Introduction to the Cisco Virtual Router Redundancy Protocol (VRRP)
Often one of the least redundant parts of a network is the first hop between a host and the rest of the network. This is because they are typically configured with a default gateway IP address that links to a single device. Should this device fail, then all of the users on a specific segment who are using it as their default gateway will be unable to reach any other subnet including the Internet.
There are a number of different solutions to this problem; most of these are all grouped together and referred to as First Hop Redundancy Protocols (FHRP). This article looks at the Virtual Router Redundancy Protocol (VRRP), which is a standards-based version of Cisco’s Hot Standby Redundancy Protocol (HSRP). This article specifically looks at VRRP, how it operates, along with the main concepts that should be known before attempting to configure it. Another VRRP configuration article follows with the details of how to configure VRRP.
How Does VRRP Work?
The basic concepts behind both HSRP and VRRP are very similar, and are intended to deal with a basic redundancy problem that exists on many local area networks (LAN) that are used everyday—that is, the single point of failure that is inherent when using a single default gateway for hosts on the network. In many common networks, the hosts that exist on the LAN are configured with a default gateway to access devices that are not located on the local network (in a different subnet); this gateway that is used is another name that is used to refer to a router. This router has a list of its known networks, and is further configured with a routing table that enables it to handle traffic to and from multiple sources and destinations. However, if this router were to go down or be taken offline, then all of those devices that use it as their default gateway will be unable to access outside networks.
FHRPs deal with this problem by offering redundancy solutions; VRRP and HSRP offer similar solutions with a few major differences. VRRP is a standards-based solution, whereas HSRP is Cisco proprietary and is (for the most part) only supported on Cisco devices. VRRP offers the ability use multiple (more than 2) routers for redundancy; HSRP is limited to a single active (forwards traffic) and standby (waits to forward traffic when the active device goes down). VRRP also differs in some of its default settings, namely that master (active) device preemption is enabled by default.
VRRP communicates with the other configured VRRP routers (within the same group) by sending an advertisement out every second (by default); this advertisement provides these devices with a state of the current master router as well as its priority. VRRP uses the IPv4 multicast address 126.96.36.199 for these advertisements.
VRRP (like HSRP) also supports the ability to configure multiple VRRP virtual router instances on a single physical interface (up to 255); this enables a device to be configured into load sharing configurations.
VRRP Priority and Preemption
When VRRP is configured on a network, the concepts of priority and preemption are important to understand for VRRP to work as expected. By default, the priority of a VRRP router is 100 out of a priority range that goes from 1 through 254; the higher the priority, the higher the chance the device will become the master (forwarding) VRRP device. If there is a tie in the VRRP priority, then the device with the higher IP addresses of the devices will be used as a tiebreak.
Preemption (as it is enabled by default) allows any new device that comes onto a network with other VRRP configured routers to become the master router immediately, should it have a higher priority. Without preemption enabled, this device would need to wait until the master device failed for it to take over as the master.
VRRP offers a number of authentication options as well to ensure that the infrastructure running VRRP is protected from malicious attacks. By default, VRRP is configured with no authentication, and any device configured onto the same VRRP group can affect the behavior of VRRP. There are two further authentication options: plaintext authentication and MD5 authentication (using a MD5 key string or MD5 key chain). The MD5 choice is the only real option on a production network.
VRRP Object Tracking
Like HSRP, VRRP supports the ability to alter device priority, depending on the state of a currently configured track object. At its most basic, this object can track the line protocol state or IP configuration state of an interface and go up or down depending on these states (specific states can be tracked using Cisco’s IP SLA feature). Once configured, the VRRP group process will continue to pool the track object for its status. If it is down, it can be configured to alter the priority of a specific VRRP device, which can affect the current device that is being selected as the master router.
If the reader has come off reading an HSRP article or has some experience with HSRP, it should be obvious that both HSRP and VRRP are very similar and follow the same general rules. There are two big differences that affect the selection of one over the other: whether all of the implemented devices are Cisco, and whether more than two devices are ever going to be configured onto a single LAN segment.
If all of the current (or future) devices are not Cisco, then the selection of VRRP is easy, as (for the most part) HSRP is only widely supported on Cisco equipment, whereas VRRP is a standards-based solution and is supported by many different vendors. The other difference may not be that big of a deal on many networks because most don’t have multiple routers that are connected to a single LAN segment. HSRP supports an active and standby device, which is typically enough to satisfy the requirements of obtaining enough redundancy. However, VRRP does support more than two devices, and this can be helpful in those situations where multiple (more than two) are connected to the same LAN segment.
Ultimately, the use of one of the FHRPs (generally) is a good common practice on LAN segments that require high uptime and where outages can be costly. I hope that this article will help in making the selection of which one to select when the decision needs to be made (or helps those trying to understand the VRRP concepts for testing purposes).