VRRP (Virtual Router Redundancy Protocol)

VRRP (Virtual Router Redundancy Protocol) is very similar to HSRP (Hot Standby Routing Protocol) and can be used to create a virtual gateway. If you don’t know why we use virtual gateways then I suggest to read my Introduction to virtual gateways first. Also make sure you check the HSRP lesson first since many of the things I describe there also apply to VRRP.

VRRP is very similar to HSRP; if you understood HSRP you’ll have no trouble with VRRP which is a standard protocol defined by the IETF in RFC 3768. Configuration-wise it’s pretty much the same but there are a couple of differences.

Let’s start with an overview:

  HSRP VRRP
Protocol Cisco proprietary IETF – RFC 3768
Number of groups 16 groups maximum 255 groups maximum
Active/Standby 1 active, 1 standby and multiple candidates. 1 active and several backups.
Virtual IP Address Different from real IP addresses on interfaces Can be the same as the real IP address on an interface.
Multicast address 224.0.0.2 224.0.0.18
Tracking Interfaces or Objects Objects
Timers Hello timer 3 seconds, hold time 10 seconds. Hello timer 1 second, hold time 3 seconds.
Authentication Supported Not supported in RFC 3768

As you can see there are a number of differences between HSRP and VRRP. Nothing too fancy however. HSRP is a cisco proprietary protocol so you can only use it between Cisco devices.

Let’s see if we can configure it…

Configuration

This is the topology that I will use:

virtual gateway example topology

SW1 and SW2 are multilayer switches and their interfaces are configured as routed ports. We will create a virtual gateway using VRRP on the interfaces facing SW3:

SW1(config)#interface fa0/17
SW1(config-if)#vrrp 1 ip 192.168.1.3
SW1(config-if)#vrrp 1 priority 150
SW1(config-if)#vrrp 1 authentication md5 key-string mykey
SW2(config-if)#interface fa0/19
SW2(config-if)#vrrp 1 ip 192.168.1.3
SW2(config-if)#vrrp 1 authentication md5 key-string mykey

Here’s an example how to configure VRRP. You can see the commands are pretty much the same but I didn’t type “standby” but vrrp. I have changed the priority on SW1 to 150 and I’ve enabled MD5 authentication on both switches.

SW1#
%VRRP-6-STATECHANGE: Fa0/17 Grp 1 state Init -> Backup
%VRRP-6-STATECHANGE: Fa0/17 Grp 1 state Backup -> Master
SW2#
%VRRP-6-STATECHANGE: Fa0/19 Grp 1 state Init -> Backup 
%VRRP-6-STATECHANGE: Fa0/19 Grp 1 state Backup -> Master 
%VRRP-6-STATECHANGE: Fa0/19 Grp 1 state Master -> Backup

You will see these messages pop-up in your console. VRRP uses different terminology than HSRP. SW1 has the best priority and will become the master router. SW2 will become a backup router. Let’s see what else we have:

SW1#show vrrp 
FastEthernet0/17 - Group 1  
  State is Master  
  Virtual IP address is 192.168.1.3
    Secondary Virtual IP address is 192.168.1.4
  Virtual MAC address is 0000.5e00.0101
  Advertisement interval is 1.000 sec
  Preemption enabled
  Priority is 150 
  Authentication MD5, key-string "mykey"
  Master Router is 192.168.1.1 (local), priority is 150 
  Master Advertisement interval is 1.000 sec
  Master Down interval is 3.414 sec
SW2#show vrrp 
FastEthernet0/19 - Group 1  
  State is Backup  
  Virtual IP address is 192.168.1.3
  Virtual MAC address is 0000.5e00.0101
  Advertisement interval is 1.000 sec
  Preemption enabled
  Priority is 100 
  Authentication MD5, key-string "mykey"
  Master Router is 192.168.1.1, priority is 150 
  Master Advertisement interval is 1.000 sec
  Master Down interval is 3.609 sec (expires in 3.065 sec)

Use show vrrp to verify your configuration. The output looks similar to HSRP; one of the differences is that VRRP uses another virtual MAC address:

We're Sorry, Full Content Access is for Members Only...

If you like to keep on reading, Become a Member Now! Here is why:

  • Learn any CCNA, CCNP and CCIE R&S Topic. Explained As Simple As Possible.
  • Full Access to our 660 Lessons. More Lessons Added Every Week!
  • Content created by Rene Molenaar (CCIE #41726)

503 Sign Ups in the last 30 days

satisfaction-guaranteed
100% Satisfaction Guaranteed!
You may cancel your monthly membership at any time.
No Questions Asked!

Tags:


Forum Replies

  1. hi Rene
    at the beginning of the lab, i wasn’t able to issue the following commands

    SwitchA(config)#interface fa0/17
    SwitchA(config-if)#standby 1 ip 192.168.1.3
    

    the thing is SwitchA does not have the option standby under interface, not unless i convert this interface as a layer 3 int with command “no switchport”, then it has the option, but when i try to type the following command

    standby 1 ip 192.168.1.3

    then it give me the error that overlaps with vlan 1, and this is because the layer 3 interface does not belong to any vlan, can you please advice.

    or should i

    ... Continue reading in our forum

  2. Hi Ramon,

    You can only use configure HSRP / VRRP / GLBP on “routed” (L3) interfaces, not on switchports (L2 interfaces).

    You have two options:

    1. Configure the standby commands on the VLAN interface, all switchports that are in the same VLAN will be able to reach the virtual IP address.

    or

    1. Make a switchport a “routed” interface by using “no switchport” and configure the standby commands on this interface. In this case only devices that are connected to this interface will be able to reach the virtual IP address.

    The reason you get the overlapping error is beca

    ... Continue reading in our forum

  3. Hi Srini,

    That’s right, by default HSRP disables ICMP redirects but since IOS 12.1(3)T you can enable it.

    ICMP redirects are used when a host uses a router as its default gateway while there is a better path. For example, let’s say we have a subnet with one host and two routers; R1 and R2.

    R2 has a default route to the Internet, R1 has a default route to R2. When the host uses R1 as its default gateway then R1 will send ICMP redirects to the host to tell it to use R2 instead.

    When you would redirect hosts away from your HSRP routers then there’s no point using

    ... Continue reading in our forum

  4. Rene,
    Hi. Couple questions/validations when you have time.

    1. I know it is best practice to have the HSRP hold timer be at least 3x’s the hello, but I did some lab testing and it appeared to work ok for instance with the hold time 2x’s the hello. Is this expected - is the idea just to have the hold time be large enough to not cause an unnecessary transition and that is what Cisco found to be best practice?
    2. What are the benefits of HSRP v2 over v1 - is it just the increased number of HSRP group numbers supported?
    3. If I have more than two routers that are part of th
    ... Continue reading in our forum

  5. Hello Florian!

    Let’s begin with Cisco’s explanation and we’ll go from there. Cisco says that this command:

    Sets the priority level used to select the active router in an HSRP group. The level range is from 0 to 255. The default is 100. Optionally, sets the upper and lower threshold values used by vPC to determine when to fail over to the vPC trunk. The lower-value range is from 1 to 255. The default is 1. The upper-value range is from 1 to 255. The default is 255.

    (See http://www.cisco.com/c/en/us/td/docs/switches/datacenter/sw/5_x/nx-os/unicast/configuration/

    ... Continue reading in our forum

77 more replies! Ask a question or join the discussion by visiting our Community Forum