VRRP (Virtual Router Redundancy Protocol)

VRRP (Virtual Router Redundancy Protocol) is very similar to HSRP (Hot Standby Routing Protocol) and can be used to create a virtual gateway. If you don’t know why we use virtual gateways then I suggest reading my Introduction to virtual gateways lesson. Also, make sure you check the HSRP lesson first since many of the things I described there also apply to VRRP.

VRRP is very similar to HSRP; if you understand HSRP, you’ll have no trouble with VRRP, which is a standard protocol defined by the IETF in RFC 3768. Configuration-wise it’s pretty much the same, but there are a couple of differences.

Let’s start with an overview:

	HSRP	VRRP
Protocol	Cisco proprietary	IETF – RFC 3768
Number of groups	16 groups maximum	255 groups maximum
Active/Standby	1 active, 1 standby, and multiple candidates.	1 active and several backups.
Virtual IP Address	Different from real IP addresses on interfaces	It can be the same as the real IP address on an interface.
Multicast address	224.0.0.2	224.0.0.18
Tracking	Interfaces or Objects	Objects
Timers	Hello timer 3 seconds, hold time 10 seconds.	Hello timer 1 second, hold time 3 seconds.
Authentication	Supported	Not supported in RFC 3768

As you can see, there are some differences between HSRP and VRRP. Nothing too fancy, however. HSRP is a cisco proprietary protocol, so you can only use it between Cisco devices.

Let’s see if we can configure it…

Configuration

This is the topology that I will use:

SW1 and SW2 are multilayer switches, and their interfaces are configured as routed ports. We will create a virtual gateway using VRRP on the interfaces facing SW3:

SW1(config)#interface fa0/17
SW1(config-if)#vrrp 1 ip 192.168.1.3
SW1(config-if)#vrrp 1 priority 150
SW1(config-if)#vrrp 1 authentication md5 key-string mykey

SW2(config-if)#interface fa0/19
SW2(config-if)#vrrp 1 ip 192.168.1.3
SW2(config-if)#vrrp 1 authentication md5 key-string mykey

Here’s an example of how to configure VRRP. You can see the commands are pretty much the same, but I didn’t type standby but vrrp. I have changed the priority on SW1 to 150, and I’ve enabled MD5 authentication on both switches.

SW1#
%VRRP-6-STATECHANGE: Fa0/17 Grp 1 state Init -> Backup
%VRRP-6-STATECHANGE: Fa0/17 Grp 1 state Backup -> Master

SW2#
%VRRP-6-STATECHANGE: Fa0/19 Grp 1 state Init -> Backup 
%VRRP-6-STATECHANGE: Fa0/19 Grp 1 state Backup -> Master 
%VRRP-6-STATECHANGE: Fa0/19 Grp 1 state Master -> Backup

You will see these messages pop up in your console. VRRP uses different terminology than HSRP. SW1 has the best priority and will become the master router. SW2 will become a backup router. Let’s see what else we have:

SW1#show vrrp 
FastEthernet0/17 - Group 1  
  State is Master  
  Virtual IP address is 192.168.1.3
    Secondary Virtual IP address is 192.168.1.4
  Virtual MAC address is 0000.5e00.0101
  Advertisement interval is 1.000 sec
  Preemption enabled
  Priority is 150 
  Authentication MD5, key-string "mykey"
  Master Router is 192.168.1.1 (local), priority is 150 
  Master Advertisement interval is 1.000 sec
  Master Down interval is 3.414 sec

SW2#show vrrp 
FastEthernet0/19 - Group 1  
  State is Backup  
  Virtual IP address is 192.168.1.3
  Virtual MAC address is 0000.5e00.0101
  Advertisement interval is 1.000 sec
  Preemption enabled
  Priority is 100 
  Authentication MD5, key-string "mykey"
  Master Router is 192.168.1.1, priority is 150 
  Master Advertisement interval is 1.000 sec
  Master Down interval is 3.609 sec (expires in 3.065 sec)

Use show vrrp to verify your configuration. The output looks similar to HSRP; one of the differences is that VRRP uses another virtual MAC address: