Configuring VRRP

Published by Joe Conklin on

What is VRRP and why to use it?

Virtual Router Redundancy Protocol (VRRP) is an election protocol that dynamically assigns responsibility for one or more virtual routers to the VRRP routers on a LAN, allowing several routers on a multiaccess link to utilize the same virtual IP address. A VRRP router is configured to run the VRRP protocol in conjunction with one or more other routers attached to a LAN. In a VRRP configuration, one router is elected as the virtual router master, with the other routers acting as backups in case the virtual router master fails.

In regards to using VRRP with dynamic routing protocols, routers do not use the virtual IP addresses of VRRP to form adjacencies. VRRP is designed to provide end-users devices and servers default gateway/router redundancy. For instance, EIGRP neighbor relationship are not formed with the VRRP Virtual IP Address but with the physical interface IP address. As such if you are using VRRP along with a dynamic routing protocol you should ensure your routes prefer the active router unless offline to avoid issues as only the active VRRP router for a group will forward packets.

In the network below there are a total of two routers, two end-user computers and one server. In the example below we will configure three VRRP groups, two for the LAN and one for the WAN network. R1 will be the primary gateway for PC1, and R2 the primary gateway for PC2. This will make use of both routers to prevent network capacity from being underutilized. R1 will be the active router for the 1.1.1.0/29 network and failover and failback must occur automatically. VRRP groups will also make use of authentication to prevent any rogue routers from interfering with VRRP operations.

Steps to configure VRRP

Step 1: Configure all applicable router interfaces on the routers R1 and R2, respectively.

R1(config)#interface FastEthernet0/0
R1(config-if)#ip address 1.1.1.1 255.255.255.248
!
R1(config)#interface FastEthernet0/1
R1(config-if)#ip address 10.1.0.1 255.255.255.0
R2(config)#interface FastEthernet0/0
R2(config-if)#ip address 1.1.1.2 255.255.255.248
!
R2(config)#interface FastEthernet0/1
R2(config-if)#ip address 10.1.0.2 255.255.255.0

Step 2: On Router R1 configure VRRP groups using the vrrp command, set the group virtual IP and priority 105 for VRRP groups 1 and 2 only. This will be repeated for both interfaces but each interface will participate in a separate VRRP group.

R1(config)#interface FastEthernet0/1
R1(config-if)#vrrp 1 ip 10.1.0.3
R1(config-if)#vrrp 1 priority 105
R1(config-if)#vrrp 3 ip 10.1.0.4
!
R1(config)#interface FastEthernet0/0
R1(config-if)#vrrp 2 ip 1.1.1.3
R1(config-if)#vrrp 2 priority 105

Step 3: On Router R2 configure a VRRP group using the vrrp command, set the group virtual IP and priority 105 for VRRP group 3 only. This will be repeated for both interfaces but each interface again will participate in separate VRRP groups.

R2(config)#interface FastEthernet0/1
R2(config-if)#vrrp 1 ip 10.1.0.3
R2(config-if)#vrrp 3 ip 10.1.0.4
R2(config-if)#vrrp 3 priority 105
!
R2(config)#interface FastEthernet0/0
R2(config-if)#vrrp 2 ip 1.1.1.3

NOTE: The vrrp 1 priority 105 is used to specify a higher priority for R1 ensuring it is always the active VRRP router. The default priority for VRRP routers is 100 and the default decrement is 10. This is the mechanism for R1 to enforce the higher priority and fail back from R2 to R1 when R1 comes back online.

Step 4: Configure VRRP tracking on R1 to decrement the routers priority when it sees any interface down. This is important because if one interface on either side of the router is down any traffic coming into the router will be unable to reach the desired destination.

R1(config)#track 1 interface FastEthernet0/0 line-protocol
R1(config)#track 2 interface FastEthernet0/1 line-protocol
!
R1(config)#interface FastEthernet0/1
R1(config-if)#vrrp 1 track 1 decrement 10
R1(config-if)#vrrp 1 track 2 decrement 10
R1(config-if)#vrrp 3 track 1 decrement 10
R1(config-if)#vrrp 3 track 2 decrement 10
!
R1(config)#interface FastEthernet0/0
R1(config-if)#vrrp 2 track 1 decrement 10
R1(config-if)#vrrp 2 track 2 decrement 10

Step 5: Repeat the steps again to configure VRRP tracking on R2.

R2(config)#track 1 interface FastEthernet0/0 line-protocol
R2(config)#track 2 interface FastEthernet0/1 line-protocol
!
R2(config)#interface FastEthernet0/1
R2(config-if)#vrrp 1 track 1 decrement 10
R2(config-if)#vrrp 1 track 2 decrement 10
R2(config-if)#vrrp 3 track 1 decrement 10
R2(config-if)#vrrp 3 track 2 decrement 10
!
R2(config)#interface FastEthernet0/0
R2(config-if)#vrrp 2 track 1 decrement 10
R2(config-if)#vrrp 2 track 2 decrement 10

Step 6: Configure VRRP authentication on R1 to prevent any unintended routers from joining the VRRP groups and causing unexpected results.

R1(config)#interface FastEthernet0/1
R1(config-if)#vrrp 1 authentication text password
R1(config-if)#vrrp 3 authentication text password
!
R1(config)#interface FastEthernet0/0
R1(config-if)#vrrp 2 authentication text password

Step 7: Repeat the steps again to configure VRRP authentication on R2.

R2(config)#interface FastEthernet0/1
R2(config-if)#vrrp 1 authentication text password
R2(config-if)#vrrp 3 authentication text password
!
R2(config)#interface FastEthernet0/0
R2(config-if)#vrrp 2 authentication text password

Verify the configuration

Now that the configuration is finished lets verify our VRRP deployment. Using the ping, traceroute and show ip route on PC1 we can verify connectivity, the path used to reach the destination and default gateway. You will find ping is successful from PC1 to Server and the path is PC1 to R1 to Server. On PC2 you will find ping is also successful but the path PC2 takes to reach Server is PC2 to R2 to Server.


On R1 issue the show vrrp command to verify the active VRRP routers. This will confirm R1 is the active router for groups 1 and 2, and R2 is the active router for group 3.

Now let's shutdown an interface on R1 and perform the same steps from PC1. As you can see everything functions the same with the only exception your default gateway, 10.1.0.3, is routed through the backup router R2 which is now the active VRRP router for VRRP groups 1, 2, and 3.

For the last verification step turn R1 back on and repeat the steps again. Your default gateway, 10.1.0.3, will again be routed through tR1 and is once again the active router for groups 1 and 2.

Categories: Cisco NetworkingCisco Routing

Related Posts

Cisco Networking

BGP Load Sharing

Load balancing with BGP is not possible in a multihomed environment with two ISPs. BGP selects only the single best path to a destination among the BGP paths that are learned from different ASs, which Read more…

Cisco Firewall

Configuring Dynamic Multipoint VPN and Zone Based Firewall

DMVPN provides the capability for creating a dynamic-mesh VPN network without having to pre-configure (static) all possible tunnel end-point peers, including IPsec (Internet Protocol Security) and ISAKMP (Internet Security Association and Key Management Protocol) peers. Read more…

Cisco Networking

Configuring Layer 2 MPLS VPN

Layer 2 VPNs are a type of Virtual Private Network (VPN) that uses MPLS labels to transport data. The communication occurs between routers that are known as Provider Edge routers (PEs), as they sit on Read more…