
Pocket guide to configuring and troubleshooting VRRP on Cisco routers


1. VRRP Configuration

VRRP (Virtual Router Redundancy Protocol)
VRRP (Virtual Router Redundancy Protocol) is very similar to HSRP (Hot Standby
Router Protocol) and can be used to create a virtual gateway. If you don’t know why we
use virtual gateways then I suggest reading my Introduction to virtual gateways first. Also
make sure you check the HSRP lesson first since many of the things I describe there
also apply to VRRP.
VRRP is very similar to HSRP; if you understood HSRP you’ll have no trouble with
VRRP, which is a standard protocol defined by the IETF in RFC 3768. Configuration-wise
it’s pretty much the same but there are a couple of differences.
Let’s start with an overview:

                      HSRP
Protocol              Cisco proprietary
Number of groups      16 groups maximum
Active/Standby        1 active, 1 standby and multiple candidates.
Virtual IP Address    Different from real IP addresses on interfaces
Multicast address     224.0.0.2
Tracking              Interfaces or Objects
Timers                Hello timer 3 seconds, hold time 10 seconds.
Authentication        Supported

As you can see there are a number of differences between HSRP and VRRP. Nothing
too fancy however. HSRP is a Cisco proprietary protocol so you can only use it between
Cisco devices.
Let’s see if we can configure it…

Configuration
This is the topology that I will use:


SwitchA and SwitchB are multilayer switches and their interfaces are configured as
routed ports. We will create a virtual gateway using VRRP on the interfaces facing
SwitchC:
SwitchA(config)#interface fa0/17
SwitchA(config-if)#vrrp 1 ip 192.168.1.3
SwitchA(config-if)#vrrp 1 priority 150
SwitchA(config-if)#vrrp 1 authentication md5 key-string mykey
SwitchB(config-if)#interface fa0/19
SwitchB(config-if)#vrrp 1 ip 192.168.1.3
SwitchB(config-if)#vrrp 1 authentication md5 key-string mykey

Here’s an example of how to configure VRRP. You can see the commands are pretty
much the same, but I typed vrrp instead of “standby”. I have changed the priority on
SwitchA to 150 and I’ve enabled MD5 authentication on both switches.
SwitchA#
%VRRP-6-STATECHANGE: Fa0/17 Grp 1 state Init -> Backup
%VRRP-6-STATECHANGE: Fa0/17 Grp 1 state Backup -> Master
SwitchB#
%VRRP-6-STATECHANGE: Fa0/19 Grp 1 state Init -> Backup
%VRRP-6-STATECHANGE: Fa0/19 Grp 1 state Backup -> Master
%VRRP-6-STATECHANGE: Fa0/19 Grp 1 state Master -> Backup

You will see these messages pop up on your console. VRRP uses different terminology
than HSRP. SwitchA has the best priority and will become the master router. SwitchB
will become a backup router. Let’s see what else we have:
SwitchA#show vrrp
FastEthernet0/17 - Group 1
State is Master
Virtual IP address is 192.168.1.3
Secondary Virtual IP address is 192.168.1.4
Virtual MAC address is 0000.5e00.0101
Advertisement interval is 1.000 sec
Preemption enabled
Priority is 150
Authentication MD5, key-string "mykey"
Master Router is 192.168.1.1 (local), priority is 150
Master Advertisement interval is 1.000 sec
Master Down interval is 3.414 sec
SwitchB#show vrrp
FastEthernet0/19 - Group 1
State is Backup
Virtual IP address is 192.168.1.3
Virtual MAC address is 0000.5e00.0101
Advertisement interval is 1.000 sec
Preemption enabled
Priority is 100
Authentication MD5, key-string "mykey"
Master Router is 192.168.1.1, priority is 150
Master Advertisement interval is 1.000 sec
Master Down interval is 3.609 sec (expires in 3.065 sec)

Use show vrrp to verify your configuration. The output looks similar to HSRP; one of the
differences is that VRRP uses another virtual MAC address:
0000.5e00.01XX (where X = group number)

SwitchA(config)#interface fa0/17
SwitchA(config-if)#shutdown

We can shut the interface on SwitchA so we can see that SwitchB will take over.
SwitchA#
%VRRP-6-STATECHANGE: Fa0/17 Grp 1 state Master -> Init
SwitchB#
%VRRP-6-STATECHANGE: Fa0/19 Grp 1 state Backup -> Master

Same principle…different terminology!
It is possible to configure load balancing for VRRP (or HSRP), but it doesn't work on a
per-packet basis. Instead, we have to use multiple group numbers.
Let me show what I'm talking about:
SwitchA(config)#interface fa0/17
SwitchA(config-if)#vrrp 1 ip 192.168.1.3
SwitchA(config-if)#vrrp 1 priority 150
SwitchA(config-if)#vrrp 2 ip 192.168.1.4
SwitchB(config-if)#interface fa0/19
SwitchB(config-if)#vrrp 1 ip 192.168.1.3
SwitchB(config-if)#vrrp 2 ip 192.168.1.4
SwitchB(config-if)#vrrp 2 priority 150

I created two groups so we have two virtual IP addresses:
• 192.168.1.3 and 192.168.1.4 are both virtual IP addresses we can use as a gateway.
• SwitchA has the highest priority (150) for virtual IP address 192.168.1.3.
• SwitchB has the highest priority (150) for virtual IP address 192.168.1.4.


You can now use 192.168.1.3 and 192.168.1.4 as default gateways for your computers
and SwitchA and SwitchB will share the load. You can use this like I did to have load
balancing within a VLAN or you can do this on a per VLAN basis.


2. TROUBLESHOOT VRRP CISCO

In a previous lesson I demonstrated how to troubleshoot an HSRP issue. This time we’ll
troubleshoot VRRP. These two protocols have many similarities; if you can troubleshoot
one then the other shouldn’t be a problem.
Let’s take a look, I will use the following topology:


The router on the left is our “client” device, R2 and R3 are configured for VRRP. The goal is
to reach 4.4.4.4 from the client. Unfortunately, this is not working:
Client#ping 4.4.4.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.4.4.4, timeout is 2 seconds:
U.!!!
Success rate is 60 percent (3/5), round-trip min/avg/max = 8/13/20 ms
Some of the IP packets are not arriving at 4.4.4.4. Let’s check what default gateway our
client is using:
Client#show ip route
Default gateway is 192.168.123.254
Host               Gateway           Last Use    Total Uses  Interface
ICMP redirect cache is empty


IP routing has been disabled and the client is using gateway IP address 192.168.123.254.
Let’s check if we can reach this address:
Client#ping 192.168.123.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.123.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/7/20 ms
Pinging the gateway address is no problem. Are our two VRRP routers able to reach
4.4.4.4? Let’s try that:
R2#ping 4.4.4.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.4.4.4, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R3#ping 4.4.4.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.4.4.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/7/20 ms
R2 is unable to reach 4.4.4.4 but R3 has no issues. Before we continue checking why R2 is
unable to reach 4.4.4.4 we’ll take a look at the VRRP configuration to see which router is
the master:
R2#show vrrp
FastEthernet0/0 - Group 1
State is Master
Virtual IP address is 192.168.123.254
Virtual MAC address is 0000.5e00.0101
Advertisement interval is 1.000 sec
Preemption enabled
Priority is 100
Authentication MD5, key-string "WRONGPASS"
Master Router is 192.168.123.2 (local), priority is 100
Master Advertisement interval is 1.000 sec
Master Down interval is 3.609 sec
R3#show vrrp
FastEthernet0/0 - Group 1
State is Master
Virtual IP address is 192.168.123.254
Virtual MAC address is 0000.5e00.0101
Advertisement interval is 1.000 sec
Preemption enabled
Priority is 100
Authentication MD5, key-string "SECRET"
Master Router is 192.168.123.3 (local), priority is 100
Master Advertisement interval is 1.000 sec
Master Down interval is 3.609 sec
The output of show vrrp is interesting. Both routers think they are active, and if you look
closely you can see why. Authentication has been enabled and there is a mismatch in the
key-string. Since both routers are active, half of the packets will end up at R2 and the rest at
R3. This is why our client sees some packets arriving and others not. Let’s fix our
authentication:



R2(config)#interface FastEthernet 0/0
R2(config-if)#vrrp 1 authentication md5 key-string SECRET
We’ll make sure the key-string is the same. Now you’ll see something on the console:
R2# %VRRP-6-STATECHANGE: Fa0/0 Grp 1 state Master -> Backup
This message on the console of R2 is promising. R3 has become the master:
R2#show vrrp | include Master
Master Router is 192.168.123.3, priority is 100
R3#show vrrp | include Master
State is Master
Master Router is 192.168.123.3 (local), priority is 100
R3 has been elected as the master router. Now let’s find out why R2 was unable to reach
4.4.4.4:
R2#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static
       o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
C    192.168.123.0/24 is directly connected, FastEthernet0/0

Hmm, R2 only shows a single entry in the routing table. Something is wrong with
FastEthernet 1/0. Let's check the interface:
R2#show ip interface brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            192.168.123.2   YES NVRAM  up                    up
FastEthernet1/0            192.168.24.2    YES NVRAM  administratively down down

The interface has been shut. Keep in mind this could be anything else…access-lists
blocking traffic between R2 and R4, port-security (if there was a switch in the middle),
interfaces in err-disabled mode, wrong IP addresses and more. Check everything! Let's
enable this interface:
R2(config)#interface fastEthernet 1/0
R2(config-if)#no shutdown
Now R2 should be able to reach 4.4.4.4. Just in case, let's try another ping from the client:
Client#ping 4.4.4.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.4.4.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/9/16 ms
Problem solved!

Lesson learned: Make sure the VRRP routers are able to reach each other.
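
The following Python example is added here and is not part of the original lesson. It parses show vrrp output collected from several routers and flags the conditions diagnosed above: more than one Master for the same group, differing key-strings, and a virtual MAC that does not follow 0000.5e00.01XX. The function names and the trimmed sample text are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample: trimmed "show vrrp" output for R2 and R3 as shown above.
_TMPL = """FastEthernet0/0 - Group 1
  State is {state}
  Virtual IP address is 192.168.123.254
  Virtual MAC address is 0000.5e00.0101
  Authentication MD5, key-string "{key}"
"""
SAMPLE = {"R2": _TMPL.format(state="Master", key="WRONGPASS"),
          "R3": _TMPL.format(state="Master", key="SECRET")}

HEADER = re.compile(r"^(\S+) - Group (\d+)[ \t]*$", re.M)
FIELDS = {"state": r"State is (\w+)", "vip": r"^\s*Virtual IP address is (\S+)",
          "vmac": r"Virtual MAC address is (\S+)", "key": r'key-string "([^"]*)"'}

def parse_show_vrrp(text):
    """Return one dict per 'Interface - Group N' block (hypothetical helper)."""
    parts = HEADER.split(text)  # ['', intf, group, body, intf, group, body, ...]
    records = []
    for intf, grp, body in zip(parts[1::3], parts[2::3], parts[3::3]):
        rec = {"interface": intf, "group": int(grp)}
        for name, pattern in FIELDS.items():
            m = re.search(pattern, body, re.M)
            rec[name] = m.group(1) if m else None
        records.append(rec)
    return records

def audit(outputs):
    """outputs maps router name -> show vrrp text; returns (kind, group, routers)."""
    by_group, findings = defaultdict(list), []
    for router, text in outputs.items():
        for rec in parse_show_vrrp(text):
            by_group[(rec["group"], rec["vip"])].append((router, rec))
            # The last byte of the virtual MAC is the group number in hex.
            expected = "0000.5e00.01%02x" % rec["group"]
            if rec["vmac"] and rec["vmac"].lower() != expected:
                findings.append(("vmac-mismatch", rec["group"], [router]))
    for (grp, _vip), members in by_group.items():
        masters = sorted(r for r, rec in members if rec["state"] == "Master")
        if len(masters) > 1:  # split brain: both routers answer for the virtual IP
            findings.append(("dual-master", grp, masters))
        if len({rec["key"] for _, rec in members}) > 1:
            findings.append(("auth-mismatch", grp, sorted(r for r, _ in members)))
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE))
```

The collected output contains the key-strings in clear text, just as the show vrrp listings above do, so treat saved copies as sensitive.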


