NOTE: You are not expected to perform any advanced object tracking configurations.
The following output shows how to configure tracking for VRRP, referencing object 1, which tracks the line protocol of the Loopback0 interface:
VTP-Server-1(config)#track 1 interface loopback 0 line-protocol
VTP-Server-1(config-track)#exit
VTP-Server-1(config)#interface vlan 192
VTP-Server-1(config-if)#vrrp 1 track 1
VTP-Server-1(config-if)#exit
The following output shows how to configure tracking for VRRP, referencing object 2, which tracks the reachability of the 1.1.1.1/32 prefix. A tracked IP route object is considered to be up and reachable when a routing table entry exists for the route and the route is not inaccessible. An inaccessible route has a route metric of 255, in which case it is removed from the Routing Information Base (RIB) anyway:
VTP-Server-1(config)#track 2 ip route 1.1.1.1/32 reachability
VTP-Server-1(config-track)#exit
VTP-Server-1(config)#interface vlan 192
VTP-Server-1(config-if)#vrrp 1 track 2
VRRP tracking configuration is verified using the show vrrp interface [name] command. This is illustrated in the following output:
VTP-Server-1#show vrrp interface vlan 192
Vlan192 - Group 1
'SWITCH-VRRP-Example'
  State is Master
  Virtual IP address is 192.168.1.254
  Virtual MAC address is 0000.5e00.0101
  Advertisement interval is 0.100 sec
  Preemption enabled
  Priority is 105
    Track object 1 state Up decrement 10
    Track object 2 state Up decrement 10
  Authentication MD5, key-string
  Master Router is 192.168.1.1 (local), priority is 105
  Master Advertisement interval is 0.100 sec
  Master Down interval is 0.889 sec
To view the parameters of the tracked objects, use the show track [number] [brief] [interface] [ip] [resolution] [timers] command. The output of the show track command is illustrated as follows:
VTP-Server-1#show track
Track 1
  Interface Loopback0 line-protocol
  Line protocol is Up
    1 change, last change 00:11:36
  Tracked by:
    VRRP Vlan192 1
Track 2
  IP route 1.1.1.1 255.255.255.255 reachability
  Reachability is Up (connected)
    1 change, last change 00:08:48
  First-hop interface is Loopback0
  Tracked by:
    VRRP Vlan192 1
NOTE: Tracked objects can also be used in conjunction with HSRP and GLBP. GLBP is described in a section to follow.
Debugging the Virtual Router Redundancy Protocol
The debug vrrp command provides several options that the administrator can use to view real-time information on VRRP operation. These options are illustrated in the following output:
VTP-Server-1#debug vrrp ?
  all      Debug all VRRP information
  auth     VRRP authentication reporting
  errors   VRRP error reporting
  events   Protocol and Interface events
  packets  VRRP packet details
  state    VRRP state reporting
  track    Monitor tracking
  <cr>