First Hop Redundancy Protocols Configuration Guide, Cisco IOS XE 17 (Cisco ASR 900 Series)
Bias-Free Language
The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
The Virtual Router Redundancy Protocol (VRRP) is an election protocol that dynamically assigns responsibility for one or
more virtual routers to the VRRP routers on a LAN, allowing several routers on a multiaccess link to utilize the same virtual
IP address. A VRRP router is configured to run the VRRP protocol in conjunction with one or more other routers attached to
a LAN. In a VRRP configuration, one router is elected as the virtual primary router, with the other routers acting as backups
in case the virtual primary router fails.
This module explains the concepts related to VRRP and describes how to configure VRRP in a network.
Restrictions for VRRP
VRRP is designed for use over multiaccess, multicast, or broadcast capable Ethernet LANs. VRRP is not intended as a replacement
for existing dynamic protocols.
VRRP is supported on Ethernet, Fast Ethernet, Bridge Group Virtual Interface (BVI), and Gigabit Ethernet interfaces, and
on Multiprotocol Label Switching (MPLS) Virtual Private Networks (VPNs), VRF-aware MPLS VPNs, and VLANs.
Because of the forwarding delay that is associated with the initialization of a BVI interface, you must configure the VRRP
advertise timer to a value equal to or greater than the forwarding delay on the BVI interface. This setting prevents a VRRP
router on a recently initialized BVI interface from unconditionally taking over the primary role. Use the bridgeforward-time command to set the forwarding delay on the BVI interface. Use the vrrptimersadvertise command to set the VRRP advertisement timer.
Restrictions for VRRPv2 on Cisco RSP3 Module
Sub second timer (msec) is not supported for VRRPv2.
Bidirectional Forwarding Detection (BFD) is not supported for VRRPv2.
SSO and ISSU are not supported for VRRPv2.
Maximum of 8 Active FHRP groups are supported on RSP3 Module.
Maximum of 4 FHRP groups are supported per L3 interface(BDI-logical or Gig-physical) on RSP3 Module.
Information About VRRP
VRRP MAC Address
ASIC will be able to receive packets with the IPV4 Virtual MAC address
VRRP is supported on this MAC address: 00:00:5E:00:xx
VRRP Operation
There are several ways a LAN client can determine which router should be the first hop to a particular remote destination.
The client can use a dynamic process or static configuration. Examples of dynamic router discovery are as follows:
Proxy ARP—The client uses Address Resolution Protocol (ARP) to get the destination it wants to reach, and a router will respond
to the ARP request with its own MAC address.
Routing protocol—The client listens to dynamic routing protocol updates (for example, from Routing Information Protocol [RIP])
and forms its own routing table.
ICMP Router Discovery Protocol (IRDP) client—The client runs an Internet Control Message Protocol (ICMP) router discovery
client.
The drawback to dynamic discovery protocols is that they incur some configuration and processing overhead on the LAN client.
Also, in the event of a router failure, the process of switching to another router can be slow.
An alternative to dynamic discovery protocols is to statically configure a default router on the client. This approach simplifies
client configuration and processing, but creates a single point of failure. If the default gateway fails, the LAN client is
limited to communicating only on the local IP network segment and is cut off from the rest of the network.
VRRP can solve the static configuration problem. VRRP enables a group of routers to form a single
virtualrouter. The LAN clients can then be configured with the virtual router as their default gateway. The virtual router, representing
a group of routers, is also known as a VRRP group.
VRRP is supported on Ethernet, Fast Ethernet, BVI, and Gigabit Ethernet interfaces, and on MPLS VPNs, VRF-aware MPLS VPNs,
and VLANs.
The figure below shows a LAN topology in which VRRP is configured. In this example, Routers A, B, and C are VRRP routers
(routers running VRRP) that comprise a virtual router. The IP address of the virtual router is the same as that configured
for the Ethernet interface of Router A (10.0.0.1).
Because the virtual router uses the IP address of the physical Ethernet interface of Router A, Router A assumes the role
of the virtual router master and is also known as the IP address owner. As the virtual router master, Router A controls the
IP address of the virtual router and is responsible for forwarding packets sent to this IP address. Clients 1 through 3 are
configured with the default gateway IP address of 10.0.0.1.
Routers B and C function as virtual router backups. If the virtual router master fails, the router configured with the higher
priority will become the virtual router master and provide uninterrupted service for the LAN hosts. When Router A recovers,
it becomes the virtual router master again. For more detail on the roles that VRRP routers play and what happens if the virtual
router master fails, see the
VRRP Router Priority and Preemption
section.
The figure below shows a LAN topology in which VRRP is configured so that Routers A and B share the traffic to and from clients
1 through 4 and that Routers A and B act as virtual router backups to each other if either router fails.
In this topology, two virtual routers are configured. (For more information, see the
Multiple Virtual Router Support
section.) For virtual router 1, Router A is the owner of IP address 10.0.0.1 and virtual router master, and Router B is the
virtual router backup to Router A. Clients 1 and 2 are configured with the default gateway IP address of 10.0.0.1.
For virtual router 2, Router B is the owner of IP address 10.0.0.2 and virtual router master, and Router A is the virtual
router backup to Router B. Clients 3 and 4 are configured with the default gateway IP address of 10.0.0.2.
VRRP Benefits
Redundancy
VRRP enables you to
configure multiple routers as the default gateway router, which reduces the
possibility of a single point of failure in a network.
Load Sharing
You can configure
VRRP in such a way that traffic to and from LAN clients can be shared by
multiple routers, thereby sharing the traffic load more equitably among
available routers.
Multiple Virtual
Routers
VRRP supports up to 255 virtual routers (VRRP
groups) on a router and up to four virtual routers on every interface, subject
to the platform supporting multiple MAC addresses. Multiple virtual router
support enables you to implement redundancy and load sharing in your LAN
topology.
Multiple IP Addresses
The virtual router
can manage multiple IP addresses, including secondary IP addresses. Therefore,
if you have multiple subnets configured on an Ethernet interface, you can
configure VRRP on each subnet.
Preemption
The redundancy scheme of VRRP enables you to preempt a virtual router backup that has taken over for a failing virtual primary
router with a higher priority virtual router backup that has become available.
Authentication
VRRP message digest
5 (MD5) algorithm authentication protects against VRRP-spoofing software and
uses the industry-standard MD5 algorithm for improved reliability and security.
Advertisement
Protocol
VRRP uses a
dedicated Internet Assigned Numbers Authority (IANA) standard multicast address
(224.0.0.18) for VRRP advertisements. This addressing scheme minimizes the
number of routers that must service the multicasts and allows test equipment to
accurately identify VRRP packets on a segment. The IANA assigned VRRP the IP
protocol number 112.
VRRP Object Tracking
VRRP object tracking provides a way to ensure the best VRRP router is the virtual primary router for the group by altering
VRRP priorities to the status of tracked objects such as the interface or IP route states.
Multiple Virtual Router
Support
You can configure up to 255 virtual routers on a
router and up to four virtual routers on every interface. The actual number of
virtual routers that a router can support depends on the following factors:
Router processing
capability
Router memory
capability
Router interface
support of multiple MAC addresses
In a topology where multiple virtual routers are configured on a router interface, the interface can act as primary for one
virtual router and as a backup for one or more virtual routers.
VRRP Router Priority and Preemption
An important aspect of the VRRP redundancy scheme is VRRP router priority. Priority determines the role that each VRRP router
plays and what happens if the virtual primary router fails.
If a VRRP router owns the IP address of the virtual router and the IP address of the physical interface, this router will
function as a virtual primary router.
Priority also determines if a VRRP router functions as a virtual router backup and the order of ascendancy to becoming virtual
primary router if the virtual primary router fails. You can configure the priority of each virtual router backup with a value
of 1 through 254 using the vrrppriority command.
For example, if Router A, the virtual primary router in a LAN topology, fails, an election process takes place to determine
if virtual router backups B or C should take over. If Routers B and C are configured with the priorities of 101 and 100, respectively,
Router B is elected to become virtual primary router because it has the higher priority. If Routers B and C are both configured
with the priority of 100, the virtual router backup with the higher IP address is elected to become the virtual primary router.
By default, a preemptive scheme is enabled whereby a higher priority virtual router backup that becomes available takes over
for the virtual router backup that was elected to become virtual primary router. You can disable this preemptive scheme using
the novrrppreempt command. If preemption is disabled, the virtual router backup that is elected to become virtual primary router remains as
the primary until the original virtual primary router recovers and becomes the primary again.
VRRP Advertisements
The virtual primary router sends VRRP advertisements to other VRRP routers in the same group. The advertisements communicate
the priority and state of the virtual primary router. The VRRP advertisements are encapsulated in IP packets and sent to the
IP Version 4 multicast address assigned to the VRRP group. The advertisements are sent every second by default; the interval
is configurable.
Although the VRRP protocol as per RFC 3768 does not support millisecond timers, Cisco routers allow you to configure millisecond
timers. You need to manually configure the millisecond timer values on both the primary and the backup routers. The primary
advertisement value displayed in the showvrrp command output on the backup routers is always 1 second because the packets on the backup routers do not accept millisecond
values.
You must use
millisecond timers where absolutely necessary and with careful consideration
and testing. Millisecond values work only under favorable circumstances, and
you must be aware that the use of the millisecond timer values restricts VRRP
operation to Cisco devices only.
Note
Millisecond timer
value is not supported for VRRPv2 on RSP3 Module.
In Service Software
Upgrade--VRRP
Note
This section is not supported for VRRPv2 on ASR 900 RSP3 Module.
VRRP supports In
Service Software Upgrade (ISSU). In Service Software Upgrade (ISSU) allows a
high-availability (HA) system to run in stateful switchover (SSO) mode even
when different versions of
software are
running on the active and standby Route Processors (RPs) or line cards.
ISSU provides the
ability to upgrade or downgrade from one supported
release to
another while continuing to forward packets and maintain sessions, thereby
reducing planned outage time. The ability to upgrade or downgrade is achieved
by running different software versions on the active RP and standby RP for a
short period of time to maintain state information between RPs. This feature
allows the system to switch over to a secondary RP running upgraded (or
downgraded) software and continue forwarding packets without session loss and
with minimal or no packet loss. This feature is enabled by default.
For detailed
information about ISSU, see the In Service
Software Upgrade Process document in the
High
Availability Configuration Guide.
How to Configure VRRP
Customizing
VRRP
Customizing the behavior of VRRP is optional. Be aware that as soon as you enable a VRRP group, that group is operating.
It is possible that if you first enable a VRRP group before customizing VRRP, the router could take over control of the group
and become the virtual primary router before you have finished customizing the feature. Therefore, if you plan to customize
VRRP, it is a good idea to do so before enabling VRRP.
Procedure
Step 1
enable
Example:
Router> enable
Enables privileged EXEC mode.
Enter your password if prompted.
Step 2
configureterminal
Example:
Router# configure terminal
Enters global configuration mode.
Step 3
interfacetypenumber
Example:
Router(config)#GigabitEthernet 0/0/0
Enters interface configuration mode.
Step 4
ipaddressip-addressmask
Example:
Router(config-if)# ip address 172.16.6.5 255.255.255.0
Configures the router to take over as virtual primary router for a VRRP group if it has a higher priority than the current
virtual primary router.
The default delay period is 0 seconds.
The router that is IP address owner will preempt, regardless of the setting of this command.
Step 8
vrrpgrouptimersadvertise [sec] interval
Example:
Router(config-if)# vrrp 10 timers advertise 110
Configures the interval between successive advertisements by the virtual primary router in a VRRP group.
The unit of the interval is in seconds unless the sec keyword is specified. The default interval value is 1 second.
Note
All routers in a VRRP group must use the same timer values. If the same timer values are not set, the routers in the VRRP
group will not communicate with each other and any misconfigured router will change its state to primary.
Step 9
vrrpgrouptimerslearn
Example:
Router(config-if)# vrrp 10 timers learn
Configures the router, when it is acting as virtual router backup for a VRRP group, to learn the advertisement interval used
by the virtual primary router.
Step 10
exit
Example:
Router(config-if)# exit
Exits interface configuration mode.
Step 11
novrrpsso
Example:
Router(config)# no vrrp sso
(Optional) Disables VRRP support of SSO.
VRRP support of SSO is enabled by default.
EnablingVerifying VRRP
Procedure
Step 1
enable
Example:
Router> enable
Enables privileged EXEC mode.
Enter your password if prompted.
Step 2
configureterminal
Example:
Router# configure terminal
Enters global configuration mode.
Step 3
interfacetypenumber
Example:
Router(config)# interfaceGigabitEthernet 0/0/0
Enters interface configuration mode.
Step 4
ipaddressip-addressmask
Example:
Router(config-if)# ip address 172.16.6.5 255.255.255.0
Configures an IP address for an interface.
Step 5
vrrpgroupipip-address [secondary]
Example:
Router(config-if)# vrrp 10 ip 172.16.6.1
Enables VRRP on an interface.
After you identify a primary IP address, you can use the vrrpip command again with the secondary keyword to indicate additional IP addresses supported by this group.
Note
All routers in the VRRP group must be configured with the same primary address and a matching list of secondary addresses
for the virtual router. If different primary or secondary addresses are configured, the routers in the VRRP group will not
communicate with each other and any misconfigured router will change its state to primary.
Step 6
showvrrp [briefall] | interface]
Example:
Router(config-if)#show vrrp brief
Interface Grp Pri Time Own Pre State Master addr Group addr
BD10 1 100 9609 Y Backup 10.1.0.2 10.1.0.10
BD10 5 200 90218 Y Master 10.1.0.1 10.1.0.50
BD10 100 100 3609 Backup 10.1.0.2 10.1.0.100
(Optional) Displays a brief or detailed status of one or all VRRP groups on the router.
Step 7
showvrrpinterfacetypenumber [brief]
Example:
Router(config)# interfaceGigabitEthernet 0/0/0
Router)config-if)#show vrrp interface bdi10
BDI10 - Group 10
G1
State is Master
Virtual IP address is 10.0.0.5
Virtual MAC address is 0000.5e00.010a
Advertisement interval is 10.000 sec
Preemption enabled, delay min 380 secs
Priority is 110
Master Router is 10.0.0.2 (local), priority is 110
Master Advertisement interval is 10.000 sec
Master Down interval is 30.570 sec
FLAGS: 1/1
(Optional) Displays the VRRP groups and their status on a specified interface.
Step 8
end
Example:
Router(config-if)# end
Returns to privileged EXEC mode.
Disabling a VRRP Group on an Interface
Disabling a VRRP group on an interface allows the protocol to be disabled, but the configuration to be retained. This ability
was added with the introduction of the VRRP MIB, RFC 2787, Definitions of Managed Objects for the Virtual Router Redundancy Protocol .
You can use a Simple Network Management Protocol (SNMP) management tool to enable or disable VRRP on an interface. Because
of the SNMP management capability, the vrrpshutdown command was introduced to represent a method via the command line interface (CLI) for VRRP to show the state that had been
configured using SNMP.
When the showrunning-config command is entered, you can see immediately if the VRRP group has been configured and set to enabled or disabled. This is
the same functionality that is enabled within the MIB.
The no form of the command enables the same operation that is performed within the MIB. If the vrrpshutdown command is specified using the SNMP interface, then entering the novrrpshutdown command reenables the VRRP group.
Procedure
Step 1
enable
Example:
Router> enable
Enables privileged EXEC mode.
Enter your password if prompted.
Step 2
configureterminal
Example:
Router# configure terminal
Enters global configuration mode.
Step 3
interfacetypenumber
Example:
Router(config)# interfaceGigabitEthernet 0/0/0
Enters interface configuration mode.
Step 4
ipaddressip-addressmask
Example:
Router(config-if)# ip address 172.16.6.5 255.255.255.0
Configures an IP address for an interface.
Step 5
vrrpgroupshutdown
Example:
Router(config-if)# vrrp 10 shutdown
Disables the VRRP group on an interface.
The command is now visible on the router.
Note
You can have one VRRP group disabled, while retaining its configuration, and a different VRRP group enabled.
Configuring VRRP Text Authentication
Before you begin
Interoperability with vendors that may have implemented the RFC 2338 method is not enabled.
Text authentication cannot be combined with MD5 authentication for a VRRP group at any one time. When MD5 authentication
is configured, the text authentication field in VRRP hello messages is set to all zeros on transmit and ignored on receipt,
provided the receiving router also has MD5 authentication enabled.
Configures an interface type and enters interface configuration mode.
Step 4
ipaddressip-addressmask [secondary]
Example:
Router(config-if)# ip address 10.0.0.1 255.255.255.0
Specifies a primary or secondary IP address for an interface.
Step 5
vrrpgroupauthenticationtexttext-string
Example:
Router(config-if)# vrrp 1 authentication text textstring1
Authenticates VRRP packets received from other routers in the group.
If you configure authentication, all routers within the VRRP group must use the same authentication string.
The default string is cisco.
Note
All routers within the VRRP group must be configured with the same authentication string. If the same authentication string
is not configured, the routers in the VRRP group will not communicate with each other and any misconfigured router will change
its state to primary.
Step 6
vrrpgroupipip-address
Example:
Router(config-if)# vrrp 1 ip 10.0.1.20
Enables VRRP on an interface and identifies the IP address of the virtual router.
Step 7
Repeat Steps 1 through 6 on each router that will communicate.
—
Step 8
end
Example:
Router(config-if)# end
Returns to privileged EXEC mode.
Enabling the Router to Send SNMP VRRP Notifications
The VRRP MIB supports SNMP Get operations, which allow network devices to get reports about VRRP groups in a network from
the network management station.
Enabling VRRP MIB trap support is performed through the CLI, and the MIB is used for getting the reports. A trap notifies
the network management station when a router becomes a Master or backup router. When an entry is configured from the CLI,
the RowStatus for that group in the MIB immediately goes to the active state.
Procedure
Step 1
enable
Example:
Router> enable
Enables privileged EXEC mode.
Enter your password if prompted.
Step 2
configureterminal
Example:
Router# configure terminal
Enters global configuration mode.
Step 3
snmp-serverenabletrapsvrrp
Example:
Router(config)#
snmp-server enable traps vrrp
Enables the router to send SNMP VRRP notifications (traps and informs).
Step 4
snmp-serverhosthostcommunity-stringvrrp
Example:
Router(config)#
snmp-server host myhost.comp.com public vrrp
Specifies the recipient of an SNMP notification operation.
Configuring VRRP v3 for IPV4
Fhrp version vrrp v3
Int bdi< >
Vrrp 1 address-family ipv4
Priority 190
Preempt delay minimum 10
Address <ipv4-address> primary
Configuration Examples for VRRPv2
Example: Configuring VRRP
In the following example, Router A and Router B each belong to three VRRP groups.
In the configuration, each group has the following properties:
Group 1:
Virtual IP address is 10.1.0.10.
Router A will become the primary for this group with priority 120.
Advertising interval is 3 seconds.
Preemption is enabled.
Group 5:
Router B will become the primary for this group with priority 200.
Advertising interval is 30 seconds.
Preemption is enabled.
Group 100:
Router A will become the primary for this group first because it has a higher IP address (10.1.0.2).
The following example shows how to configure VRRP text authentication using a text string:
Router(config)#GigabitEthernet 0/0/0interface GigabitEthernet 0/0/0
Router(config)# ip address 10.21.8.32 255.255.255.0
Router(config-if)# vrrp 10 authentication text stringxyz
Router(config-if)# vrrp 10 ip 10.21.8.10
Example: Disabling a VRRP Group on an Interface
The following example shows how to disable one VRRP group on GigabitEthernet interface 0/0/0 while retaining VRRP for group 2 on the on GigabitEthernet interface 1/0/0:
Router(config)#GigabitEthernet 0/0/0interface GigabitEthernet 0/0/0
Router(config-if)# ip address 10.24.1.1 255.255.255.0
Router(config-if)# vrrp 1 ip 10.24.1.254
Router(config-if)# vrrp 1 shutdown
Router(config-if)# exit
Router(config)# GigabitEthernet 0/0/0interface GigabitEthernet 1/0/0
Router(config-if)# ip address 10.168.42.1 255.255.255.0
Router(config-if)# vrrp 2 ip 10.168.42.254
The following example shows how to configure VRRP BFD peer.
Router#config terminal
/* Enter configuration commands, one per line. End with CNTL/Z. */
Router(config)#int bdi 101
Router(config-if)#ip add 99.97.5.2 255.255.255.0
Router(config-if)#bfd template 100ms
Router(config-if)#vrrp 105 address-family ipv4
Router(config-if-vrrp)#address 99.97.5.200 primary
Router(config-if-vrrp)#priority 200
Router(config-if-vrrp)#bfd ?
peer BFD peer configuration
Router(config-if-vrrp)#bfd peer ?
A.B.C.D IP address
Router(config-if-vrrp)#bfd peer 99.97.5.1
Router(config-if-vrrp)#end
Verifying VRRP BFD Peer
To verify the BFD peering information, use the following command in EXEC mode. Also, you can use the show vrrp neighbor command to list the number of sessions per neighbor basis.
Router#show vrrp bfd
Interface Grp A-F Handle Reference Peer address State
BD51 103 IPv4 1 1 99.97.3.1 UP
BD76 104 IPv4 2 1 99.97.4.1 UP
BD101 105 IPv4 3 1 99.97.5.1 UP
BD126 106 IPv4 4 1 99.97.6.1 UP
Router#show vrrp bfd bdi101
Interface Grp A-F Handle Reference Peer address State
BD101 105 IPv4 3 1 99.97.5.1 UP
Example: Configuring VRRP IPv6 Link Local Groups
The following example shows how to configure VRRP IPv6 link local groups.
To verify the IPv6 link local group information, use the following command in EXEC mode:
Router#show vrrp brief
Interface Grp A-F Pri Time Own Pre State Master addr/Group addr
BD2 1 IPv6 200 0 N Y MASTER FE80::3(local) FE80::100
Router#show vrrp bfd
Interface Grp A-F Handle Reference Peer address State
BD2 1 IPv6 2 1 FE80::4 UP
Example: Configuring VRRP for Global IPv6 Groups
The following example shows how to configure VRRP for global IPv6 groups.
To verify the global IPv6 information, use the following command in EXEC mode:
Router#show vrrp brief
Interface Grp A-F Pri Time Own Pre State Master addr/Group addr
BD3 1 IPv6 100 0 N Y MASTER FE80::1:2(local) FE80::1:100
Router#show vrrp bfd
Interface Grp A-F Handle Reference Peer address State
BD3 1IPv6 4 1 27::3 UP