This chapter describes how to configure the Virtual Router Redundancy Protocol (VRRP) on a switch.
VRRP allows for transparent failover at the first-hop IP router, by configuring a group of routers to share a virtual IP address. VRRP selects a master router in that group to handle all packets for the virtual IP address. The remaining routers are in standby and take over if the master router fails.
A LAN client can determine which router should be the first hop to a particular remote destination by using a dynamic process or static configuration. Examples of dynamic router discovery are as follows:
The disadvantage to dynamic discovery protocols is that they incur some configuration and processing overhead on the LAN client. Also, in the event of a router failure, the process of switching to another router can be slow.
An alternative to dynamic discovery protocols is to statically configure a default router on the client. Although this approach simplifies client configuration and processing, it creates a single point of failure. If the default gateway fails, the LAN client is limited to communicating only on the local IP network segment and is cut off from the rest of the network.
VRRP can solve the static configuration problem by enabling a group of routers (a VRRP group) to share a single virtual IP address. You can then configure the LAN clients with the virtual IP address as their default gateway.
Figure 19-1 shows a basic VLAN topology. In this example, Routers A, B, and C form a VRRP group. The IP address of the group is the same address that was configured for the Ethernet interface of Router A (10.0.0.1).
Figure 19-1 Basic VRRP Topology
Because the virtual IP address uses the IP address of the physical Ethernet interface of Router A, Router A is the master (also known as the IP address owner). As the master, Router A owns the virtual IP address of the VRRP group router and forwards packets sent to this IP address. Clients 1 through 3 are configured with the default gateway IP address of 10.0.0.1.
Routers B and C function as backups. If the master fails, the backup router with the highest priority becomes the master and takes over the virtual IP address to provide uninterrupted service for the LAN hosts. When Router A recovers, it becomes the master router again. For more information, see the “VRRP Router Priority and Preemption” section.
Note: Packets received on a routed port destined for the VRRP virtual IP address will terminate on the local router, regardless of whether that router is the master VRRP router or a backup VRRP router. This includes ping and telnet traffic. Packets received on a Layer 2 (VLAN) interface destined for the VRRP virtual IP address will terminate on the master router.
The benefits of VRRP are as follows:
You can configure up to 255 VRRP groups on a physical interface. The actual number of VRRP groups that a router interface can support depends on the following factors:
In a topology where multiple VRRP groups are configured on a router interface, the interface can act as a master for one VRRP group and as a backup for one or more other VRRP groups.
Figure 19-2 shows a LAN topology in which VRRP is configured so that Routers A and B share the traffic to and from clients 1 through 4. Routers A and B act as backups to each other if either router fails.
Figure 19-2 Load Sharing and Redundancy VRRP Topology
This topology contains two virtual IP addresses for two VRRP groups that overlap. For VRRP group 1, Router A is the owner of IP address 10.0.0.1 and is the master. Router B is the backup to router A. Clients 1 and 2 are configured with the default gateway IP address of 10.0.0.1.
For VRRP group 2, Router B is the owner of IP address 10.0.0.2 and is the master. Router A is the backup to router B. Clients 3 and 4 are configured with the default gateway IP address of 10.0.0.2.
An important aspect of the VRRP redundancy scheme is the VRRP router priority because the priority determines the role that each VRRP router plays and what happens if the master router fails.
If a VRRP router owns the virtual IP address and the IP address of the physical interface, this router functions as the master. The priority of the master is 255.
Priority also determines if a VRRP router functions as a backup router and the order of ascendancy to becoming a master if the master fails.
For example, if Router A, the master in a LAN topology, fails, VRRP must determine whether backup B or C should take over. If you configure Router B with priority 101 and Router C with the default priority of 100, VRRP selects Router B to become the master because it has the higher priority. If you configure Routers B and C with the default priority of 100, VRRP selects the backup with the higher IP address to become the master.
VRRP uses preemption to determine what happens after a VRRP backup router becomes the master. With preemption enabled by default, VRRP will switch to a backup if that backup comes online with a priority higher than the new master. For example, if Router A is the master and fails, VRRP selects Router B (next in order of priority). If Router C comes online with a higher priority than Router B, VRRP selects Router C as the new master, even though Router B has not failed.
If you disable preemption, VRRP will only switch if the original master recovers or the new master fails.
VRRP supports bidirectional forwarding detection (BFD). BFD is a detection protocol that provides fast forwarding-path failure detection times. BFD provides subsecond failure detection between two adjacent devices and can be less CPU-intensive than protocol hello messages because some of the BFD load can be distributed onto the data plane on supported modules. See the Cisco Nexus 5500 Series NX-OS Interfaces Configuration Guide, Release 6.0 for more information.
VRRP interoperates with virtual port channels (vPCs). vPCs allow links that are physically connected to two different Cisco Nexus 5500 switches to appear as a single port channel to a third switch. See the Cisco Nexus 5500 Series NX-OS Layer 2 Switching Configuration Guide, Release 6.0, for more information on vPCs.
A vPC forwards traffic through both the master VRRP router and the backup VRRP router. You can configure a threshold on the priority of the backup VRRP router to determine when traffic should fail over to the vPC trunk. See the “Configuring VRRP Priority” section.
Note: You should configure VRRP on the primary vPC peer switch as active and VRRP on the vPC secondary switch as standby.
The VRRP master sends VRRP advertisements to other VRRP routers in the same group. The advertisements communicate the priority and state of the master. Cisco NX-OS encapsulates the VRRP advertisements in IP packets and sends them to the IP multicast address assigned to the VRRP group. Cisco NX-OS sends the advertisements once every second by default, but you can configure a different advertisement interval.
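The following added example (not Cisco code) parses one advertisement of the kind described above and checks it against the group design an operator expects to see on the segment. It assumes the VRRPv2 packet layout of RFC 3768, in which the simple text authentication string configured later in this chapter travels unencrypted in the last 8 bytes of every advertisement; the sample packet, router addresses and password are constructed.

```python
import struct
from ipaddress import IPv4Address

AUTH_TYPES = {0: "none", 1: "simple-text", 2: "ip-auth-header"}

def parse_advert(payload: bytes) -> dict:
    """Parse a VRRPv2 advertisement (the payload of an IP protocol 112 packet)."""
    if len(payload) < 16:
        raise ValueError("truncated VRRP packet")
    ver_type, vrid, prio, count, auth, interval, _cksum = struct.unpack(
        "!BBBBBBH", payload[:8])          # checksum is not verified here
    if ver_type >> 4 != 2 or ver_type & 0x0F != 1:
        raise ValueError("not a VRRPv2 advertisement")
    end = 8 + 4 * count                   # virtual addresses follow the header
    if len(payload) < end + 8:
        raise ValueError("length does not match the address count")
    return {
        "group": vrid, "priority": prio, "interval": interval,
        "addresses": [str(IPv4Address(payload[i:i + 4])) for i in range(8, end, 4)],
        "auth": AUTH_TYPES.get(auth, f"unknown({auth})"),
        # 8 bytes, zero padded; for simple text this is the password itself
        "auth_data": payload[end:end + 8].rstrip(b"\x00"),
    }

def audit(src: str, advert: dict, expected: dict) -> list:
    """Return findings where an advertisement differs from the intended design."""
    findings = []
    if src not in expected["routers"]:
        findings.append(f"group {advert['group']}: unexpected sender {src}")
    if advert["addresses"] != expected["addresses"]:
        findings.append(f"group {advert['group']}: virtual address mismatch")
    if advert["auth"] != expected["auth"]:
        findings.append(f"group {advert['group']}: auth type {advert['auth']}")
    return findings

def sample(priority: int, auth: int, secret: bytes = b"") -> bytes:
    """Constructed advertisement: group 1, virtual address 10.0.0.1, 1 s interval."""
    return (struct.pack("!BBBBBBH", 0x21, 1, priority, 1, auth, 1, 0)
            + IPv4Address("10.0.0.1").packed + secret.ljust(8, b"\x00"))

# Assumed design for the Figure 19-1 group; the router addresses are placeholders.
EXPECTED = {"routers": {"10.0.0.1", "10.0.0.2", "10.0.0.3"},
            "addresses": ["10.0.0.1"], "auth": "simple-text"}

if __name__ == "__main__":
    advert = parse_advert(sample(255, 1, b"example"))
    print(advert)
    print(audit("10.0.0.1", advert, EXPECTED))
    print(audit("10.0.0.77", parse_advert(sample(254, 0)), EXPECTED))
```

Because the authentication string is readable by any host that receives the multicast, it guards against accidental misconfiguration rather than against a device on the same LAN segment, which is why the sender and virtual address checks matter.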
VRRP supports the following two options for tracking:
If the tracked state (interface or object) goes down, VRRP updates the priority based on what you configure the new priority to be for the tracked state. When the tracked state comes up, VRRP restores the original priority for the virtual router group.
For example, you may want to lower the priority of a VRRP group member if its uplink to the network goes down so another group member can take over as master for the VRRP group. See the “Configuring VRRP Interface State Tracking” section for more information.
Note: VRRP does not support Layer 2 interface tracking.
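The priority, preemption and tracking rules described in the sections above interact, so the following added example (a simplified model, not Cisco code and not the protocol state machine) runs them through one constructed failure sequence. The addresses and priorities of Routers B and C, the tracking priority of 50 and the single group-wide preempt flag are assumptions.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional

OWNER_PRIORITY = 255  # router whose interface address is the virtual IP address

@dataclass
class Router:
    name: str
    ip: IPv4Address
    configured: int = 100                    # default backup priority
    up: bool = True
    tracked_up: bool = True                  # state of the tracked interface/object
    tracking_priority: Optional[int] = None  # priority while the tracked state is down

    @property
    def priority(self) -> int:
        if not self.tracked_up and self.tracking_priority is not None:
            return self.tracking_priority
        return self.configured

def elect(routers, current=None, preempt=True):
    """Simplified model of the group: return the master after it settles."""
    alive = [r for r in routers if r.up]
    if not alive:
        return None
    # Highest priority wins; equal priorities go to the higher IP address.
    best = max(alive, key=lambda r: (r.priority, int(r.ip)))
    if current is None or not current.up:
        return best                          # no master: plain election
    if best.priority == OWNER_PRIORITY:
        return best                          # recovered address owner takes over again
    if preempt and best.priority > current.priority:
        return best                          # higher-priority backup preempts
    return current

def scenario():
    """Constructed run: Figure 19-1 roles; B and C addresses and priorities are made up."""
    a = Router("A", IPv4Address("10.0.0.1"), OWNER_PRIORITY)
    b = Router("B", IPv4Address("10.0.0.2"), 101, tracking_priority=50)
    c = Router("C", IPv4Address("10.0.0.3"))
    group = [a, b, c]
    log = [elect(group).name]                               # A owns the address
    a.up = False
    master = elect(group, a); log.append(master.name)       # B: 101 beats 100
    b.tracked_up = False                                    # B loses its tracked uplink
    log.append(elect(group, master, preempt=False).name)    # B stays without preemption
    master = elect(group, master); log.append(master.name)  # C: 100 beats 50
    a.up = True
    log.append(elect(group, master, preempt=False).name)    # A returns as master
    return log
```

The third step shows why interface state tracking depends on preemption: with preemption disabled, lowering the master's priority changes nothing while the master stays up.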
VRRP supports Virtual Routing and Forwarding instances (VRFs). By default, Cisco NX-OS places you in the default VRF unless you specifically configure another VRF.
If you change the VRF membership of an interface, Cisco NX-OS removes all Layer 3 configuration, including VRRP.
For more information, see Chapter 12, “Configuring Layer 3 Virtualization.”
The following table shows the licensing requirements for this feature:
VRRP has the following configuration guidelines and limitations:
Table 19-1 lists the default settings for VRRP parameters.
Note: If you are familiar with the Cisco IOS CLI, be aware that the Cisco NX-OS commands for this feature might differ from the Cisco IOS commands that you would use.
You must globally enable the VRRP feature before you can configure and enable any VRRP groups.
To enable the VRRP feature, use the following command in global configuration mode:
To disable the VRRP feature and remove all associated configuration, use the following command in global configuration mode:
You can create a VRRP group, assign the virtual IP address, and enable the group.
You can configure one virtual IPv4 address for a VRRP group. By default, the master VRRP router drops the packets addressed directly to the virtual IP address because the VRRP master is only intended as a next-hop router to forward packets. Some applications require that Cisco NX-OS accept packets addressed to the virtual router IP. Use the secondary option to the virtual IP address to accept these packets when the local router is the VRRP master.
Once you have configured the VRRP group, you must explicitly enable the group before it becomes active.
Ensure that you configure an IP address on the interface (see the “Configuring IPv4 Addressing” section).
2. interface interface-type slot/port
The valid priority range for a virtual router is from 1 to 254 (1 is the lowest priority and 254 is the highest). The default priority value for backups is 100. For switches whose interface IP address is the same as the primary virtual IP address (the master), the default value is 255.
If you configure VRRP on a vPC-enabled interface, you can optionally configure the upper and lower threshold values to control when to fail over to the vPC trunk. If the backup router priority falls below the lower threshold, VRRP sends all backup router traffic across the vPC trunk to forward through the master VRRP router. VRRP maintains this scenario until the backup VRRP router priority increases above the upper threshold.
Ensure that you have enabled the VRRP feature (see the “Configuring VRRP” section).
Ensure that you have configured an IP address on the interface (see the “Configuring IPv4 Addressing” section).
2. interface interface-type slot/port
6. priority level [ forwarding-threshold lower lower-value upper upper-value ]
You can configure simple text authentication for a VRRP group.
Ensure that the authentication configuration is identical for all VRRP switches in the network.
Ensure that you have enabled the VRRP feature (see the “Configuring VRRP” section).
Ensure that you have configured an IP address on the interface (see the “Configuring IPv4 Addressing” section).
2. interface interface-type slot/port
You can configure the time intervals for advertisement packets.
Ensure that you have enabled the VRRP feature (see the “Configuring VRRP” section).
Ensure that you have configured an IP address on the interface (see the “Configuring IPv4 Addressing” section).
2. interface interface-type slot/port
You can disable preemption for a VRRP group member. If you disable preemption, a higher-priority backup router will not take over for a lower-priority master router. Preemption is enabled by default.
Ensure that you have enabled the VRRP feature (see the “Configuring VRRP” section).
Ensure that you have configured an IP address on the interface (see the “Configuring IPv4 Addressing” section).
Interface state tracking changes the priority of the virtual router based on the state of another interface in the switch. When the tracked interface goes down or the IP address is removed, Cisco NX-OS assigns the tracking priority value to the virtual router. When the tracked interface comes up and an IP address is configured on this interface, Cisco NX-OS restores the configured priority to the virtual router (see the “Configuring VRRP Priority” section).
Note: For interface state tracking to function, you must enable preemption on the interface.
Note: VRRP does not support Layer 2 interface tracking.
Ensure that you have enabled the VRRP feature (see the “Configuring VRRP” section).
Ensure that you have configured an IP address on the interface (see the “Configuring IPv4 Addressing” section).
Ensure that you have enabled the virtual router (see the “Configuring VRRP Groups” section).
2. interface interface-type slot/port
To display the VRRP configuration information, perform one of the following tasks:
show vrrp vr number interface interface-type port configuration
To display VRRP statistics, use the following commands:
show vrrp vr number interface interface-type port statistics
Use the clear vrrp vr command to clear the IPv4 VRRP statistics for a specified interface.
In this example, Router A and Router B each belong to three VRRP groups. In the configuration, each group has the following properties:
– Virtual IP address is 10.1.0.10.
– Router A will become the master for this group with priority 120.
– Advertising interval is 3 seconds.
– Router B will become the master for this group with priority 200.
– Advertising interval is 30 seconds.
– Router A will become the master for this group first because it has a higher IP address (10.1.0.2).
– Advertising interval is the default 1 second.
For additional information related to implementing VRRP, see the following sections:
Cisco Nexus 5000 Series Command Reference, Cisco NX-OS Releases 4.x, 5.x