Configuring VRRP
The Virtual Router Redundancy Protocol (VRRP) is an election protocol that dynamically assigns responsibility for one or more virtual routers to the VRRP routers on a LAN, allowing several routers on a multiaccess link to utilize the same virtual IP address. A VRRP router is configured to run the VRRP protocol in conjunction with one or more other routers attached to a LAN. In a VRRP configuration, one router is elected as the virtual router master, with the other routers acting as backups in case the virtual router master fails.
This module explains the concepts related to VRRP and describes how to configure VRRP in a network.
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the Feature Information Table at the end of this document.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Restrictions for VRRP
- VRRP is designed for use over multiaccess, multicast, or broadcast capable Ethernet LANs. VRRP is not intended as a replacement for existing dynamic protocols.
- VRRP is supported on Ethernet, Fast Ethernet, Bridge Group Virtual Interface (BVI), and Gigabit Ethernet interfaces, and on Multiprotocol Label Switching (MPLS) Virtual Private Networks (VPNs), VRF-aware MPLS VPNs, and VLANs.
- Because of the forwarding delay that is associated with the initialization of a BVI interface, you must configure the VRRP advertise timer to a value equal to or greater than the forwarding delay on the BVI interface. This setting prevents a VRRP router on a recently initialized BVI interface from unconditionally taking over the master role. Use the bridge forward-time command to set the forwarding delay on the BVI interface. Use the vrrp timers advertise command to set the VRRP advertisement timer.
- Enhanced Object Tracking (EOT) is not stateful switchover (SSO)-aware and cannot be used with VRRP in SSO mode.
Information About VRRP
- VRRP Operation
- VRRP Benefits
- Multiple Virtual Router Support
- VRRP Router Priority and Preemption
- VRRP Advertisements
- VRRP Object Tracking
- How Object Tracking Affects the Priority of a VRRP Router
- VRRP Support for Stateful Switchover
VRRP Operation
There are several ways a LAN client can determine which router should be the first hop to a particular remote destination. The client can use a dynamic process or static configuration. Examples of dynamic router discovery are as follows:
- Proxy ARP--The client uses Address Resolution Protocol (ARP) to get the destination it wants to reach, and a router will respond to the ARP request with its own MAC address.
- Routing protocol--The client listens to dynamic routing protocol updates (for example, from Routing Information Protocol [RIP]) and forms its own routing table.
- ICMP Router Discovery Protocol (IRDP) client--The client runs an Internet Control Message Protocol (ICMP) router discovery client.
The drawback to dynamic discovery protocols is that they incur some configuration and processing overhead on the LAN client. Also, in the event of a router failure, the process of switching to another router can be slow.
An alternative to dynamic discovery protocols is to statically configure a default router on the client. This approach simplifies client configuration and processing, but creates a single point of failure. If the default gateway fails, the LAN client is limited to communicating only on the local IP network segment and is cut off from the rest of the network.
VRRP can solve the static configuration problem. VRRP enables a group of routers to form a single virtual router. The LAN clients can then be configured with the virtual router as their default gateway. The virtual router, representing a group of routers, is also known as a VRRP group.
VRRP is supported on Ethernet, Fast Ethernet, BVI, and Gigabit Ethernet interfaces, and on MPLS VPNs, VRF-aware MPLS VPNs, and VLANs.
The figure below shows a LAN topology in which VRRP is configured. In this example, Routers A, B, and C are VRRP routers (routers running VRRP) that comprise a virtual router. The IP address of the virtual router is the same as that configured for the Ethernet interface of Router A (10.0.0.1).
| Figure 1 | Basic VRRP Topology |
Because the virtual router uses the IP address of the physical Ethernet interface of Router A, Router A assumes the role of the virtual router master and is also known as the IP address owner. As the virtual router master, Router A controls the IP address of the virtual router and is responsible for forwarding packets sent to this IP address. Clients 1 through 3 are configured with the default gateway IP address of 10.0.0.1.
Routers B and C function as virtual router backups. If the virtual router master fails, the router configured with the higher priority will become the virtual router master and provide uninterrupted service for the LAN hosts. When Router A recovers, it becomes the virtual router master again. For more detail on the roles that VRRP routers play and what happens if the virtual router master fails, see the VRRP Router Priority and Preemption section.
The figure below shows a LAN topology in which VRRP is configured so that Routers A and B share the traffic to and from clients 1 through 4 and that Routers A and B act as virtual router backups to each other if either router fails.
| Figure 2 | Load Sharing and Redundancy VRRP Topology |
In this topology, two virtual routers are configured. (For more information, see the Multiple Virtual Router Support section.) For virtual router 1, Router A is the owner of IP address 10.0.0.1 and virtual router master, and Router B is the virtual router backup to Router A. Clients 1 and 2 are configured with the default gateway IP address of 10.0.0.1.
For virtual router 2, Router B is the owner of IP address 10.0.0.2 and virtual router master, and Router A is the virtual router backup to Router B. Clients 3 and 4 are configured with the default gateway IP address of 10.0.0.2.
VRRP Benefits
Redundancy
VRRP enables you to configure multiple routers as the default gateway router, which reduces the possibility of a single point of failure in a network.
Load Sharing
You can configure VRRP in such a way that traffic to and from LAN clients can be shared by multiple routers, thereby sharing the traffic load more equitably among available routers.
Multiple Virtual Routers
VRRP supports up to 255 virtual routers (VRRP groups) on a router physical interface, subject to the platform supporting multiple MAC addresses. Multiple virtual router support enables you to implement redundancy and load sharing in your LAN topology.
Multiple IP Addresses
The virtual router can manage multiple IP addresses, including secondary IP addresses. Therefore, if you have multiple subnets configured on an Ethernet interface, you can configure VRRP on each subnet.
Preemption
The redundancy scheme of VRRP enables you to preempt a virtual router backup that has taken over for a failing virtual router master with a higher priority virtual router backup that has become available.
Authentication
VRRP message digest 5 (MD5) algorithm authentication protects against VRRP-spoofing software and uses the industry-standard MD5 algorithm for improved reliability and security.
Advertisement Protocol
VRRP uses a dedicated Internet Assigned Numbers Authority (IANA) standard multicast address (224.0.0.18) for VRRP advertisements. This addressing scheme minimizes the number of routers that must service the multicasts and allows test equipment to accurately identify VRRP packets on a segment. The IANA assigned VRRP the IP protocol number 112.
VRRP Object Tracking
VRRP object tracking provides a way to ensure the best VRRP router is the virtual router master for the group by altering VRRP priorities to the status of tracked objects such as the interface or IP route states.
Multiple Virtual Router Support
You can configure up to 255 virtual routers on a router physical interface. The actual number of virtual routers that a router interface can support depends on the following factors:
- Router processing capability
- Router memory capability
- Router interface support of multiple MAC addresses
In a topology where multiple virtual routers are configured on a router interface, the interface can act as a master for one virtual router and as a backup for one or more virtual routers.
VRRP Router Priority and Preemption
An important aspect of the VRRP redundancy scheme is VRRP router priority. Priority determines the role that each VRRP router plays and what happens if the virtual router master fails.
If a VRRP router owns the IP address of the virtual router and the IP address of the physical interface, this router will function as a virtual router master.
Priority also determines if a VRRP router functions as a virtual router backup and the order of ascendancy to becoming a virtual router master if the virtual router master fails. You can configure the priority of each virtual router backup with a value of 1 through 254 using the vrrp priority command.
For example, if Router A, the virtual router master in a LAN topology, fails, an election process takes place to determine if virtual router backups B or C should take over. If Routers B and C are configured with the priorities of 101 and 100, respectively, Router B is elected to become virtual router master because it has the higher priority. If Routers B and C are both configured with the priority of 100, the virtual router backup with the higher IP address is elected to become the virtual router master.
By default, a preemptive scheme is enabled whereby a higher priority virtual router backup that becomes available takes over for the virtual router backup that was elected to become virtual router master. You can disable this preemptive scheme using the no vrrp preempt command. If preemption is disabled, the virtual router backup that is elected to become virtual router master remains the master until the original virtual router master recovers and becomes master again.
VRRP Advertisements
The virtual router master sends VRRP advertisements to other VRRP routers in the same group. The advertisements communicate the priority and state of the virtual router master. The VRRP advertisements are encapsulated in IP packets and sent to the IP Version 4 multicast address assigned to the VRRP group. The advertisements are sent every second by default; the interval is configurable.
Although the VRRP protocol as per RFC 3768 does not support millisecond timers, Cisco routers allow you to configure millisecond timers. You need to manually configure the millisecond timer values on both the primary and the backup routers. The master advertisement value displayed in the show vrrp command output on the backup routers is always 1 second because the packets on the backup routers do not accept millisecond values.
You must use millisecond timers where absolutely necessary and with careful consideration and testing. Millisecond values work only under favorable circumstances, and you must be aware that the use of the millisecond timer values restricts VRRP operation to Cisco devices only.
VRRP Object Tracking
Object tracking is an independent process that manages creating, monitoring, and removing tracked objects such as the state of the line protocol of an interface. Clients such as the Hot Standby Router Protocol (HSRP), Gateway Load Balancing Protocol (GLBP), and VRRP register their interest with specific tracked objects and act when the state of an object changes.
Each tracked object is identified by a unique number that is specified on the tracking CLI. Client processes such as VRRP use this number to track a specific object.
The tracking process periodically polls the tracked objects and notes any change of value. The changes in the tracked object are communicated to interested client processes, either immediately or after a specified delay. The object values are reported as either up or down.
VRRP object tracking gives VRRP access to all the objects available through the tracking process. The tracking process provides the ability to track individual objects such as a the state of an interface line protocol, state of an IP route, or the reachability of a route.
VRRP provides an interface to the tracking process. Each VRRP group can track multiple objects that may affect the priority of the VRRP router. You specify the object number to be tracked and VRRP will be notified of any change to the object. VRRP increments (or decrements) the priority of the virtual router based on the state of the object being tracked.
How Object Tracking Affects the Priority of a VRRP Router
The priority of a device can change dynamically if it has been configured for object tracking and the object that is being tracked goes down. The tracking process periodically polls the tracked objects and notes any change of value. The changes in the tracked object are communicated to VRRP, either immediately or after a specified delay. The object values are reported as either up or down. Examples of objects that can be tracked are the line protocol state of an interface or the reachability of an IP route. If the specified object goes down, the VRRP priority is reduced. The VRRP router with the higher priority can now become the virtual router master if it has the vrrp preempt command configured. See the VRRP Object Tracking section for more information on object tracking.
VRRP Support for Stateful Switchover
With the introduction of the VRRP Support for Stateful Switchover feature, VRRP is SSO aware. VRRP can detect when a router is failing over to the secondary RP and continue in its current group state.
SSO functions in networking devices (usually edge devices) that support dual Route Processors (RPs). SSO provides RP redundancy by establishing one of the RPs as the active processor and the other RP as the standby processor. SSO also synchronizes critical state information between the RPs so that network state information is dynamically maintained between RPs.
Prior to being SSO aware, if VRRP was deployed on a router with redundant RPs, a switchover of roles between the active RP and the standby RP would result in the router relinquishing its activity as a VRRP group member and then rejoining the group as if it had been reloaded. The SSO--VRRP feature enables VRRP to continue its activities as a group member during a switchover. VRRP state information between redundant RPs is maintained so that the standby RP can continue the router's activities within the VRRP during and after a switchover.
This feature is enabled by default. To disable this feature, use the no vrrp sso command in global configuration mode.
For more information, see the Stateful Switchover document.
How to Configure VRRP
- Customizing VRRP
- Enabling VRRP
- Configuring VRRP Object Tracking
- Configuring VRRP Text Authentication
Customizing VRRP
Customizing the behavior of VRRP is optional. Be aware that as soon as you enable a VRRP group, that group is operating. It is possible that if you first enable a VRRP group before customizing VRRP, the router could take over control of the group and become the virtual router master before you have finished customizing the feature. Therefore, if you plan to customize VRRP, it is a good idea to do so before enabling VRRP.
DETAILED STEPS
Enabling VRRP
DETAILED STEPS
| Command or Action | Purpose | |||
|---|---|---|---|---|
|
|
Example: Router> enable |
Enables privileged EXEC mode. |
||
|
|
Example: Router# configure terminal |
Enters global configuration mode. |
||
|
|
Example: Router(config)# interface GigabitEthernet 0/0/0 |
Enters interface configuration mode. |
||
|
|
Example: Router(config-if)# ip address 172.16.6.5 255.255.255.0 |
Configures an IP address for an interface. | ||
|
|
Example: Router(config-if)# vrrp 10 ip 172.16.6.1 |
Enables VRRP on an interface.
|
||
|
|
Example: Router(config-if)# end |
Returns to privileged EXEC mode. |
||
|
|
Example: Router# show vrrp 10 |
(Optional) Displays a brief or detailed status of one or all VRRP groups on the router. |
||
|
|
Example: Router# show vrrp interface GigabitEthernet 0/0/0 |
(Optional) Displays the VRRP groups and their status on a specified interface. |
Configuring VRRP Object Tracking
 Note |
If a VRRP group is the IP address owner, its priority is fixed at 255 and cannot be reduced through object tracking. |
DETAILED STEPS
| Command or Action | Purpose | |
|---|---|---|
|
|
Example: Router> enable |
Enables privileged EXEC mode. |
|
|
Example: Router# configure terminal |
Enters global configuration mode. |
|
|
Example: Router(config)# track 2 interface serial 6 line-protocol |
Configures an interface to be tracked where changes in the state of the interface affect the priority of a VRRP group.
|
|
|
Example: Router(config)# interface Ethernet 2 |
Enters interface configuration mode. |
|
|
Example: Router(config-if)# vrrp 1 ip 10.0.1.20 |
Enables VRRP on an interface and identifies the IP address of the virtual router. |
|
|
Example: Router(config-if)# vrrp 1 priority 120 |
Sets the priority level of the router within a VRRP group. |
|
|
Example: Router(config-if)# vrrp 1 track 2 decrement 15 |
Configures VRRP to track an object. |
|
|
Example: Router(config-if)# end |
Returns to privileged EXEC mode. |
|
|
Example: Router# show track 1 |
Displays tracking information. |
Configuring VRRP Text Authentication
Interoperability with vendors that may have implemented the RFC 2338 method is not enabled.
Text authentication cannot be combined with MD5 authentication for a VRRP group at any one time. When MD5 authentication is configured, the text authentication field in VRRP hello messages is set to all zeros on transmit and ignored on receipt, provided the receiving router also has MD5 authentication enabled.
DETAILED STEPS
| Command or Action | Purpose | |||
|---|---|---|---|---|
|
|
Example: Router> enable |
Enables privileged EXEC mode. |
||
|
|
Example: Router# configure terminal |
Enters global configuration mode. |
||
|
|
Example: Router(config)# interface Ethernet 0/1 |
Configures an interface type and enters interface configuration mode. |
||
|
|
Example: Router(config-if)# ip address 10.0.0.1 255.255.255.0 |
Specifies a primary or secondary IP address for an interface. |
||
|
|
Example: Router(config-if)# vrrp 1 authentication text textstring1 |
Authenticates VRRP packets received from other routers in the group.
|
||
|
|
Example: Router(config-if)# vrrp 1 ip 10.0.1.20 |
Enables VRRP on an interface and identifies the IP address of the virtual router. |
||
|
|
|
-- |
||
|
|
Example: Router(config-if)# end |
Returns to privileged EXEC mode. |
Configuration Examples for VRRP
- Example: Configuring VRRP
- Example: VRRP Object Tracking
- Example: VRRP Object Tracking Verification
- Example: VRRP Text Authentication
Example: Configuring VRRP
In the following example, Router A and Router B each belong to three VRRP groups.
In the configuration, each group has the following properties:
Router A
Router(config)# interface GigabitEthernet 1/0/0 Router(config-if)# ip address 10.1.0.2 255.0.0.0 Router(config-if)# vrrp 1 priority 120 Router(config-if)# vrrp 1 authentication cisco Router(config-if)# vrrp 1 timers advertise 3 Router(config-if)# vrrp 1 timers learn Router(config-if)# vrrp 1 ip 10.1.0.10 Router(config-if)# vrrp 5 priority 100 Router(config-if)# vrrp 5 timers advertise 30 Router(config-if)# vrrp 5 timers learn Router(config-if)# vrrp 5 ip 10.1.0.50 Router(config-if)# vrrp 100 timers learn Router(config-if)# no vrrp 100 preempt Router(config-if)# vrrp 100 ip 10.1.0.100 Router(config-if)# no shutdown
Router B
Router(config)# interface GigabitEthernet 1/0/0 Router(config-if)# ip address 10.1.0.1 255.0.0.0 Router(config-if)# vrrp 1 priority 100 Router(config-if)# vrrp 1 authentication cisco Router(config-if)# vrrp 1 timers advertise 3 Router(config-if)# vrrp 1 timers learn Router(config-if)# vrrp 1 ip 10.1.0.10 Router(config-if)# vrrp 5 priority 200 Router(config-if)# vrrp 5 timers advertise 30 Router(config-if)# vrrp 5 timers learn Router(config-if)# vrrp 5 ip 10.1.0.50 Router(config-if)# vrrp 100 timers learn Router(config-if)# no vrrp 100 preempt Router(config-if)# vrrp 100 ip 10.1.0.100 Router(config-if)# no shutdown
Example: VRRP Object Tracking
In the following example, the tracking process is configured to track the state of the line protocol on serial interface 0/1. VRRP on Ethernet interface 1/0 then registers with the tracking process to be informed of any changes to the line protocol state of serial interface 0/1. If the line protocol state on serial interface 0/1 goes down, then the priority of the VRRP group is reduced by 15.
Router(config)# track 1 interface Serial 0/1 line-protocol Router(config-track)# exit Router(config)# interface Ethernet 1/0 Router(config-if)# ip address 10.0.0.2 255.0.0.0 Router(config-if)# vrrp 1 ip 10.0.0.3 Router(config-if)# vrrp 1 priority 120 Router(config-if)# vrrp 1 track 1 decrement 15
Example: VRRP Object Tracking Verification
The following examples verify the configuration shown in the Example: VRRP Object Tracking section:
Router# show vrrp Ethernet1/0 - Group 1 State is Master Virtual IP address is 10.0.0.3 Virtual MAC address is 0000.5e00.0101 Advertisement interval is 1.000 sec Preemption is enabled min delay is 0.000 sec Priority is 105 Track object 1 state Down decrement 15 Master Router is 10.0.0.2 (local), priority is 105 Master Advertisement interval is 1.000 sec Master Down interval is 3.531 sec Router# show track Track 1 Interface Serial0/1 line-protocol Line protocol is Down (hw down) 1 change, last change 00:06:53 Tracked by: VRRP Ethernet1/0 1
Example: VRRP Text Authentication
The following example shows how to configure VRRP text authentication using a text string:
Router(config)# interface GigabitEthernet 0/0/0 Router(config)# ip address 10.21.8.32 255.255.255.0 Router(config-if)# vrrp 10 authentication text stringxyz Router(config-if)# vrrp 10 ip 10.21.8.10
Additional References
Related Documents
| Related Topic |
Document Title |
|---|---|
| Cisco IOS commands |
|
| VRRP commands |
Cisco IOS IP Application Services Command Reference |
| Object tracking |
Configuring Enhanced Object Tracking |
| Hot Standby Routing Protocol (HSRP) |
Configuring HSRP |
| In Service Software Upgrace (ISSU) |
"Cisco IOS In Service Software Upgrade Process" in the Cisco IOSHigh Availability Configuration Guide |
| Gateway Load Balancing Protocol (GLBP) |
Configuring GLBP |
| Stateful Switchover |
The Stateful Switchover section in the Cisco IOS High Availability Configuration Guide |
Standards
| Standards |
Title |
|---|---|
| No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature. |
-- |
MIBs
| MIBs |
MIBs Link |
|---|---|
| VRRP MIB |
To locate and download MIBs for selected platforms, Cisco software releases, and feature sets, use Cisco MIB Locator found at the following URL: |
RFCs
| RFCs |
Title |
|---|---|
| RFC 2338 |
|
| RFC 2787 |
Definitions of Managed Objects for the Virtual Router Redundancy Protocol |
| RFC 3768 |
Technical Assistance
| Description |
Link |
|---|---|
| The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password. |
Feature Information for VRRP
The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
| Table 1 | Feature Information for VRRP |
| Feature Name |
Releases |
Feature Information |
|---|---|---|
| SSO--VRRP |
12.2(50)SY |
VRRP is now SSO aware. VRRP can detect when a router is failing over to the secondary RP and continue in its current VRRP group state. This feature is enabled by default. The following commands were introduced or modified by this feature: debug vrrp ha, show vrrp.vrrp sso. |
| Virtual Router Redundancy Protocol |
12.2(50)SY |
VRRP enables a group of routers to form a single virtual router to provide redundancy. The LAN clients can then be configured with the virtual router as their default gateway. The virtual router, representing a group of routers, is also known as a VRRP group. The following commands were introduced by this feature: debug vrrp all, debug vrrp error, debug vrrp events, debug vrrp packets, debug vrrp state, show vrrp, show vrrp interface, vrrp authentication, vrrp description, vrrp ip, vrrp preempt, vrrp priority, vrrp timers advertise, vrrp timers learn. |
| VRRP Object Tracking |
12.2(50)SY |
The VRRP Object Tracking feature extends the capabilities of the VRRP to allow tracking of specific objects within the router that can alter the priority level of a virtual router for a VRRP group. The following commands were introduced or modified by this feature: show track, vrrp track. |
Glossary
virtual IP address owner --The VRRP router that owns the IP address of the virtual router. The owner is the router that has the virtual router address as its physical interface address.
virtual router --One or more VRRP routers that form a group. The virtual router acts as the default gateway router for LAN clients. Also known as a VRRP group.
virtual router backup --One or more VRRP routers that are available to assume the role of forwarding packets if the virtual router master fails.
virtual router master --The VRRP router that is currently responsible for forwarding packets sent to the IP addresses of the virtual router. Usually the virtual router master also functions as the IP address owner.
VRRP router --A router that is running VRRP.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.
Feedback