HP ProCurve VRRP

Setup

Today we’ll cover Virtual Router Redundancy Protocol (VRRP), which in basic terms provides IP address availability, and luckily it’s about as easy to set up as it is to say. It allows for the creation of one or more IP and MAC addresses per VLAN that are shared by multiple routers. When the first router fails or becomes otherwise unavailable, the next router in priority takes over the IP (called the virtual IP) and MAC. The obvious application for this feature, and the one we’ll be covering here, is to ensure that your gateway is always available. Anyone coming from a Cisco background will quickly recognize this as a derivative of Hot Standby Router Protocol (HSRP). This configuration was done on a 5400zl, but the same should apply to any ProCurve that supports VRRP.

Configuration of HP’s VRRP is relatively straightforward. To get started, we need to globally enable both ip routing and router vrrp. These settings will need to be enabled on all routers involved in the VRRP implementation.

 ip routing
 router vrrp
    enable
    exit

VRRP is configured per VLAN. Using VLAN 20 as our example, we’ll configure our first router as the owner. The owner is the highest-priority router for the VLAN and the one routing the data if it’s available. The VLAN IP and the virtual IP for the owner will be identical. The VRID is a unique identifier for this VRRP instance within the VLAN. This has two consequences: first, you can use the same VRID on another VLAN, and second, you can have multiple redundant IPs per VLAN.

 vlan 20
    name "Server"
    ip address 172.16.2.1 255.255.254.0
    vrrp vrid 20
       owner
       virtual-ip-address 172.16.2.1 255.255.254.0
       enable
       exit
    exit

Now that we have an owner, we need to configure our first backup router. After enabling ip routing and router vrrp on it as well, we create the same VLAN with the same VRID, the same virtual IP and its own IP address. We’ll set the priority relatively high at 200 (our owner is 255).

 vlan 20
    name "Server"
    ip address 172.16.2.2 255.255.254.0
    vrrp vrid 20
       backup
       virtual-ip-address 172.16.2.1 255.255.254.0
       priority 200
       enable
       exit
    exit

We’ll then create our second backup router using the same settings as above, with the exception of a lower priority.

 vlan 20
    name "Server"
    ip address 172.16.2.3 255.255.254.0
    vrrp vrid 20
       backup
       virtual-ip-address 172.16.2.1 255.255.254.0
       priority 100
       enable
       exit
    exit

We now have a double-redundant gateway for our VLAN. You can now expand this configuration for each of the VLANs on your routers. While there are other tweaks that can be done, such as modifying the VRRP advertisement interval or the preempt mode, unless you have a special circumstance you’ll want to leave the default settings.

Usage

After implementing your new VRRP, there are a few things you’ll want to keep an eye on. Using show vrrp will give you a good overview of your setup. Generally you’re looking to make sure your owners are staying masters and your backups are receiving advertise packets. If you start seeing your Near Failover and Become Master counts going up, you’ll want to investigate it ASAP as you’re going to see packet loss as the gateway juggles between the switches.

Considerations

  • VRID# – One thing you’ll likely notice in our configuration is that I’ve assigned the same number to both the vlan and the vrid. Why? The vrid is unique per vlan, meaning that you can have vrid 1 on multiple vlans with different subnets assigned to them and it’s completely independent. The “problem” is that despite being independent, the MAC address for the vrid is created using the vrid number, so if you use the same vrid number on another subnet you’ll get the same MAC address. You might be thinking, “But if they are on different subnets, what does it matter that they share MACs?” Strictly speaking it doesn’t, but it can be the cause of confusion, and when you’re dealing with an outage or investigating a failover you probably want things to be as clear as possible.

    VRRP Virtual Router Statistics Information

     Vlan ID                  : 20
     Virtual Router ID        : 1
     State                    : Master
     Up Time                  : 23 days
     Virtual MAC Address      : 00005e-000101
     Master's IP Address      : 172.16.2.1
     Associated IP Addr Count : 1          Near Failovers            : 0
     Advertise Pkts Rx        : 0          Become Master             : 1
     Zero Priority Rx         : 0          Zero Priority Tx          : 0
     Bad Length Pkts          : 0          Bad Type Pkts             : 0
     Mismatched Interval Pkts : 0          Mismatched Addr List Pkts : 0
     Mismatched IP TTL Pkts   : 0          Mismatched Auth Type Pkts : 0

    VRRP Virtual Router Statistics Information

     Vlan ID                  : 40
     Virtual Router ID        : 1
     State                    : Master
     Up Time                  : 24 days
     Virtual MAC Address      : 00005e-000101
     Master's IP Address      : 172.20.4.1
     Associated IP Addr Count : 1          Near Failovers            : 0
     Advertise Pkts Rx        : 1          Become Master             : 2
     Zero Priority Rx         : 0          Zero Priority Tx          : 0
     Bad Length Pkts          : 0          Bad Type Pkts             : 0
     Mismatched Interval Pkts : 0          Mismatched Addr List Pkts : 0
     Mismatched IP TTL Pkts   : 0          Mismatched Auth Type Pkts : 0

  • Virtual-IP-Ping – According to the VRRP RFC (RFC 3768, Section 6.4.3), the backup router should not respond to pings to the virtual IP. Without enabling this feature, anyone monitoring the system would quickly see when the owner has gone down, but would be oblivious to whether the backup has taken over as master. Now if you’re configuring by the book, you should have SNMP traps configured to catch this event, but that’s relying on the device to report. In a perfect world you’d have multiple ways to track an outage, and this is why I enable virtual-ip-ping.
  • Licensing – If you have a relatively new unit, you won’t have to worry about this, but anyone with an old 5400zl series ProCurve will need to purchase a Premium license to get this functionality.
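
The checks described under Usage and in the VRID# note can be scripted. The following is an added example, not part of the original post: it parses `show vrrp` statistics text, derives the expected virtual MAC from the VRID using the 00-00-5E-00-01-{VRID} rule for IPv4 VRRP, and reports reused MACs and failover counters. The function names, the sample text and the `become_master_baseline` threshold are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the two-column layout of the statistics output above.
SAMPLE = """\
VRRP Virtual Router Statistics Information
 Vlan ID : 20
 Virtual Router ID : 1
 Virtual MAC Address : 00005e-000101
 Associated IP Addr Count : 1 Near Failovers : 0
 Advertise Pkts Rx : 0 Become Master : 1
VRRP Virtual Router Statistics Information
 Vlan ID : 40
 Virtual Router ID : 1
 Virtual MAC Address : 00005e-000101
 Associated IP Addr Count : 1 Near Failovers : 3
 Advertise Pkts Rx : 9120 Become Master : 7
"""
HEADER = "VRRP Virtual Router Statistics Information"
FIELDS = ("Vlan ID", "Virtual Router ID", "Virtual MAC Address",
          "Near Failovers", "Become Master")

def parse_show_vrrp(text):
    """Return one dict per block; fields are matched by name, two share a line."""
    routers = []
    for block in text.split(HEADER)[1:]:
        found = {f: re.search(re.escape(f) + r"\s*:\s*(\S+)", block) for f in FIELDS}
        routers.append({f: m.group(1) for f, m in found.items() if m})
    return routers

def expected_mac(vrid):
    """IPv4 VRRP virtual MAC 00-00-5E-00-01-{VRID}, in ProCurve notation."""
    return "00005e-0001%02x" % vrid

def audit(routers, become_master_baseline=2):  # baseline is an assumed threshold
    findings, by_mac = [], defaultdict(list)
    for r in routers:
        vlan, vrid = r["Vlan ID"], int(r["Virtual Router ID"])
        mac = r["Virtual MAC Address"].lower()
        by_mac[mac].append(vlan)
        if mac != expected_mac(vrid):
            findings.append(f"vlan {vlan}: MAC {mac} does not match VRID {vrid}")
        if int(r["Near Failovers"]) or int(r["Become Master"]) > become_master_baseline:
            findings.append(f"vlan {vlan}: failover counters above baseline")
    for mac, vlans in by_mac.items():
        if len(vlans) > 1:
            findings.append(f"{mac} reused on vlans {', '.join(vlans)}")
    return findings
```

Calling `audit(parse_show_vrrp(SAMPLE))` returns the list of findings; comparing the counters between two captures taken some time apart gives a better signal than a fixed baseline.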

One thought on “HP ProCurve VRRP”

  1. Let’s say your next hop is a pair of firewalls that is configured in active/passive mode. How would you configure VRRP to handle which switch should be active? I read about a “track interface” command to track if an interface goes down, but in Active/Passive the interface won’t be offline.
