Cisco Virtual Router Redundancy Protocol (VRRP) Configuration

The configuration of a basic Virtual Router Redundancy Protocol (VRRP) implementation is not all that complex, and resembles a lot the configuration of Cisco’s Hot Standby Router Protocol (HSRP) if the reader is more familiar with that protocol. This section first covers the configuration process steps and commands that are used to perform a basic VRRP configuration. An example is then given on how these steps can be used to configure VRRP in a sample networking topology.

VRRP Simple Configuration Steps

Only a few commands are required to get VRRP up and working. Table 1 features these commands and a few other common commands that are used to modify the default behavior of VRRP.

Table 1 - VRRP Configuration Commands

1	Enter privileged EXEC mode.	router>enable
2	Enter global configuration mode.	router#configure terminal
3	Enter interface configuration mode.	router(config)#interface interface
4	Configure an IP address on the interface.	router(config-if)#ip address address netmask
5	Configure a VRRP virtual IP address. Note: This address must be in the same subnet as the interface IP address (primary or secondary).	router(config-if)#vrrp group-number ip ip-address
6	Configure the VRRP priority (optional). Note:  The valid values for the priority are from 1 through 254.	router(config-if)#vrrp group-number prioritypriority
7	Configure VRRP preemption (optional). Note: VRRP preemption is enabled by default.	router(config-if)#vrrp group-number preempt

VRRP Simple Example

Because often it is easier to see the complete application of a subject, this section goes over the configuration of VRRP between two devices in a sample network. Figure 1 displays the topology that will be used; Table 2 and 3 will then display the commands required on both R1 and R2.

Figure 1 VRRP example topology

The configuration will perform the following:

• Configure the IP addresses 10.10.20.1/30 (R1) and 10.10.20.2/30(R2) on their Fa0/1 interfaces.
• Configure the IP addresses 172.16.1.1/24 (R1) and 172.16.2.1 (R2) on their Fa0/0 interfaces.
• Configure VRRP between R1 and R2 using the IP addresses 10.10.10.1/24 (R1) and 10.10.10.2/24(R2) and a virtual IP address of 10.10.10.5 on their Fa1/0 interfaces.
• Configure R1 with a VRRP priority of 140.

Table 2 - R1 Simple Example Configuration

1	Enter privileged EXEC mode.	R1>enable
2	Enter global configuration mode.	R1#configure terminal
3	Enter interface configuration mode.	R1(config)#interface fa0/0
4	Configure an IP address on the interface.	R1(config-if)#ip address 172.16.1.1 255.255.255.0
5	Enter interface configuration mode.	R1(config)#interface fa0/1
6	Configure an IP address on the interface.	R1(config-if)#ip address 10.10.20.1 255.255.255.252
7	Enter interface configuration mode.	R1(config)#interface fa1/0
8	Configure an IP address on the interface.	R1(config-if)#ip address 10.10.10.1 255.255.255.0
9	Configure VRRP using a virtual IP address of 10.10.10.5 using group 1.	R1(config-if)#vrrp 1 ip 10.10.10.5
10	Configure the VRRP priority to 140.	R1(config-if)#vrrp 1 priority 140

Table 3 - R2 Simple Example Configuration

1	Enter privileged EXEC mode.	R2>enable
2	Enter global configuration mode.	R2#configure terminal
3	Enter interface configuration mode.	R2(config)#interface fa0/0
4	Configure an IP address on the interface.	R2(config-if)#ip address 172.16.2.1 255.255.255.0
5	Enter interface configuration mode.	R2(config)#interface fa0/1
6	Configure an IP address on the interface.	R2(config-if)#ip address 10.10.20.2 255.255.255.252
7	Enter interface configuration mode.	R2(config)#interface fa1/0
8	Configure an IP address on the interface.	R2(config-if)#ip address 10.10.10.2 255.255.255.0
9	Configure VRRP using a virtual IP address of 10.10.10.5 using group 1.	R2(config-if)#vrrp 1 ip 10.10.10.5

VRRP Complex Configuration Steps

As with most features, a number of different optional features may or may not be useful depending on the specific implementation situation. This section reviews the additional commands that can be configured to take advantage of these additional features (Table 4), and then covers another example using these features.

Table 4 - VRRP Complex Configuration Commands

1	Configure VRRP Authentication	router(config-if)#vrrp group-numberauthentication {plain-text-string | textplain-text-string | md5 {key-string keystring| key-chain key-chain-name}}
	If a key-chain is configured with the command above, follow these next few steps to create the key-chain.
2	Create and enter into key chain configuration mode.	router(config)#key chain chain-name
3	Create and enter into key chain – key configuration mode. Note: The key-numbercan be any number between 0-2147483647.	router(config-keychain)#key key-number
4	Enter the key string that will be used to authenticate with neighboring devices.	router(config-keychain-key)#key-stringkeystring
1	Configure VRRP Object tracking. Note: The default priority decrement value is 10.	router(config-if)#vrrp group-number trackobject-number [decrement priority]
2	Create a tracked object Notes: The object-numbercan be any number between 1 and 1000. The line-protocolparameter will track the protocol state of the configured interface. Theip routingparameter will track the IP routing capability of an interface (is it configured with an IP address and operational?).	router(config)#track object-number interfaceinterface {line-protocol | ip routing}

VRRP Complex Example

This section covers an example using both VRRP MD5 authentication (using a basic key-string) and VRRP object tracking. For the object tracking configuration, R1 will be configured to monitor the line protocol state of its own fa0/0 interface. If it goes down, then its VRRP priority will be lowered by 50; R2 will be configured the same using its fa0/0 interface. The examples in Tables 5 and 6 build upon the simple VRRP example shown earlier in Table 4.

Table 5 - R1 Complex Example Configuration Addition

1	Enter privileged EXEC mode.	R1>enable
2	Enter global configuration mode.	R1#configure terminal
3	Create a tracked object that will monitor the line protocol status of the fa0/0 interface using an object number of 1.	R1(config)#track 1 interface fa0/0 line-protocol
4	Enter interface configuration mode.	R1(config)#interface fa1/0
5	Configure VRRP to use the tracked object to influence its priority..	R1(config-if)#vrrp 1 track 1 decrement 50
6	Configure the use of an MD5 keystring ofabc123.	R1(config-if)#vrrp 1 authentication md5 key-string abc123

Table 6 - R2 Complex Example Configuration Addition

1	Enter privileged EXEC mode.	R2>enable
2	Enter global configuration mode.	R2#configure terminal
3	Create a tracked object that will monitor the line protocol status of the fa0/0 interface using an object number of 1.	R2(config)#track 1 interface fa0/0 line-protocol
4	Enter interface configuration mode.	R2(config)#interface fa1/0
5	Configure VRRP to use the tracked object to influence its priority.	R2(config-if)#vrrp 1 track 1 decrement 50
6	Configure the use of an MD5 key string ofabc123.	R2(config-if)#vrrp 1 authentication md5 key-string abc123

Summary

One thing that has been rather consistent over the last 20 years is that most LAN segments all include a single gateway that is used by everyone on that segment. While in past, this may not have been that big of a deal, but in modern networks, almost everyone is actively using the network to do normal tasks and often this involves access to parts of the network that are not local to a host’s machine. Because of this, the implementation of FHRPs has become more common in these types of network environments.

Knowledge of these options is an important part of the education of any LAN administrator or engineer, and should be known as part of all Cisco routing and switching certification tracks. I hope that this article enables you to have a better understanding of how the different configuration commands can be put together to obtain an expected, well thought-out solution to this common design issue.