Thursday, May 22, 2014

CCNP SWITCH: 7. Virtual Router Redundancy Protocol (VRRP)

VRRP provides one redundant gateway address from a group of routers.
The active router is called the master router, whereas all others are in the backup state.
The master router is the one with the highest router priority in the VRRP group.

VRRP group numbers range from 0 to 255; router priorities range from 1 to 254. (254 is the highest, 100 is the default.)

The virtual router MAC address is of the form 0000.5e00.01xx, where xx is the VRRP group number written as two hex digits.

VRRP advertisements are sent at 1-second intervals.

By default, all VRRP routers are configured to preempt the current master router if their priorities are greater.

Note: The VRRP standard itself has no mechanism for tracking interfaces that would let a more capable router take over the master role.

Note: VRRP sends its advertisements to the multicast destination address 224.0.0.18 (VRRP).

In our topology, let's consider switches AS1, AS2, DS1 and DS2. The distribution switches will have VRRP configured.

All unused interfaces on AS1, AS2, DS1 and DS2 should be shut down.
All unused switches should be shut down.

This is a simplified image of the topology we are going to use for this lab:

[Figure: simplified lab topology with PC1, PC2, AS1, AS2, DS1 and DS2]

PC1 and PC2 (which are actually routers acting as end hosts) will have IP addresses configured and will point to the VRRP group addresses as their default gateways.

PC1#show ip interface brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            192.168.1.10    YES manual up                    up     

PC1(config)#ip route 0.0.0.0 0.0.0.0 192.168.1.1

PC2#show ip interface brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            192.168.2.10    YES manual up                    up     

PC2(config)#ip route 0.0.0.0 0.0.0.0 192.168.2.1

We should first configure the Layer 2 (trunk) links between the access and distribution switches.
The DS1-DS2 link will be a Layer 3 (routed) link.

AS1:

!
interface FastEthernet1/2
 switchport mode trunk
!
interface FastEthernet1/3
!
interface FastEthernet1/4
 switchport mode trunk
!

AS2:

!
interface FastEthernet1/3
 switchport mode trunk
!
interface FastEthernet1/4
 switchport mode trunk
!

DS1:

!
interface FastEthernet1/2
 switchport mode trunk
!
interface FastEthernet1/4
 switchport mode trunk
!
interface FastEthernet1/1
 no switchport
 ip address 192.168.0.1 255.255.255.0
!

DS2:

!
interface FastEthernet1/3
 switchport mode trunk
!
interface FastEthernet1/4
 switchport mode trunk
!
interface FastEthernet1/1
 no switchport
 ip address 192.168.0.2 255.255.255.0
!

Let's create the VLANs on each access switch and assign the PC ports to the VLANs:

AS1#vlan database
AS1(vlan)#vlan 10
      
VLAN 10 added:
    Name: VLAN0010
AS1(vlan)#exit
APPLY completed.
Exiting...
AS1(config)#interface fastEthernet 1/15
AS1(config-if)#switchport mode access
AS1(config-if)#switchport access vlan 10


AS2#vlan database
AS2(vlan)#vlan 20

VLAN 20 added:
    Name: VLAN0020
AS2(vlan)#exit
APPLY completed.
Exiting....
AS2(config)#interface fastEthernet 1/15
AS2(config-if)#switchport mode access
AS2(config-if)#switchport access vlan 20


Let's create the same VLANs on the distribution switches:

DS1#vlan database
DS1(vlan)#vlan 10

VLAN 10 added:
    Name: VLAN0010
DS1(vlan)#vlan 20
VLAN 20 added:
    Name: VLAN0020
DS1(vlan)#exit
APPLY completed.
Exiting....

DS2#vlan database
DS2(vlan)#vlan 10

VLAN 10 added:
    Name: VLAN0010
DS2(vlan)#vlan 20
VLAN 20 added:
    Name: VLAN0020
DS2(vlan)#exit
APPLY completed.
Exiting....

Note: VRRP can use the physical interface IP address as the virtual IP, if needed, saving IP address space.

Configuring VRRP on DS1 (will be Master for VLAN 10 and Backup for VLAN 20):

DS1(config)#interface vlan 10
DS1(config-if)#ip address 192.168.1.100 255.255.255.0
DS1(config-if)#vrrp 1 priority 150
DS1(config-if)#vrrp 1 ip 192.168.1.1
DS1(config-if)#vrrp 1 authentication md5 key-string CCnp


DS1(config)#interface vlan 20
DS1(config-if)#ip address 192.168.2.100 255.255.255.0
DS1(config-if)#no vrrp 2 preempt
DS1(config-if)#vrrp 2 priority 100
DS1(config-if)#vrrp 2 ip 192.168.2.1
DS1(config-if)#vrrp 2 authentication md5 key-string CCnp


Configuring VRRP on DS2 (will be Master for VLAN 20 and Backup for VLAN 10):

DS2(config)#interface vlan 10
DS2(config-if)#ip address 192.168.1.101 255.255.255.0
DS2(config-if)#no vrrp 1 preempt
DS2(config-if)#vrrp 1 priority 100
DS2(config-if)#vrrp 1 ip 192.168.1.1
DS2(config-if)#vrrp 1 authentication md5 key-string CCnp

DS2(config)#interface vlan 20
DS2(config-if)#ip address 192.168.2.101 255.255.255.0
DS2(config-if)#vrrp 2 priority 150
DS2(config-if)#vrrp 2 ip 192.168.2.1
DS2(config-if)#vrrp 2 authentication md5 key-string CCnp


Verifying VRRP - we can confirm our configurations with the following commands:

DS1#show vrrp brief
Interface          Grp Pri Time  Own Pre State   Master addr     Group addr
Vl10               1   150 3414       Y  Master  192.168.1.100   192.168.1.1
Vl20               2   100 3609          Backup  192.168.2.101   192.168.2.1

DS2#show vrrp brief
Interface          Grp Pri Time  Own Pre State   Master addr     Group addr
Vl10               1   100 3609          Backup  192.168.1.100   192.168.1.1
Vl20               2   150 3414       Y  Master  192.168.2.101   192.168.2.1

DS1#show vrrp all
Vlan10 - Group 1
  State is Master
  Virtual IP address is 192.168.1.1
  Virtual MAC address is 0000.5e00.0101

  Advertisement interval is 1.000 sec
  Preemption enabled
  Priority is 150
  Authentication MD5, key-string "CCnp"
  Master Router is 192.168.1.100 (local), priority is 150
  Master Advertisement interval is 1.000 sec
  Master Down interval is 3.414 sec

Vlan20 - Group 2
  State is Backup
  Virtual IP address is 192.168.2.1
  Virtual MAC address is 0000.5e00.0102

  Advertisement interval is 1.000 sec
  Preemption disabled
  Priority is 100
  Authentication MD5, key-string "CCnp"
  Master Router is 192.168.2.101, priority is 150
  Master Advertisement interval is 1.000 sec
  Master Down interval is 3.609 sec (expires in 3.001 sec)
 
DS2#show vrrp all
Vlan10 - Group 1
  State is Backup
  Virtual IP address is 192.168.1.1
  Virtual MAC address is 0000.5e00.0101

  Advertisement interval is 1.000 sec
  Preemption disabled
  Priority is 100
  Authentication MD5, key-string "CCnp"
  Master Router is 192.168.1.100, priority is 150
  Master Advertisement interval is 1.000 sec
  Master Down interval is 3.609 sec (expires in 2.741 sec)

Vlan20 - Group 2
  State is Master
  Virtual IP address is 192.168.2.1
  Virtual MAC address is 0000.5e00.0102

  Advertisement interval is 1.000 sec
  Preemption enabled
  Priority is 150
  Authentication MD5, key-string "CCnp"
  Master Router is 192.168.2.101 (local), priority is 150
  Master Advertisement interval is 1.000 sec
  Master Down interval is 3.414 sec

As configured, DS1 will be Master for Group 1 and Backup for Group 2. DS2 will have reversed roles.
The virtual IPs are the ones PC1 and PC2 point to as default gateways.

Now, when the PCs try to reach a destination outside their own subnet, they send the packets to their configured default gateways, which forward them towards the target.

Reminder: The host recognizes that all packets destined off-net must be sent to the gateway’s MAC address rather than the far end’s MAC address.
Therefore, the host first sends an ARP request to find the gateway’s MAC address. Then packets can be relayed to the gateway directly without having to look for ARP entries for individual destinations.

The virtual gateways respond to the hosts' ARP requests with the group's virtual MAC address (VMAC), as expected:

PC1#ping 1.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:

*Mar  1 01:37:12.547: IP ARP: creating incomplete entry for IP address: 192.168.1.1 interface FastEthernet0/0
*Mar  1 01:37:12.551: IP ARP: sent req src 192.168.1.10 cc04.13b4.0000,
                 dst 192.168.1.1 0000.0000.0000 FastEthernet0/0
*Mar  1 01:37:12.603: IP ARP: rcvd rep src 192.168.1.1 0000.5e00.0101, dst 192.168.1.10 FastEthernet0/0.....
Success rate is 0 percent (0/5)

PC2#ping 3.3.3.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:

*Mar  1 00:01:01.003: IP ARP: creating incomplete entry for IP address: 192.168.2.1 interface FastEthernet0/0
*Mar  1 00:01:01.007: IP ARP: sent req src 192.168.2.10 cc09.0848.0000,
                 dst 192.168.2.1 0000.0000.0000 FastEthernet0/0
*Mar  1 00:01:01.055: IP ARP: rcvd rep src 192.168.2.1 0000.5e00.0102, dst 192.168.2.10 FastEthernet0/0.....
Success rate is 0 percent (0/5)

Now, let's say that we want VRRP to track an interface and, if that interface goes down for any reason, hand the Master role for a particular group to the other VRRP router.
For this, we will create a loopback interface on DS1, which is the Master router for VRRP Group 1.
DS1 is Master because it has a VRRP priority of 150 for Group 1, compared to the default of 100 configured on DS2 for that same group.
So, in order to appoint DS2 as Master when the interface fails, we should make DS1 lower its priority by more than the difference between them, which is 50 (a decrement of exactly 50 would leave both routers tied at 100).

DS1(config)#interface loopback 1000
DS1(config-if)#
*Mar  1 01:48:14.587: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback1000, changed state to up

DS1 is still Master for Group 1:
DS1#show vrrp brief
Interface          Grp Pri Time  Own Pre State   Master addr     Group addr
Vl10               1   150 3414       Y  Master  192.168.1.100   192.168.1.1
Vl20               2   100 3609          Backup  192.168.2.101   192.168.2.1

DS2#show vrrp brief
Interface          Grp Pri Time  Own Pre State   Master addr     Group addr
Vl10               1   100 3609          Backup  192.168.1.100   192.168.1.1
Vl20               2   150 3414       Y  Master  192.168.2.101   192.168.2.1

DS1(config)#track 500 interface loopback 1000 line-protocol
DS1(config)#interface vlan 10
DS1(config-if)#vrrp 1 track 500 decrement 51


Now, if the interface fails, DS1's new priority for Group 1 will be 150 - 51 = 99 and it will become Backup (standby) for that group as well.

DS1(config)#interface loopback 1000
DS1(config-if)#shutdown

DS1(config-if)#
*Mar  1 01:52:38.123: %TRACKING-5-STATE: 500 interface Lo1000 line-protocol Up->Down
DS1(config-if)#
*Mar  1 01:52:40.123: %LINK-5-CHANGED: Interface Loopback1000, changed state to administratively down
*Mar  1 01:52:41.123: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback1000, changed state to down

DS1#show vrrp brief
Interface          Grp Pri Time  Own Pre State   Master addr     Group addr
Vl10               1   99  3414       Y  Master  192.168.1.100   192.168.1.1
Vl20               2   100 3609          Backup  192.168.2.101   192.168.2.1

DS1's priority was indeed decreased from 150 to 99, but it is still the Master router for Group 1.
This is because we configured DS2 with the "DS2(config-if)#no vrrp 1 preempt" command for this group, so DS2 will not take over from a live Master even though its priority is now higher.

Let's configure preemption on DS2:

DS2(config)#interface vlan 10
DS2(config-if)#vrrp 1 preempt

*Mar  1 01:57:41.511: %VRRP-6-STATECHANGE: Vl10 Grp 1 state Backup -> Master

Now DS1 is Backup for both groups:

DS1#show vrrp brief
Interface          Grp Pri Time  Own Pre State   Master addr     Group addr
Vl10               1   99  3414       Y  Backup  192.168.1.101   192.168.1.1
Vl20               2   100 3609          Backup  192.168.2.101   192.168.2.1

DS2#show vrrp brief
Interface          Grp Pri Time  Own Pre State   Master addr     Group addr
Vl10               1   100 3609       Y  Master  192.168.1.101   192.168.1.1
Vl20               2   150 3414       Y  Master  192.168.2.101   192.168.2.1

If the interface comes back UP, DS1 automatically becomes Master for Group 1, since it already has preemption enabled for this group.

DS1(config)#interface loopback 1000
DS1(config-if)#no shutdown

DS1(config-if)#
*Mar  1 01:59:35.967: %TRACKING-5-STATE: 500 interface Lo1000 line-protocol Down->Up
DS1(config-if)#
*Mar  1 01:59:37.963: %LINK-3-UPDOWN: Interface Loopback1000, changed state to up
DS1(config-if)#
*Mar  1 01:59:38.791: %VRRP-6-STATECHANGE: Vl10 Grp 1 state Backup -> Master
DS1(config-if)#
*Mar  1 01:59:38.963: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback1000, changed state to up

DS1#show vrrp brief
Interface          Grp Pri Time  Own Pre State   Master addr     Group addr
Vl10               1   150 3414       Y  Master  192.168.1.100   192.168.1.1
Vl20               2   100 3609          Backup  192.168.2.101   192.168.2.1

DS2#show vrrp brief
Interface          Grp Pri Time  Own Pre State   Master addr     Group addr
Vl10               1   100 3609       Y  Backup  192.168.1.100   192.168.1.1
Vl20               2   150 3414       Y  Master  192.168.2.101   192.168.2.1
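To tie the numbers in the show vrrp output together, here is an added example (not code from the post or from Cisco) that models the VRRP behaviour exercised above: the virtual MAC derivation, the Master Down interval (3 x advertisement interval plus a skew time of (256 - priority)/256 s, which gives the 3.414 and 3.609 seconds shown), and the Group 1 election through the tracking, decrement and preemption steps. It assumes a 1-second advertisement interval, routers that all hear each other, and the highest interface address as tie-breaker on equal priority; the router and step names are the lab's own.

```python
# Added example (not from the post): a small model of the VRRP behaviour this lab
# exercises. Assumes one group, a 1-second advertisement interval, and routers
# that all hear each other's advertisements.
from dataclasses import dataclass

def virtual_mac(group: int) -> str:
    """Virtual MAC 0000.5e00.01xx, xx = group number as two hex digits."""
    if not 0 <= group <= 255:
        raise ValueError("VRRP group must be 0-255")
    return f"0000.5e00.01{group:02x}"

def master_down_interval(priority: int, adv: float = 1.0) -> float:
    """3 x advertisement interval + skew time, skew = (256 - priority) / 256 s.
    A lower priority waits longer, so the best backup takes over first."""
    return round(3 * adv + (256 - priority) / 256, 3)

def ip_key(ip: str):
    return tuple(int(o) for o in ip.split("."))

@dataclass
class VrrpRouter:
    name: str
    ip: str                    # interface address, tie-breaker on equal priority
    priority: int              # configured 1-254 (IOS default 100)
    preempt: bool = True       # IOS default: preemption on
    tracked_up: bool = True    # state of the tracked object, if any
    track_decrement: int = 0   # vrrp <grp> track <obj> decrement <n>

    def effective_priority(self) -> int:
        if self.tracked_up:
            return self.priority
        return max(1, self.priority - self.track_decrement)

    def rank(self):
        return (self.effective_priority(), ip_key(self.ip))

def elect(routers, current=None):
    """Master after one election round. A live master is displaced only by a
    better-ranked router that has preemption enabled; a dead one is replaced."""
    best = max(routers, key=VrrpRouter.rank)
    if current is None or current not in routers or best is current:
        return best
    return best if best.preempt and best.rank() > current.rank() else current

def lab_group1():
    """Replay the Group 1 steps from the lab; return the master after each."""
    ds1 = VrrpRouter("DS1", "192.168.1.100", 150, track_decrement=51)
    ds2 = VrrpRouter("DS2", "192.168.1.101", 100, preempt=False)
    m = elect([ds1, ds2]); steps = [m.name]                                  # 150 > 100
    ds1.tracked_up = False; m = elect([ds1, ds2], m); steps.append(m.name)   # DS1 at 99, DS2 no preempt
    ds2.preempt = True;     m = elect([ds1, ds2], m); steps.append(m.name)   # DS2 preempts
    ds1.tracked_up = True;  m = elect([ds1, ds2], m); steps.append(m.name)   # DS1 back to 150
    return steps
```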

Note: VRRP is an open standard protocol, unlike HSRP which is Cisco proprietary.


Note: If you encounter the following error when modifying the VLAN database, you can erase the flash to resolve the issue:

% not enough space on flash to store vlan database. trying squeeze...First create squeeze log by erasing the entire device

% error squeezing flash - (Missing or corrupted log)
Error on database apply 40: NV storage failure
Use 'abort' command to exit


AS1(vlan)#abort
Aborting....

AS1#erase flash:
Erasing the flash filesystem will remove all files! Continue? [confirm]
Erasing device... eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee ...erased
Erase of flash: complete 

Note: Although we reload the switches whenever we want fresh default configs, the VLAN and VTP information is still present after the reload.
The reason is that this VLAN and VTP information is actually kept in the vlan.dat file in flash memory, and the contents of flash survive a reload. The file has to be deleted manually.
More info at: http://www.mcmcse.com/cisco/guides/vlandat.shtml

