Saturday, February 25, 2012

VRRP

  • IETF alternative to HSRP
  • Uses the terms master/backup as opposed to primary and standby
  • Concepts are nearly identical
  • VRRP has preempt on by default
  • It also has lower default timers: 1 hello, 3 dead
  • It uses a virtual MAC of 0000.5E00.01xx, where xx is the group
  • Uses the vrrp interface command instead of standby
  • It has its own dedicated IP protocol number, 112, so it does not use UDP
  • It also has its own dedicated multicast group, 224.0.0.18
  • It can only track objects; it does not have the track interface option that HSRP has. In general a tracked object such as IP SLA is the better choice, as track interface depends on line protocol
  • It supports MD5 authentication, implemented the same way as in HSRP, with a key chain or key string
  • It also supports plain-text authentication
Commands

int fa0/1
vrrp 10 ip 155.0.0.10
vrrp 10 authentication md5 key-chain cisco
or
vrrp 10 authentication md5 key-string cisco
vrrp 10 preempt delay minimum 10 - wait 10 seconds before preempting


LAB

As this is almost identical to HSRP, I will just do a quick lab and then a lab on authentication.
This authentication would work on HSRP, VRRP or GLBP.



r6(config)#int fa0/0.146
r6(config-subif)#vrrp 10 ip 155.0.146.254
r6(config-subif)#
*Feb 25 12:54:13.795: %VRRP-6-STATECHANGE: Fa0/0.146 Grp 10 state Create -> Disable
*Feb 25 12:54:13.795: VRRP: Grp 10 Event - primary IP configured
*Feb 25 12:54:13.795: %VRRP-6-STATECHANGE: Fa0/0.146 Grp 10 state Disable -> Init
*Feb 25 12:54:13.795: VRRP: vrrp_interface_state: Fa0/0.146 is Up
*Feb 25 12:54:13.795: VRRP: Grp 10 Event - Interface UP
*Feb 25 12:54:13.795: %VRRP-6-STATECHANGE: Fa0/0.146 Grp 10 state Init -> Backup
*Feb 25 12:54:17.407: VRRP: Grp 10 Event - Master down timer expired
*Feb 25 12:54:17.407: %VRRP-6-STATECHANGE: Fa0/0.146 Grp 10 state Backup -> Master
*Feb 25 12:54:17.407: VRRP: tbridge_smf_update failed
*Feb 25 12:54:17.407: VRRP: Grp 10 sending Advertisement checksum 4CF4
*Feb 25 12:54:17.407: IP: s=155.0.146.6 (local), d=224.0.0.18 (FastEthernet0/0.146), len 40,
sending broad/multicast, proto=112
*Feb 25 12:54:18.407: VRRP: Grp 10 sending Advertisement checksum 4CF4
*Feb 25 12:54:18.407: IP: s=155.0.146.6 (local), d=224.0.0.18 (FastEthernet0/0.146), len 40,
sending broad/multicast, proto=112
*Feb 25 12:54:19.407: VRRP: Grp 10 sending Advertisement checksum 4CF4
*Feb 25 12:54:19.407: IP: s=155.0.146.6 (local), d=224.0.0.18 (FastEthernet0/0.146), len 40,
sending broad/multicast, proto=112
*Feb 25 12:54:20.407: VRRP: Grp 10 sending Advertisement checksum 4CF4
*Feb 25 12:54:20.407: IP: s=155.0.146.6 (local), d=224.0.0.18 (FastEthernet0/0.146), len 40,
sending broad/multicast, proto=112
*Feb 25 12:54:21.407: VRRP: Grp 10 sending Advertisement checksum 4CF4
*Feb 25 12:54:21.407: IP: s=155.0.146.6 (local), d=224.0.0.18 (FastEthernet0/0.146), len 40,
sending broad/multicast, proto=112
*Feb 25 12:54:22.407: VRRP: Grp 10 sending Advertisement checksum 4CF4
*Feb 25 12:54:22.407: IP: s=155.0.146.6 (local), d=224.0.0.18 (FastEthernet0/0.146), len 40,
sending broad/multicast, proto=112
*Feb 25 12:54:23.407: VRRP: Grp 10 sending Advertisement checksum 4CF4
*Feb 25 12:54:23.407: IP: s=155.0.146.6 (local), d=224.0.0.18 (FastEthernet0/0.146), len 40,
sending broad/multicast, proto=112
*Feb 25 12:54:24.407: VRRP: Grp 10 sending Advertisement checksum 4CF4
*Feb 25 12:54:24.407: IP: s=155.0.146.6 (local), d=224.0.0.18 (FastEthernet0/0.146), len 40,
sending broad/multicast, proto=112
*Feb 25 12:54:25.407: VRRP: Grp 10 sending Advertisement checksum 4CF4
*Feb 25 12:54:25.407: IP: s=155.0.146.6 (local), d=224.0.0.18 (FastEthernet0/0.146), len 40,
sending broad/multicast, proto=112
*Feb 25 12:54:26.407: VRRP: Grp 10 sending Advertisement checksum 4CF4
*Feb 25 12:54:26.407: IP: s=155.0.146.6 (local), d=224.0.0.18 (FastEthernet0/0.146), len 40,
sending broad/multicast, proto=112
OK, so we can see that it started in Disable, went to Init, then Backup, then Master, and then
it started sending to the multicast group 224.0.0.18. It has its own protocol number, 112; it is
not using UDP 1985 like HSRP was.


r4
---
r4#sh run int fa0/1
Building configuration...
Current configuration : 142 bytes
!
interface FastEthernet0/1
 ip address 155.0.146.4 255.255.255.0
 ip pim sparse-mode
 duplex auto
 speed auto
 vrrp 10 ip 155.0.146.254
end
r4#
One of the first things to notice is that preempt is on by default:

r4(config)#int fa0/1
r4(config-if)#vrrp 10 priority 105
r4(config-if)#
*Feb 25 12:44:25.875: %VRRP-6-STATECHANGE: Fa0/1 Grp 10 state Backup -> Master

So I do not need to configure preempt.

Next I will enable authentication on r4:
r4(config)#int fa0/1
r4(config-if)#vrrp 10 authentication ?
  WORD  Plain text authentication string
  md5   Use MD5 authentication
  text  Plain text authentication
r4(config-if)#vrrp 10 authentication md5 ?
  key-chain   Set key chain
  key-string  Set key string
r4(config-if)#vrrp 10 authentication md5 key-string PASSWORD

r4#sh vrrp
FastEthernet0/1 - Group 10
  State is Master
  Virtual IP address is 155.0.146.254
  Virtual MAC address is 0000.5e00.010a
  Advertisement interval is 1.000 sec
  Preemption enabled
  Priority is 105
  Authentication MD5, key-string "PASSWORD"
  Master Router is 155.0.146.4 (local), priority is 105
  Master Advertisement interval is 1.000 sec
  Master Down interval is 3.589 sec
r4#

If we go to r6:

r6#sh vrrp
FastEthernet0/0.146 - Group 10
  State is Master
  Virtual IP address is 155.0.146.254
  Virtual MAC address is 0000.5e00.010a
  Advertisement interval is 1.000 sec
  Preemption enabled
  Priority is 100
  Master Router is 155.0.146.6 (local), priority is 100
  Master Advertisement interval is 1.000 sec
  Master Down interval is 3.609 sec
r6#

Effectively VRRP is not working: both routers think they are master.

Basically r4 is rejecting r6's VRRP packets:
*Feb 25 12:53:11.875: VRRP: Grp 10 sending Advertisement checksum 2B15u
*Feb 25 12:53:12.487: VRRP: Grp 10 Advertisement from 155.0.146.6 has incorrect
                authentication type 0 expected 254
*Feb 25 12:53:12.875: VRRP: Grp 10 sending MD5 digest:

Because of the incorrect authentication, r6 does not receive a reply from r4, so it believes it is
the only VRRP router on the segment and goes to the Master state.
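
The advertisement r6 sends in the debug output can be decoded and checked offline. This is an added example, not part of the original lab: it parses a VRRPv2 advertisement (layout per RFC 3768), recomputes the checksum 4CF4 seen in the debug, and applies the authentication-type comparison r4 reported. The sample bytes are constructed from the values on this page, the function names are hypothetical, and the MD5 digest itself is not modelled.

```python
import ipaddress
import struct

AUTH_NONE = 0          # type r6 sent before authentication was configured
AUTH_CISCO_MD5 = 254   # type r4 expected, taken from its debug line

# Constructed sample: r6's advertisement rebuilt from the debug output
# (group 10, priority 100, 1 s interval, VIP 155.0.146.254, no auth).
# 20 bytes of VRRP + 20 bytes of IP header = the "len 40" in the debug.
R6_ADVERT = bytes.fromhex("210a640100014cf49b0092fe" + "00" * 8)

def inet_checksum(data: bytes) -> int:
    """16-bit one's-complement sum used for the VRRP checksum field."""
    data += b"\x00" * (len(data) % 2)
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_advert(pkt: bytes) -> dict:
    """Decode the fixed VRRPv2 header and the virtual IP list."""
    if len(pkt) < 8:
        raise ValueError("short VRRP packet")
    vt, vrid, prio, count, auth, intvl, cksum = struct.unpack("!BBBBBBH", pkt[:8])
    if len(pkt) < 8 + 4 * count:
        raise ValueError("truncated address list")
    vips = [str(ipaddress.IPv4Address(pkt[8 + 4 * i:12 + 4 * i])) for i in range(count)]
    return {"version": vt >> 4, "type": vt & 0xF, "vrid": vrid, "priority": prio,
            "auth_type": auth, "interval": intvl, "checksum": cksum, "vips": vips,
            "virtual_mac": f"0000.5e00.01{vrid:02x}"}

def receive_check(pkt: bytes, expected_auth: int, ttl: int = 255) -> str:
    """Return 'accept' or the reason a receiver would drop the packet."""
    if ttl != 255:                      # RFC 3768: adverts must arrive with TTL 255
        return "TTL is not 255"
    adv = parse_advert(pkt)
    if adv["version"] != 2 or adv["type"] != 1:
        return "not a VRRPv2 advertisement"
    # Recompute over the packet with the checksum field zeroed.
    if inet_checksum(pkt[:6] + b"\x00\x00" + pkt[8:]) != adv["checksum"]:
        return "bad checksum"
    if adv["auth_type"] != expected_auth:
        return (f"incorrect authentication type {adv['auth_type']} "
                f"expected {expected_auth}")
    return "accept"

if __name__ == "__main__":
    print(parse_advert(R6_ADVERT))
    print(receive_check(R6_ADVERT, AUTH_CISCO_MD5))
```
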
on r6
------

r6(config)#int fa0/0.146
r6(config-subif)#vrrp 10 authentication md5 key-string PASSWORD

r6#sh vrrp
FastEthernet0/0.146 - Group 10
  State is Backup
  Virtual IP address is 155.0.146.254
  Virtual MAC address is 0000.5e00.010a
  Advertisement interval is 1.000 sec
  Preemption enabled
  Priority is 100
  Authentication MD5, key-string "PASSWORD"
  Master Router is 155.0.146.4, priority is 105
  Master Advertisement interval is 1.000 sec
  Master Down interval is 3.609 sec (expires in 3.349 sec)

r6 has gone to Backup and we are back to a proper VRRP config.

We could also specify a key chain if we wanted to:
r6(config)#do sh run | sec key chain
key chain VRRP-KEY
 key 1
  key-string PASSWORD
  accept-lifetime 00:00:00 Jan 1 1993 infinite
r6(config)#
r6(config)#int fa0/0.146
r6(config-subif)#vrrp 10 authentication md5 key-chain VRRP-KEY

Another option for preempt, in HSRP, GLBP and VRRP:
r6(config-subif)#int fa0/0.146
r6(config-subif)#vrrp 10 preempt delay minimum 10

When a router finds out it has a higher priority, we can configure a delay of a few seconds so
that it does not preempt immediately.
