VRRP – Virtual Router Redundancy Protocol

In the last tutorial, we discussed HSRP (Hot Standby Router Protocol). VRRP is similar to HSRP, providing redundancy and high availability in computer networks. Like HSRP, VRRP also creates a virtual gateway and avoids a single point of failure. Before starting with VRRP, let’s first discuss what a single point of failure is.

Single point of failure in computer networks

To understand the single point of failure, start with a simple example:

Look at this topology, in which a host is connected to a layer two switch. This switch is further connected to two routers, i.e., R1 and R2. The Host behind the switch can have only one default gateway. Assume that we have configured the R1 IP address as the default gateway on the Host. The Host can access the internet via R1, and we don’t have any issues at all.

[Figure: simple computer network without VRRP]

Now, for whatever reason, R1 becomes unresponsive and is unable to process any network traffic from the Host. In this case, we must switch the default gateway to R2 to make the internet work. After that, the internet starts working again on the end computer.

[Figure: single point of failure without FHRP]

However, switching the default gateway causes a significant amount of downtime in the network. Further, a single administrator can’t change the default gateways on all LAN computers.

We can use one of the FHRPs (First-Hop Redundancy Protocols) to avoid this downtime. VRRP is one of the FHRPs.

What is VRRP?

VRRP stands for Virtual Router Redundancy Protocol. It is an open standard protocol that provides redundancy and high availability in computer networks. In VRRP, we deploy two or more routers in a group. All of the routers in this group sync with each other. If the master router fails, the backup router takes the master role and starts forwarding the traffic.

Refer to RFC 3768 for more detail.

Like HSRP, VRRP also has a Virtual IP & MAC address. This IP becomes the default gateway for the hosts.

VRRP uses a Multicast address 224.0.0.18 for the communication between master and backup routers. The virtual MAC address is 0000.5e00.01XX, where XX is the VRRP group number.

VRRP States

In this section, we will discuss the different states of VRRP. Routers that are participating in VRRP will go through all of the states.

State: State Information

Init (Initialize): Once you enable VRRP, the routers will be in the Init state.

Listen: In this state, the router receives messages from other VRRP routers. However, none of the routers are master or backup.

Learn: This is similar to the Listen state. However, routers perform the election and become ready to be master or backup routers.

Backup: Routers in this state are ready to take over the network traffic if the master router fails.

Master: The master router is responsible for actively forwarding network traffic.

VRRP configuration on Cisco IOS Router / Multilayer Switch

In this section, we will configure VRRP on Cisco IOS routers. The configuration is almost the same on a multilayer switch. We will use the network topology below for the configuration:

[Figure: network topology for configuring VRRP on Cisco IOS]

We have R1, R2, R3, SW01, and a Windows Host. Let’s start the configuration by confirming the interfaces of the routers:

Router R1:

interface GigabitEthernet1
ip address 172.16.1.1 255.255.255.0
negotiation auto
!
interface GigabitEthernet2
ip address 101.1.1.1 255.255.255.252
negotiation auto

Router R2:

interface GigabitEthernet1
ip address 172.16.1.2 255.255.255.0
negotiation auto
!
interface GigabitEthernet2
ip address 201.1.1.1 255.255.255.252
negotiation auto

Router R3:

interface GigabitEthernet1
ip address 101.1.1.2 255.255.255.252
negotiation auto
!
interface GigabitEthernet2
ip address 201.1.1.2 255.255.255.252
negotiation auto

Now, we will start configuring VRRP on router R1, followed by R2.

On R1:

R1(config)#interface gigabitEthernet 1
R1(config-if)#vrrp 5 ip 172.16.1.100

Similarly, on R2:

R2(config)#interface gigabitEthernet 1
R2(config-if)#vrrp 5 ip 172.16.1.100

Once you enable VRRP, you should get the following messages:

*Jan 1 15:18:06.699: %VRRP-6-STATECHANGE: Gi1 Grp 5 state Init -> Backup
*Jan 1 15:18:10.308: %VRRP-6-STATECHANGE: Gi1 Grp 5 state Backup -> Master

When troubleshooting, enable the VRRP debugs. They show the complete sequence of VRRP states on the router:

R1#debug vrrp events
VRRP Events debugging is on

To get the complete events, shut down the gig1 interface. Use the no shutdown command to re-enable the interface.

*Jan 1 15:30:27.351: VRRP: vrrp_interface_state: Gi1 is Up
*Jan 1 15:30:27.351: VRRP: vrrp_swif_comingup: Gi1 now Up
*Jan 1 15:30:27.351: VRRP: Enabling groups on interface GigabitEthernet1
*Jan 1 15:30:27.351: VRRP: vrrp_interface_state: Gi1 is Up
*Jan 1 15:30:27.351: VRRP: Grp 5 mincfg is met :
*Jan 1 15:30:27.351: VRRP: Grp 5 Event - Interface UP
*Jan 1 15:30:27.351: %VRRP-6-STATECHANGE: Gi1 Grp 5 state Init -> Backup
*Jan 1 15:30:28.842: VRRP: vrrp_interface_state: Gi1 is Up
*Jan 1 15:30:28.842: VRRP: vrrp_swif_comingup: Gi1 now Up
*Jan 1 15:30:28.842: VRRP: Enabling groups on interface GigabitEthernet1
*Jan 1 15:30:30.961: VRRP: Grp 5 Event - Master down timer expired
*Jan 1 15:30:30.961: %VRRP-6-STATECHANGE: Gi1 Grp 5 state Backup -> Master

Finally, go to the Host and assign the IP Address per our topology. Check the IP Address on your Host using ipconfig, and try to ping the virtual gateway.

C:\Documents and Settings\admin>ipconfig

Windows IP Configuration

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . : 172.16.1.10
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 172.16.1.100

You should get the ping response from the Virtual Gateway with the default TTL 255.

C:\Documents and Settings\admin>ping 172.16.1.100

Pinging 172.16.1.100 with 32 bytes of data:

Reply from 172.16.1.100: bytes=32 time=2ms TTL=255
Reply from 172.16.1.100: bytes=32 time<1ms TTL=255
Reply from 172.16.1.100: bytes=32 time=1ms TTL=255
Reply from 172.16.1.100: bytes=32 time<1ms TTL=255

Ping statistics for 172.16.1.100:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 2ms, Average = 0ms

C:\Documents and Settings\admin>

You should find the VRRP MAC address on the Windows host:

C:\Documents and Settings\admin>arp -a

Interface: 172.16.1.10 --- 0x2
Internet Address Physical Address Type
172.16.1.100 00-00-5e-00-01-05 dynamic

Managing the VRRP on Cisco Devices

In this section, we will discuss some of the important commands to manage the VRRP. We will start with the show vrrp command, which shows complete information about VRRP.

R1#show vrrp
GigabitEthernet1 - Group 5
State is Backup
Virtual IP address is 172.16.1.100
Virtual MAC address is 0000.5e00.0105
Advertisement interval is 1.000 sec
Preemption enabled
Priority is 100
Master Router is 172.16.1.2, priority is 100
Master Advertisement interval is 1.000 sec
Master Down interval is 3.609 sec (expires in 3.519 sec)

This command shows complete VRRP information. VRRP is enabled on GigabitEthernet1, and the group is 5. Further, the state of the current router is Backup. Virtual IP is 172.16.1.100 & MAC is 0000.5e00.0105.

Unlike HSRP, preemption is enabled by default. The master router is 172.16.1.2 with the same priority, i.e., 100. You will get similar information on R2.

R2#show vrrp
GigabitEthernet1 - Group 5
State is Master
Virtual IP address is 172.16.1.100
Virtual MAC address is 0000.5e00.0105
Advertisement interval is 1.000 sec
Preemption enabled
Priority is 100
Master Router is 172.16.1.2 (local), priority is 100
Master Advertisement interval is 1.000 sec
Master Down interval is 3.609 sec

You may notice that both routers have the same priority, i.e., 100. Still, router R2 is the master and is forwarding network traffic. We must understand the VRRP election process to explain this behavior.

VRRP Election:

The VRRP election process is almost the same as in HSRP. First, the routers compare priorities, and the highest priority wins. If the priorities are the same, the router with the highest IP address wins.

In our case, both routers have the default priority value, i.e., 100. R2 has the higher IP address, 172.16.1.2, so it becomes master.

Priority and Preemption Configuration

Priority is a numeric value between 0 and 255. The router with the highest priority becomes the master. You can configure the priority using the command below:

R1(config)#interface gigabitEthernet 1
R1(config-if)#vrrp 5 priority 150

Let’s verify the priority using the command below:

R1#show vrrp | include priority
Master Router is 172.16.1.1 (local), priority is 150

Since preemption is enabled in VRRP, router R1, which now has the highest priority, i.e., 150, will become master.

*Jan 2 06:20:06.246: %VRRP-6-STATECHANGE: Gi1 Grp 5 state Backup -> Master

Preemption takes effect immediately. However, it is recommended to set some delay so that, after a reboot, the router can learn the dynamic routes from its neighbors before it takes over. To set a delay in VRRP preemption, you can use the command below:

R1(config-if)#vrrp 5 preempt delay minimum 60

To disable preemption, use the command below:

R1(config)#interface gigabitEthernet 1
R1(config-if)#no vrrp 5 preempt

Authentication

VRRP supports plain-text authentication. For security reasons, you can configure the same authentication string on all VRRP-enabled routers.

To configure the authentication, you can use the command below:

R1(config-if)#vrrp 5 authentication text MY_PASS
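
The following Python example is added here and is not part of the original article or of Cisco's software. It parses a VRRPv2 advertisement as laid out in RFC 3768 and audits it, showing that a text authentication string is carried unencrypted in every advertisement and therefore only protects against misconfiguration. The two payloads, the sender 172.16.1.66, and the assumption that IOS text authentication uses the RFC 2338 "simple text password" field (auth type 1) are constructed for illustration.

```python
import ipaddress
import struct

def inet_checksum(data: bytes) -> int:
    """16-bit one's-complement checksum (even-length input); 0 over a valid message."""
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_advert(msg: bytes) -> dict:
    """Parse a VRRPv2 (RFC 3768) advertisement, the payload of IP protocol 112."""
    if len(msg) < 16:
        raise ValueError("truncated")
    ver_type, vrid, prio, count, auth_type, _adv, _ck = struct.unpack("!BBBBBBH", msg[:8])
    if ver_type != 0x21:                      # version 2, type 1 (ADVERTISEMENT)
        raise ValueError("not a VRRPv2 advertisement")
    if len(msg) != 16 + 4 * count:            # header + virtual IPs + 8 bytes auth data
        raise ValueError("length does not match address count")
    if inet_checksum(msg) != 0:
        raise ValueError("bad checksum")
    vips = [str(ipaddress.IPv4Address(msg[8 + 4 * i:12 + 4 * i])) for i in range(count)]
    return {"vrid": vrid, "priority": prio, "vips": vips, "auth_type": auth_type,
            "auth_data": msg[-8:].rstrip(b"\x00"), "vmac": f"0000.5e00.01{vrid:02x}"}

def audit(src: str, ttl: int, msg: bytes, allowed: set, master: tuple) -> list:
    """Findings for one advertisement; master is (priority, ip) of the expected master."""
    try:
        ad = parse_advert(msg)
    except ValueError as exc:
        return [f"malformed: {exc}"]
    findings = []
    if ttl != 255:                            # RFC 3768: receivers discard TTL != 255
        findings.append("ttl is not 255")
    if src not in allowed:
        findings.append(f"unexpected sender {src} for group {ad['vrid']}")
        # Election rule from the article: higher priority wins, then higher IP address.
        candidate = (ad["priority"], ipaddress.IPv4Address(src))
        if candidate > (master[0], ipaddress.IPv4Address(master[1])):
            findings.append("sender would win the election")
    if ad["auth_type"] == 1:                  # assumed: RFC 2338 simple text password
        text = ad["auth_data"].decode("ascii", "replace")
        findings.append(f"password readable on the wire: {text}")
    return findings

# Constructed sample payloads (not captures): R1 with text auth, and an unknown host.
R1_ADVERT = bytes.fromhex("2105960101015986ac1001644d595f5041535300")
UNKNOWN_ADVERT = bytes.fromhex("2105c80100016983ac1001640000000000000000")
ROUTERS = {"172.16.1.1", "172.16.1.2"}        # R1 and R2 from the topology
```

Calling audit("172.16.1.1", 255, R1_ADVERT, ROUTERS, (150, "172.16.1.1")) reports the recovered string MY_PASS. Cisco IOS releases that support it also offer MD5 authentication for VRRP, which keeps the key itself out of the advertisement.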

Conclusion

In this article, we have discussed and configured VRRP on Cisco IOS routers. VRRP is an FHRP that helps us with network redundancy and high availability. It is an open standard protocol available for non-Cisco devices as well. Like HSRP, it creates a Virtual Router with a Virtual IP & MAC address.
