Virtual Router Redundancy Protocol (VRRP)

Why do we need Gateway Redundancy?

LAN users are configured with a default-gateway IP address, which is the IP of their local router. That router acts as a proxy and helps them communicate with remote/distant users. LAN users resolve the MAC address of the gateway router using the Proxy ARP method.

If the gateway router fails, the LAN users are affected. This means that specifying a default gateway for LAN users creates a single point of failure.

Instead of making the LAN users responsible for choosing a new gateway, router redundancy protocols enable two or more routers to support a shared MAC address. If the primary router fails, the backup router assumes control of traffic forwarded to that MAC.

Below are the protocols that provide Gateway redundancy to users:
  • HSRP (Hot Standby Router Protocol)
  • VRRP (Virtual Router Redundancy Protocol)
  • GLBP (Gateway Load Balancing Protocol)
Let us discuss how VRRP works:
  • VRRP is similar to HSRP but is an Open Standard protocol (RFC 2338) developed to provide redundancy to LAN Users.
  • Using VRRP, the gateway routers or multilayer switches (supported on Cisco 4500 and 6500 only) are configured to behave as a single virtual gateway to the LAN users.
  • VRRP works on top of IP (protocol No. 112), i.e. at the Transport layer.
  • VRRP gateways/routers/multilayer switches communicate among themselves using multicast IP 224.0.0.18 (reserved for VRRP).
  • VRRP provides one redundant gateway address from a group of gateway routers. The active router is called the Master router, while all others are in the Backup state. The Master router is the one with the highest router priority in the VRRP group. There is no third state in VRRP besides Master and Backup. All routers in a group other than the Master remain in the Backup state.
  • VRRP group numbers range from 0 to 255. Router priorities range from 1 to 254 (254 is the highest; 100 is the default).
  • The Virtual MAC address in VRRP is like 0000.5e00.01xx, where xx is group number in Hex.
  • The VRRP Hello/Advertisement interval is 1 sec (default).
  • Backup routers can optionally learn the advertisement interval from the master router.
  • Hold down interval is 3 x Advertisement (or Hello) interval plus Skew time. Formula to calculate Skew time is (256–priority) / 256. 
  • Preemption is enabled by default in VRRP. The router with the highest priority preempts to become master.
  • There is no mechanism for tracking interfaces in VRRP to allow more capable routers to take over the Master role.
  • However, VRRP can track IP SLA object groups.
Sample Lab and Commands:

R1 is Master (Priority 120),  R2 and R3 are Backup routers (Priority 110 and 100 respectively).

VRRP Tracking using IP SLA

Below is the configuration from Gateway Router R1. Interface F0/1 is tracked using the IP SLA and track commands.

Router(config)#ip sla 1
Router(config-ip-sla)#icmp-echo 10.10.17.7 source-ip 10.10.17.1
Router(config-ip-sla-echo)#frequency 5
Router(config)#ip sla schedule 1 life forever start-time now

Router(config)#track 10 rtr 1 reachability

Router(config-if)#vrrp 20 track 10 decrement 30

Router R1 logs showing the role change as Track 10 goes down and comes back up:

*Mar  1 00:31:00.891: %TRACKING-5-STATE: 10 rtr 1 reachability Up->Down
*Mar  1 00:31:21.683: %VRRP-6-STATECHANGE: Fa0/0 Grp 20 state Master -> Backup
*Mar  1 00:33:45.891: %TRACKING-5-STATE: 10 rtr 1 reachability Down->Up
*Mar  1 00:34:06.655: %VRRP-6-STATECHANGE: Fa0/0 Grp 20 state Backup -> Master

R1#show track 10
Track 10
  Response Time Reporter 1 reachability
  Reachability is Up
    5 changes, last change 00:02:09
  Latest operation return code: OK
  Latest RTT (millisecs) 104
  Tracked by:
    VRRP FastEthernet0/0 20


Outputs for VRRP related Commands:

R1#sh run int f0/0
interface FastEthernet0/0
 ip address 10.10.123.11 255.255.255.0
 vrrp 20 ip 10.10.123.1               >>> Group number 20, Virtual IP 10.10.123.1
 vrrp 20 preempt delay minimum 20     >>> Delays preemption by a minimum of 20 seconds
 vrrp 20 priority 120                 >>> Router with the highest priority becomes "Master"
 vrrp 20 authentication password      >>> Only authorized routers take part in the VRRP election
 vrrp 20 track 10 decrement 30        >>> VRRP tracking using IP SLA. Config shown above.
end


R1#sh vrrp
FastEthernet0/0 - Group 20
  State is Master
  Virtual IP address is 10.10.123.1
  Virtual MAC address is 0000.5e00.0114
  Advertisement interval is 1.000 sec
  Preemption enabled, delay min 20 secs
  Priority is 120
    Track object 10 state Up decrement 30
  Authentication text "password"
  Master Router is 10.10.123.11 (local), priority is 120
  Master Advertisement interval is 1.000 sec
  Master Down interval is 3.531 sec


R2#sh vrrp
FastEthernet0/0 - Group 20
  State is Backup
  Virtual IP address is 10.10.123.1
  Virtual MAC address is 0000.5e00.0114
  Advertisement interval is 1.000 sec
  Preemption enabled, delay min 20 secs
  Priority is 110
  Authentication text "password"
  Master Router is 10.10.123.11, priority is 120
  Master Advertisement interval is 1.000 sec
  Master Down interval is 3.570 sec (expires in 3.498 sec)

R3#sh vrrp
FastEthernet0/0 - Group 20
  State is Backup
  Virtual IP address is 10.10.123.1
  Virtual MAC address is 0000.5e00.0114
  Advertisement interval is 1.000 sec
  Preemption enabled, delay min 20 secs
  Priority is 100
  Authentication text "password"
  Master Router is 10.10.123.11, priority is 120
  Master Advertisement interval is 1.000 sec
  Master Down interval is 3.609 sec (expires in 2.957 sec)

R1#sh vrrp brief
Interface          Grp  Pri  Time  Own  Pre  State   Master addr     Group addr
Fa0/0              20   120  3531       Y    Master  10.10.123.11    10.10.123.1


Output from Host4. See the VRRP MAC address learned for the Virtual IP 10.10.123.1.

Host4#sh arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.10.123.1              0  0000.5e00.0114  ARPA   FastEthernet0/0
Internet  10.10.123.4              -  ca04.16b0.0000  ARPA   FastEthernet0/0


Output from Switch:

Switch#sh mac  vlan 1  | i 0000.5e00.0114                     >> VRRP Virtual MAC
0000.5e00.0114     Dynamic   1    FastEthernet1/2      >> Only R1 (Master) replies to ARP Queries.
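
The values in the outputs above can be reproduced and checked offline. The following Python sketch is an added example, not part of the original lab: it derives the virtual MAC and Master Down interval from the formulas in the bullet list, decodes a VRRPv2 advertisement (field layout as in RFC 2338), and flags advertisements that do not match the router inventory. The function names, the KNOWN_ROUTERS table and the sample packet are assumptions constructed for illustration.

```python
import socket
import struct

# Assumed inventory: source IP -> configured priority. Only R1's address is on the page.
KNOWN_ROUTERS = {"10.10.123.11": 120}

def inet_checksum(data: bytes) -> int:
    """16-bit one's-complement sum; returns 0 over a message whose checksum is valid."""
    data += b"\x00" * (len(data) % 2)
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def virtual_mac(vrid: int) -> str:
    return f"0000.5e00.01{vrid:02x}"  # xx = group number in hex

def master_down_interval(priority: int, adver_int: float = 1.0) -> float:
    return 3 * adver_int + (256 - priority) / 256  # 3 x hello + skew time

def build_advert(vrid, priority, vips, password, adver_int=1) -> bytes:
    """Constructed sample input: VRRPv2 advertisement using text authentication."""
    body = b"".join(socket.inet_aton(ip) for ip in vips)
    body += password.encode("ascii")[:8].ljust(8, b"\x00")
    head = struct.pack("!BBBBBB", 0x21, vrid, priority, len(vips), 1, adver_int)
    return head + struct.pack("!H", inet_checksum(head + b"\x00\x00" + body)) + body

def parse_advert(payload: bytes) -> dict:
    """Decode the IP protocol 112 payload (version 2, type 1 = advertisement)."""
    if len(payload) < 16 or payload[0] != 0x21 or len(payload) != 16 + 4 * payload[3]:
        raise ValueError("not a well-formed VRRPv2 advertisement")
    _, vrid, prio, count, auth_type, adver = struct.unpack("!6B", payload[:6])
    vips = [socket.inet_ntoa(payload[8 + 4 * i:12 + 4 * i]) for i in range(count)]
    auth = payload[-8:].rstrip(b"\x00").decode("ascii", "replace")
    return {"vrid": vrid, "priority": prio, "auth_type": auth_type, "adver_int": adver,
            "vips": vips, "auth_text": auth, "checksum_ok": inet_checksum(payload) == 0}

def audit(src_ip: str, payload: bytes, known=KNOWN_ROUTERS) -> list:
    """Return findings for one advertisement seen on 224.0.0.18."""
    adv, findings = parse_advert(payload), []
    if not adv["checksum_ok"]:
        findings.append("bad checksum")
    if src_ip not in known:
        findings.append("sender not in router inventory")
    elif adv["priority"] > known[src_ip]:
        findings.append("priority above configured value")
    if adv["auth_type"] == 1:
        findings.append("text authentication: password readable on the wire")
    return findings
```

A priority below the configured value is not flagged, because the track decrement lowers it during normal operation, as the R1 logs show.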


A Few More Commands:

Command to change the timers on the Master as it is the router that advertises hellos:

Router(config-if)# vrrp 20 timers advertise 5

Command to change the timers on the Backup routers because they hear the hellos from the Master:

Router(config-if)# vrrp 20 timers learn