Cisco Nexus 9000 Series NX-OS Unicast Routing Configuration Guide, Release 10.5(x)

About VRRP

VRRP allows for a transparent failover at the first-hop IP router by configuring a group of routers to share a virtual IP address. VRRP selects an allowed router in that group to handle all packets for the virtual IP address. The remaining routers are in standby and take over if the allowed router fails.

VRRP Operation

A LAN client can determine which router should be the first hop to a particular remote destination by using a dynamic process or static configuration. Examples of dynamic router discovery are as follows:

Proxy ARP—The client uses Address Resolution Protocol (ARP) to get the destination it wants to reach, and a router responds to the ARP request with its own MAC address.

Routing protocol—The client listens to dynamic routing protocol updates (for example, from Routing Information Protocol [RIP]) and forms its own routing table.

ICMP Router Discovery Protocol (IRDP) client—The client runs an Internet Control Message Protocol (ICMP) router discovery client.

The disadvantage to dynamic discovery protocols is that they incur some configuration and processing overhead on the LAN client. Also, if a router fails, the process of switching to another router can be slow.

An alternative to dynamic discovery protocols is to statically configure a default router on the client. Although this approach simplifies client configuration and processing, it creates a single point of failure. If the default gateway fails, the LAN client is limited to communicating only on the local IP network segment and is cut off from the rest of the network.

VRRP can solve the static configuration problem by enabling a group of routers (a VRRP group) to share a single virtual IP address. You can then configure the LAN clients with the virtual IP address as their default gateway.

The following figure shows a basic VLAN topology. In this example, Routers A, B, and C form a VRRP group. The IP address of the group is the same address that was configured for the Ethernet interface of Router A (10.0.0.1).

Because the virtual IP address uses the IP address of the physical Ethernet interface of Router A, Router A is the primary (also known as the IP address owner). As the primary, Router A owns the virtual IP address of the VRRP group and forwards packets sent to this IP address. Clients 1 through 3 are configured with the default gateway IP address of 10.0.0.1.

Routers B and C function as backups. If the primary fails, the backup router with the highest priority becomes the primary and takes over the virtual IP address to provide uninterrupted service for the LAN hosts. When Router A recovers, it becomes the primary again.

Note

Packets received on a routed port destined for the VRRP virtual IP address terminate on the local router, regardless of whether that router is the primary VRRP router or a backup VRRP router. These packets include ping and Telnet traffic. Packets received on a Layer 2 (VLAN) interface destined for the VRRP virtual IP address terminate on the primary router.

VRRP Benefits

The benefits of VRRP are as follows:

Redundancy—Enables you to configure multiple routers as the default gateway router, which reduces the possibility of a single point of failure in a network.
Load sharing—Allows traffic to and from LAN clients to be shared by multiple routers. The traffic load is shared more equitably among available routers.
Multiple VRRP groups—Supports multiple VRRP groups on a router physical interface if the platform supports multiple MAC addresses. Multiple VRRP groups enable you to implement redundancy and load sharing in your LAN topology.
Multiple IP addresses—Allows you to manage multiple IP addresses, including secondary IP addresses. If you have multiple subnets that are configured on an Ethernet interface, you can configure VRRP on each subnet.
Preemption—Enables you to preempt a backup router that has taken over for a failing primary with a higher priority backup router that has become available.
Advertisement protocol—Uses a dedicated Internet Assigned Numbers Authority (IANA) standard multicast address (224.0.0.18) for VRRP advertisements. This addressing scheme minimizes the number of routers that must service the multicasts and allows test equipment to accurately identify VRRP packets on a segment. IANA has assigned the IP protocol number 112 to VRRP.
VRRP tracking—Ensures that the best VRRP router is the primary for the group by altering VRRP priorities based on interface states.

Multiple VRRP Groups

You can configure multiple VRRP groups on a physical interface. For the number of supported VRRP groups, see the Cisco Nexus 9000 Series NX-OS Verified Scalability Guide.

The number of VRRP groups that a router interface can support depends on the following factors:

Router processing capability
Router memory capability

In a topology where multiple VRRP groups are configured on a router interface, the interface can act as a primary for one VRRP group and as a backup for one or more other VRRP groups.

The following image shows a LAN topology in which VRRP is configured so that Routers A and B share the traffic to and from clients 1 through 4. Routers A and B act as backups to each other if either router fails.

Figure 2. Load Sharing and Redundancy VRRP Topology

This topology contains two virtual IP addresses for two VRRP groups that overlap. For VRRP group 1, Router A is the owner of IP address 10.0.0.1 and is the primary. Router B is the backup to Router A. Clients 1 and 2 are configured with the default gateway IP address of 10.0.0.1.

For VRRP group 2, Router B is the owner of IP address 10.0.0.2 and is the primary. Router A is the backup to router B. Clients 3 and 4 are configured with the default gateway IP address of 10.0.0.2.

VRRP Router Priority and Preemption

An important aspect of the VRRP redundancy scheme is the VRRP router priority because the priority determines the role that each VRRP router plays and what happens if the primary router fails.

If a VRRP router owns the virtual IP address and the IP address of the physical interface, this router functions as the primary. The priority of the primary is 255.

The priority also determines if a VRRP router functions as a backup router and the order of ascendancy to becoming a primary if the primary fails.

For example, if Router A, the primary in a LAN topology, fails, VRRP must determine if backups B or C should take over. If you configure Router B with priority 101 and Router C with the default priority of 100, VRRP selects Router B to become the primary because it has the higher priority. If you configure Routers B and C with the default priority of 100, VRRP selects the backup with the higher IP address to become the primary.

VRRP uses preemption to determine what happens after a VRRP backup router becomes the primary. With preemption enabled by default, VRRP switches to a backup if that backup comes online with a priority higher than the new primary. For example, if Router A is the primary and fails, VRRP selects Router B (next in order of priority). If Router C comes online with a higher priority than Router B, VRRP selects Router C as the new primary, even though Router B has not failed.

If you disable preemption, VRRP switches only if the original primary recovers or the new primary fails.

vPCs and VRRP

VRRP interoperates with virtual port channels (vPCs). vPCs allow links that are physically connected to two different Cisco Nexus 9000 Series switches to appear as a single port channel by a third device. See the Cisco Nexus 9000 Series NX-OS Layer 2 Switching Configuration Guide for more information on vPCs.

vPCs forward traffic through both the primary VRRP router and the backup VRRP router. See the Configuring VRRP Priority section.

Note

You should configure VRRP on the primary vPC peer device as active and VRRP on the vPC secondary device as standby.

VRRP Advertisements

The VRRP primary sends VRRP advertisements to other VRRP routers in the same group. The advertisements communicate the priority and state of the primary. Cisco NX-OS encapsulates the VRRP advertisements in IP packets and sends them to the IP multicast address assigned to the VRRP group. Cisco NX-OS sends the advertisements once every second by default, but you can configure a different advertisement interval.

VRRP Authentication

VRRP supports the following authentication functions:

No authentication
Plain text authentication

VRRP rejects packets in any of the following cases:

The authentication schemes differ on the router and in the incoming packet.
Text authentication strings differ on the router and in the incoming packet.

VRRP Tracking

VRRP supports the following options for tracking:

Native interface tracking—Tracks the state of an interface and uses that state to determine the priority of the VRRP router in a VRRP group. The tracked state is down if the interface is down or if the interface does not have a primary IP address.
Object tracking—Tracks the state of a configured object and uses that state to determine the priority of the VRRP router in a VRRP group. See Configuring Object Tracking for more information on object tracking.

If the tracked state (interface or object) goes down, VRRP updates the priority based on what you configure the new priority to be for the tracked state. When the tracked state comes up, VRRP restores the original priority for the virtual router group.

For example, you might want to lower the priority of a VRRP group member if its uplink to the network goes down so another group member can take over as primary for the VRRP group. See the Configuring VRRP Interface State Tracking section for more information.

Note

VRRP does not support Layer 2 interface tracking.

BFD for VRRP

This feature supports bidirectional forwarding detection (BFD). BFD is a detection protocol that provides fast-forwarding and path-failure detection times. BFD provides subsecond failure detection between two adjacent devices and can be less CPU-intensive than protocol hello messages because some of the BFD load can be distributed onto the data plane on supported modules. See the Cisco Nexus 9000 Series NX-OS Interfaces Configuration Guide for more information.

Information About VRRPv3 and VRRS

VRRP version 3 (VRRPv3) enables a group of switches to form a single virtual switch in order to provide redundancy and reduce the possibility of a single point of failure in a network. The LAN clients can then be configured with the virtual switch as their default gateway. The virtual switch, representing a group of switches, is also known as a VRRPv3 group.

Virtual Router Redundancy Service (VRRS) improves the scalability of VRRPv3 by providing a stateless redundancy service to VRRS pathways and VRRS clients by monitoring VRRPv3. VRRPv3 acts as a VRRS server that pushes VRRPv3 status information (such as current and previous redundancy states, active and inactive Layer 2 and Layer 3 addresses, and so on) to VRRS pathways and all registered VRRS clients.

VRRS clients are other Cisco processes or applications that use VRRPv3 to provide or withhold a service or resource dependent upon the state of the group. VRRS pathways are special VRRS clients that use the VRRS database information to provide scaled first-hop gateway redundancy across scaled interface environments.

VRRS by itself is limited to maintaining its own state. Linking a VRRS client to a VRRPv3 group provides a mechanism that allows VRRS to provide a service to client applications so that they can implement stateless or Stateful Failovers. A Stateful Failover requires communication with a nominated backup before the failure so that operational data is not lost when the failover occurs.

VRRS pathways operate in a similar way to clients but are integrated with the VRRS architecture. They provide a means to scale first-hop gateway redundancy by allowing you to configure a virtual address across hundreds of interfaces. The virtual gateway state of a VRRS pathway follows the state of a First-Hop Redundancy Protocol (FHRP) VRRS server.

VRRPv3 notifies VRRS of its current state (primary, backup, or nonoperational initial state [INIT]) and passes that information to pathways or clients. The VRRPv3 group name activates VRRS and associates the VRRPv3 group with any clients or pathways that are configured as part of VRRS with the same name.

Pathways and clients act on the VRRPv3 server state. When a VRRPv3 group changes states, VRRS pathways and clients alter their behavior (performing tasks such as shutting down interfaces or appending accounting logs) depending on the state that is received from VRRS.

VRRPv3 Benefits

The benefits of VRRPv3 are as follows:

Interoperability in multi-vendor environments
Support for the IPv4 and IPv6 address families
Improved scalability through the use of VRRS pathways

VRRPv3 Object Tracking

Beginning with Cisco NX-OS Release 9.2(2), VRRPv3 supports object tracking, which tracks the state of a configured object and uses that state to determine the priority of the VRRPv3 router in a VRRPv3 group. See Configuring Object Tracking for more information on object tracking.

If the tracked object goes down, VRRPv3 decrements the priority by the configured value. The default value is 10. If the same tracked object goes down again, no action is taken. When the tracked object comes up, VRRPv3 increments the priority by the configured value.

Note

VRRPv3 does not support Layer 2 interface tracking or native interface tracking.

High Availability

VRRP supports high availability through stateful restarts and stateful switchovers. A stateful restart occurs when the VRRP process fails and is restarted. A stateful switchover occurs when the active supervisor switches to the standby supervisor. Cisco NX-OS applies the run-time configuration after the switchover.

VRRPv3 does not support stateful switchovers.

Virtualization Support

VRRP supports virtual routing and forwarding (VRF) instances.

Guidelines and Limitations for VRRP

VRRP has the following configuration guidelines and limitations:

You cannot configure VRRP on the management interface.
When VRRP is enabled, you should replicate the VRRP configuration across devices in your network.
We recommend that you do not configure more than one first-hop redundancy protocol on the same interface.
You must configure an IP address for the interface on which you configure VRRP and enable that interface before VRRP becomes active.
Cisco NX-OS removes all Layer 3 configurations on an interface when you change the interface VRF membership or the port channel membership or when you change the port mode to Layer 2.
When you configure VRRP to track a Layer 2 interface, you must shut down the Layer 2 interface and reenable the interface to update the VRRP priority to reflect the state of the Layer 2 interface.

BFD for VRRP can only be configured between two routers.

Guidelines and Limitations for VRRPv3

VRRPv3 has the following configuration guidelines and limitations:

In release 9.3(1), the VRRPv3 feature supports a maximum of 4095 VRRPv3 groups and VRRS pathways on Cisco Nexus 9504, 9508, and 9516 switches with -R line cards.
VRRPv3 is not intended as a replacement for existing dynamic protocols. VRRPv3 is designed for use over multi-access, multicast, or broadcast-capable Ethernet LANs.
VRRPv3 is supported only on Ethernet and Fast Ethernet interfaces, bridge group virtual interfaces (BVIs), Gigabit Ethernet interfaces, and VLANs.
When VRRPv3 is in use, VRRPv2 is unavailable. To configure VRRPv3, you must disable any VRRPv2 configuration.
VRRS is currently available only for use with VRRPv3.
Use VRRPv3 millisecond timers only where absolutely necessary and with careful consideration and testing. Millisecond values work only under favorable circumstances. The millisecond timer values are compatible with third-party vendors as long as they also support VRRPv3.
Full network redundancy can be achieved only if VRRPv3 operates over the same network path as the VRRS pathway redundant interfaces. For full redundancy, the following restrictions apply:
- VRRS pathways should use the same physical interface as the parent VRRPv3 group or be configured on a subinterface with the same physical interface as the parent VRRPv3 group.
- VRRS pathways can be configured on switch virtual interfaces (SVIs) only if the associated VLAN shares the same trunk as the VLAN on which the parent VRRPv3 group is configured.
Unlike VRRPv2, VRRPv3 does not support bidirectional forwarding for faster failure detection.
Unlike VRRPv2, VRRPv3 does not support native interface tracking.
You must create the object before configuring object tracking.
The following guidelines and limitations apply to VRRPv3 object tracking:
- Beginning with Cisco NX-OS Release 9.2(2), all Cisco Nexus 9000 Series switches and line cards support VRRPv3 object tracking.
- We recommend that you do not use VRRPv3 object tracking in a vPC domain.

Default Settings for VRRP Parameters

The following table lists the default settings for VRRP parameters.

Table 1. Default VRRP Parameters
Parameters	Default
VRRP	Disabled
Advertisement interval	1 second
Authentication	No authentication
Preemption	Enabled
Priority	100

Default Settings for VRRPv3 Parameters

The following table lists the default settings for VRRPv3 parameters.

Table 2. Default VRRPv3 Parameters
Parameters	Default
VRRPv3	Disabled
VRRS	Disabled
VRRPv3 secondary address matching	Enabled
Priority of a VRRPv3 group	100
VRRPv3 advertisement timer	1000 milliseconds

Configuring VRRP

Note

If you are familiar with the Cisco IOS CLI, be aware that the Cisco NX-OS commands for this feature might differ from the Cisco IOS commands that you would use.

Enabling VRRP

You must globally enable VRRP before you configure and enable any VRRP groups.

SUMMARY STEPS

configure terminal
[no] feature vrrp
(Optional) copy running-config startup-config

DETAILED STEPS

Command or Action Purpose

Step 1

configure terminal

Example:

switch# configure terminal
switch(config)#

Enters global configuration mode.

Step 2

[no] feature vrrp

Example:

switch(config)# feature vrrp

Enables VRRP. Use the no form of this command to disable VRRP.

Step 3

(Optional) copy running-config startup-config

Example:

switch(config)# copy running-config startup-config

(Optional)

Copies the running configuration to the startup configuration.

Configuring VRRP Groups

You can create a VRRP group, assign the virtual IP address, and enable the group.

You can configure one virtual IPv4 address for a VRRP group. By default, the primary VRRP router drops the packets addressed directly to the virtual IP address because the VRRP primary is intended only as a next-hop router to forward packets. Some applications require that Cisco NX-OS accept packets that are addressed to the virtual router IP address. Use the secondary option to the virtual IP address to accept these packets when the local router is the VRRP primary.

Once you have configured the VRRP group, you must explicitly enable the group before it becomes active.

Before you begin

Ensure that you have configured an IP address on the interface. See Configuring IPv4 Addressing.

SUMMARY STEPS

configure terminal
interface interface-type slot/port
vrrp number
address ip-address [secondary]
no shutdown
(Optional) show vrrp
(Optional) copy running-config startup-config

DETAILED STEPS

	Command or Action	Purpose
Step 1	configure terminal Example: `switch# configure terminal switch(config)#`	Enters global configuration mode.
Step 2	interface `interface-type slot/port` Example: `switch(config)# interface ethernet 2/1 switch(config-if)#`	Enters interface configuration mode.
Step 3	vrrp `number` Example: `switch(config-if)# vrrp 250 switch(config-if-vrrp)#`	Creates a virtual router group. The range is 1–255.
Step 4	address `ip-address` [secondary] Example: `switch(config-if-vrrp)# address 192.0.2.8`	Configures the virtual IPv4 address for the specified VRRP group. This address should be in the same subnet as the IPv4 address of the interface. Use the secondary option only if applications require that VRRP routers accept the packets sent to the virtual router's IP address and deliver to applications.
Step 5	no shutdown Example: `switch(config-if-vrrp)# no shutdown`	Enables the VRRP group, which is disabled by default.
Step 6	(Optional) show vrrp Example: `switch(config-if-vrrp)# show vrrp`	(Optional) Displays a summary of VRRP information.
Step 7	(Optional) copy running-config startup-config Example: `switch(config-if-vrrp)# copy running-config startup-config`	(Optional) Copies the running configuration to the startup configuration.

Configuring VRRP Priority

The valid priority range for a virtual router is from 1 to 254 (1 is the lowest priority and 254 is the highest). The default priority value for backups is 100. For devices whose interface IP address is the same as the primary virtual IP address (the primary), the default value is 255.

If you configure VRRP on a vPC-enabled interface, you can optionally configure the upper and lower threshold values to control when to fail over to the vPC trunk. If the backup router priority falls below the lower threshold, VRRP sends all backup router traffic across the vPC trunk to forward through the primary VRRP router. VRRP maintains this scenario until the backup VRRP router priority increases above the upper threshold.

Before you begin

Ensure that you have configured an IP address on the interface. See Configuring IPv4 Addressing.

Ensure that you have enabled VRRP. (see the Configuring VRRP section).

SUMMARY STEPS

configure terminal
interface interface-type slot/port
vrrp number
shutdown
priority level [forwarding-threshold lower lower-value upper upper-value]
no shutdown
(Optional) show vrrp
(Optional) copy running-config startup-config

DETAILED STEPS

	Command or Action	Purpose
Step 1	configure terminal Example: `switch# configure terminal switch(config)#`	Enters global configuration mode.
Step 2	interface `interface-type slot/port` Example: `switch(config)# interface ethernet 2/1 switch(config-if)#`	Enters interface configuration mode.
Step 3	vrrp `number` Example: `switch(config-if)# vrrp 250 switch(config-if-vrrp)#`	Creates a virtual router group.
Step 4	shutdown Example: `switch(config-if-vrrp)# shutdown`	Disables the VRRP group.
Step 5	priority `level` [forwarding-threshold lower `lower-value` upper `upper-value`] Example: `switch(config-if-vrrp)# priority 60 forwarding-threshold lower 40 upper 50`	Sets the priority level used to select the active router in a VRRP group. The `level` range is 1–254. The default is 100 for backups and 255 for a primary that has an interface IP address equal to the virtual IP address. Optionally, sets the upper and lower threshold values that are used by vPC to determine when to fail over to the vPC trunk. The `lower-value` range is 1–255. The default is 1. The `upper-value` range is 1–255. The default is 255.
Step 6	no shutdown Example: `switch(config-if-vrrp)# no shutdown`	Enables the VRRP group.
Step 7	(Optional) show vrrp Example: `switch(config-if-vrrp)# show vrrp`	(Optional) Displays a summary of VRRP information.
Step 8	(Optional) copy running-config startup-config Example: `switch(config-if-vrrp)# copy running-config startup-config`	(Optional) Copies the running configuration to the startup configuration.

Configuring VRRP Authentication

You can configure simple text authentication for a VRRP group.

Before you begin

Ensure that you have configured an IP address on the interface (see Configuring IPv4 Addressing).

Ensure that you have enabled VRRP (see the Configuring VRRP section).

Ensure that the authentication configuration is identical for all VRRP devices in the network.

SUMMARY STEPS

configure terminal
interface interface-type slot/port
vrrp number
shutdown
authentication text password
no shutdown
(Optional) show vrrp
(Optional) copy running-config startup-config

DETAILED STEPS

	Command or Action	Purpose
Step 1	configure terminal Example: `switch# configure terminal switch(config)#`	Enters global configuration mode.
Step 2	interface `interface-type slot/port` Example: `switch(config)# interface ethernet 2/1 switch(config-if)#`	Enters interface configuration mode.
Step 3	vrrp `number` Example: `switch(config-if)# vrrp 250 switch(config-if-vrrp)#`	Creates a virtual router group.
Step 4	shutdown Example: `switch(config-if-vrrp)# shutdown`	Disables the VRRP group.
Step 5	authentication text `password` Example: `switch(config-if-vrrp)# authentication text aPassword`	Assigns the simple text authentication option and specifies the keyname password. The keyname range is from 1 to 255 characters. We recommend that you use at least 16 characters. The text password is up to eight alphanumeric characters.
Step 6	no shutdown Example: `switch(config-if-vrrp)# no shutdown`	Enables the VRRP group, which is disabled by default.
Step 7	(Optional) show vrrp Example: `switch(config-if-vrrp)# show vrrp`	(Optional) Displays a summary of VRRP information.
Step 8	(Optional) copy running-config startup-config Example: `switch(config-if-vrrp)# copy running-config startup-config`	(Optional) Copies the running configuration to the startup configuration.

Configuring Time Intervals for Advertisement Packets

You can configure the time intervals for advertisement packets.

Before you begin

Ensure that you have configured an IP address on the interface (see Configuring IPv4 Addressing).

Ensure that you have enabled VRRP (see the Configuring VRRP section).

SUMMARY STEPS

configure terminal
interface interface-type slot/port
vrrp number
shutdown
advertisement interval seconds
no shutdown
(Optional) show vrrp
(Optional) copy running-config startup-config

DETAILED STEPS

	Command or Action	Purpose
Step 1	configure terminal Example: `switch# configure terminal switch(config)#`	Enters global configuration mode.
Step 2	interface `interface-type slot/port` Example: `switch(config)# interface ethernet 2/1 switch(config-if)#`	Enters interface configuration mode.
Step 3	vrrp `number` Example: `switch(config-if)# vrrp 250 switch(config-if-vrrp)#`	Creates a virtual router group.
Step 4	shutdown Example: `switch(config-if-vrrp)# shutdown`	Disables the VRRP group.
Step 5	advertisement interval `seconds` Example: `switch(config-if-vrrp)# advertisement-interval 15`	Sets the interval time in seconds between sending advertisement frames. The range is from 1 to 255. The default is 1 second.
Step 6	no shutdown Example: `switch(config-if-vrrp)# no shutdown`	Enables the VRRP group.
Step 7	(Optional) show vrrp Example: `switch(config-if-vrrp)# show vrrp`	(Optional) Displays a summary of VRRP information.
Step 8	(Optional) copy running-config startup-config Example: `switch(config-if-vrrp)# copy running-config startup-config`	(Optional) Copies the running configuration to the startup configuration.

Disabling Preemption

You can disable preemption for a VRRP group member. If you disable preemption, a higher-priority backup router does not take over for a lower-priority primary router. Preemption is enabled by default.

Before you begin

Ensure that you have configured an IP address on the interface. See Configuring IPv4 Addressing.

Ensure that you have enabled VRRP. See the Configuring VRRP section.

SUMMARY STEPS

configure terminal
interface interface-type slot/port
vrrp number
shutdown
no preempt
no shutdown
(Optional) show vrrp
(Optional) copy running-config startup-config

DETAILED STEPS

	Command or Action	Purpose
Step 1	configure terminal Example: `switch# configure terminal switch(config)#`	Enters global configuration mode.
Step 2	interface `interface-type slot/port` Example: `switch(config)# interface ethernet 2/1 switch(config-if)#`	Enters interface configuration mode.
Step 3	vrrp `number` Example: `switch(config-if)# vrrp 250 switch(config-if-vrrp)#`	Creates a virtual router group.
Step 4	shutdown Example: `switch(config-if-vrrp)# shutdown`	Disables the VRRP group.
Step 5	no preempt Example: `switch(config-if-vrrp)# no preempt`	Disables the preempt option and allows the primary to remain when a higher-priority backup appears.
Step 6	no shutdown Example: `switch(config-if-vrrp)# no shutdown`	Enables the VRRP group.
Step 7	(Optional) show vrrp Example: `switch(config-if-vrrp)# show vrrp`	(Optional) Displays a summary of VRRP information.
Step 8	(Optional) copy running-config startup-config Example: `switch(config-if-vrrp)# copy running-config startup-config`	(Optional) Copies the running configuration to the startup configuration.

Configuring VRRP Interface State Tracking

Interface state tracking changes the priority of the virtual router based on the state of another interface in the device. When the tracked interface goes down or the IP address is removed, Cisco NX-OS assigns the tracking priority value to the virtual router. When the tracked interface comes up and an IP address is configured on this interface, Cisco NX-OS restores the configured priority to the virtual router (see the Configuring VRRP Priority section).

Note

VRRP does not support Layer 2 interface tracking.

Before you begin

Ensure that you have configured an IP address on the interface (see Configuring IPv4 Addressing).

Ensure that you have enabled VRRP (see the Configuring VRRP section).

Ensure that you have enabled the virtual router (see the Configuring VRRP Groups section).

Ensure that you have enabled preemption on the interface.

SUMMARY STEPS

configure terminal
interface interface-type slot/port
vrrp number
shutdown
track interface type slot/port priority value
no shutdown
(Optional) show vrrp
(Optional) copy running-config startup-config

DETAILED STEPS

	Command or Action	Purpose
Step 1	configure terminal Example: `switch# configure terminal switch(config)#`	Enters global configuration mode.
Step 2	interface `interface-type slot/port` Example: `switch(config)# interface ethernet 2/1 switch(config-if)#`	Enters interface configuration mode.
Step 3	vrrp `number` Example: `switch(config-if)# vrrp 250 switch(config-if-vrrp)#`	Creates a virtual router group.
Step 4	shutdown Example: `switch(config-if-vrrp)# shutdown`	Disables the VRRP group.
Step 5	track interface `type slot/port` priority `value` Example: `switch(config-if-vrrp)# track interface ethernet 2/10 priority 254`	Enables interface priority tracking for a VRRP group. The priority range is from 1 to 254.
Step 6	no shutdown Example: `switch(config-if-vrrp)# no shutdown`	Enables the VRRP group.
Step 7	(Optional) show vrrp Example: `switch(config-if-vrrp)# show vrrp`	(Optional) Displays a summary of VRRP information.
Step 8	(Optional) copy running-config startup-config Example: `switch(config-if-vrrp)# copy running-config startup-config`	(Optional) Copies the running configuration to the startup configuration.

Configuring VRRP Object Tracking

You can track an IPv4 object using VRRP.

Before you begin

Make sure that VRRP is enabled.

Configure object tracking using the commands in Configuring Object Tracking section.

SUMMARY STEPS

configure terminal
interface type number
vrrp number address-family ipv4
track object-number decrement number
(Optional) show running-config vrrp
(Optional) copy running-config startup-config

DETAILED STEPS

	Command or Action	Purpose
Step 1	configure terminal Example: `switch# configure terminal switch(config)#`	Enters global configuration mode.
Step 2	interface type number Example: `switch(config)# switch(config-if)# interface ethernet 2/1 switch(config-if)#`	Specifies an interface and enters interface configuration mode.
Step 3	vrrp `number` address-family ipv4 Example: `switch(config-if)# vrrp 5 address-family ipv4 switch(config-if-vrrp-group)#`	Creates a VRRP group for IPv4 and enters VRRP vrrp number address-family ipv4 group configuration mode. The range is from 1 to 255.
Step 4	track `object-number` decrement `number` Example: `switch(config-if-vrrp-group)# track 1 decrement 2`	Creates a virtual router group. The range is from 1 to 255.
Step 5	(Optional) show running-config vrrp Example: `switch(config-if-vrrp-group)# show running-config vrrp`	(Optional) Displays the running configuration for VRRP.
Step 6	(Optional) copy running-config startup-config Example: `switch(config-if-vrrp-group)# copy running-config startup-config`	(Optional) Saves this configuration change.

Configuring VRRPv3

Enabling VRRPv3 and VRRS

You must globally enable VRRPv3 before you can configure and enable any VRRPv3 groups.

SUMMARY STEPS

configure terminal
[no] feature vrrpv3
(Optional) copy running-config startup-config

DETAILED STEPS

Command or Action Purpose

Step 1

configure terminal

Example:

switch# configure terminal
switch(config)#

Enters global configuration mode.

Step 2

[no] feature vrrpv3

Example:

switch(config)# feature vrrpv3

Enables VRRP version 3 and Virtual Router Redundancy Service (VRRS). The no form of this command disables VRRPv3 and VRRS.

If VRRPv2 is currently configured, use the no feature vrrp command in global configuration mode to remove the VRRPv2 configuration and then use the feature vrrpv3 command to enable VRRPv3.

Step 3

(Optional) copy running-config startup-config

Example:

switch(config)# copy running-config startup-config

(Optional)

Copies the running configuration to the startup configuration.

Creating VRRPv3 Groups

You can create a VRRPv3 group, assign the virtual IP address, and enable the group.

Before you begin

Make sure that VRRPv3 is enabled.

Make sure that you have configured an IP address on the interface.

SUMMARY STEPS

configure terminal
interface ethernet slot/port
vrrpv3 number address-family [ipv4 | ipv6]
(Optional) address ip-address [primary | secondary]
(Optional) description description
(Optional) match-address
(Optional) preempt [delay minimum seconds]
(Optional) priority level
(Optional) timers advertise interval
(Optional) vrrp2
(Optional) vrrs leader vrrs-leader-name
(Optional) shutdown
(Optional) show fhrp [interface-type interface-number] [verbose]
(Optional) show vrrpv3 interface-type interface-number
(Optional) copy running-config startup-config

DETAILED STEPS

	Command or Action	Purpose
Step 1	configure terminal Example: `switch# configure terminal switch(config)#`	Enters global configuration mode.
Step 2	interface ethernet `slot/port` Example: `switch(config)# interface ethernet 2/1 switch(config-if)#`	Enters interface configuration mode.
Step 3	vrrpv3 `number` address-family [ipv4 \| ipv6] Example: `switch(config-if)# vrrpv3 5 address-family ipv4 switch(config-if-vrrpv3-group)#`	Creates a VRRPv3 group and enters VRRPv3 group configuration mode. The range is 1–255.
Step 4	(Optional) address `ip-address` [primary \| secondary] Example: `switch(config-if-vrrpv3-group)# address 100.0.1.10 primary`	(Optional) Specifies a primary or secondary IPv4 or IPv6 address for the VRRPv3 group. To utilize secondary IP addresses in a VRRPv3 group, you must first configure a primary IP address on the same group.
Step 5	(Optional) description `description` Example: `switch(config-if-vrrpv3-group)# description group3`	(Optional) Specifies a description for the VRRPv3 group. You can enter up to 80 alphanumeric characters.
Step 6	(Optional) match-address Example: `switch(config-if-vrrpv3-group)# match-address`	(Optional) Matches the secondary address in the advertisement packet against the configured address.
Step 7	(Optional) preempt [delay minimum `seconds`] Example: `switch(config-if-vrrpv3-group)# preempt delay minimum 30`	(Optional) Enables preemption of a lower priority primary switch with an optional delay. The range is 0–3600.
Step 8	(Optional) priority `level` Example: `switch(config-if-vrrpv3-group)# priority 3`	(Optional) Specifies the priority of the VRRPv3 group. The range is 1–254.
Step 9	(Optional) timers advertise `interval` Example: `switch(config-if-vrrpv3-group)# timers advertise 1000`	(Optional) Sets the advertisement timer in milliseconds. The range is 100–40950. Cisco recommends that you set this timer to a value greater than or equal to 1 second.
Step 10	(Optional) vrrp2 Example: `switch(config-if-vrrpv3-group)# vrrp2`	(Optional) Enables support for VRRPv2 simultaneously to ensure interoperability with devices that support only VRRPv2. VRRPv2 compatibility mode is provided to allow an upgrade from VRRPv2 to VRRPv3. This is not a full VRRPv2 implementation and should be used only to perform an upgrade.
Step 11	(Optional) vrrs leader `vrrs-leader-name` Example: `switch(config-if-vrrpv3-group)# vrrs leader leader1`	(Optional) Specifies a leader's name to be registered with VRRS.
Step 12	(Optional) shutdown Example: `switch(config-if-vrrpv3-group)# shutdown`	(Optional) Disables the VRRP configuration for the VRRPv3 group.
Step 13	(Optional) show fhrp [`interface-type interface-number`] [verbose] Example: `switch(config-if-vrrpv3-group)# show fhrp ethernet 2/1 verbose`	(Optional) Displays First Hop Redundancy Protocol (FHRP) information. Use the verbose keyword to view detailed information.
Step 14	(Optional) show vrrpv3 `interface-type interface-number` Example: `switch(config-if-vrrpv3-group)# show vrrpv3 ethernet 2/1`	(Optional) Displays the VRRPv3 configuration information for the specified interface.
Step 15	(Optional) copy running-config startup-config Example: `switch(config-if-vrrpv3-group)# copy running-config startup-config`	(Optional) Copies the running configuration to the startup configuration.

Configuring VRRPv3 Control Groups

You can configure VRRPv3 control groups.

Before you begin

Make sure that VRRPv3 is enabled.

Make sure that you have configured an IP address on the interface.

SUMMARY STEPS

configure terminal
interface ethernet slot/port
ip address ip-address mask [secondary]
vrrpv3 number address-family [ipv4 | ipv6]
(Optional) address ip-address [primary | secondary]
(Optional) shutdown
(Optional) show fhrp [interface-type interface-number] [verbose]
(Optional) show vrrpv3 interface-type interface-number
(Optional) copy running-config startup-config

DETAILED STEPS

	Command or Action	Purpose
Step 1	configure terminal Example: `switch# configure terminal switch(config)#`	Enters global configuration mode.
Step 2	interface ethernet `slot/port` Example: `switch(config)# interface ethernet 2/1 switch(config-if)#`	Enters interface configuration mode.
Step 3	ip address `ip-address mask` [secondary] Example: `switch(config-if)# ip address 209.165.200.230 255.255.255.224`	Configures the IP address on the interface. You can use the secondary keyword to configure additional IP addresses on the interface.
Step 4	vrrpv3 `number` address-family [ipv4 \| ipv6] Example: `switch(config-if)# vrrpv3 5 address-family ipv4 switch(config-if-vrrpv3-group)#`	Creates a VRRPv3 group and enters VRRPv3 group configuration mode. The range is from 1 to 255.
Step 5	(Optional) address `ip-address` [primary \| secondary] Example: `switch(config-if-vrrpv3-group)# address 209.165.200.227 primary`	(Optional) Specifies a primary or secondary IPv4 or IPv6 address for the VRRPv3 group.
Step 6	(Optional) shutdown Example: `switch(config-if-vrrpv3-group)# shutdown`	(Optional) Disables the VRRP configuration for the VRRPv3 group.
Step 7	(Optional) show fhrp [`interface-type interface-number`] [verbose] Example: `switch(config-if-vrrpv3-group)# show fhrp ethernet 2/1 verbose`	(Optional) Displays First Hop Redundancy Protocol (FHRP) information. Use the verbose keyword to view detailed information.
Step 8	(Optional) show vrrpv3 `interface-type interface-number` Example: `switch(config-if-vrrpv3-group)# show vrrpv3 ethernet 2/1`	(Optional) Displays the VRRPv3 configuration information for the specified interface.
Step 9	(Optional) copy running-config startup-config Example: `switch(config-if-vrrpv3-group)# copy running-config startup-config`	(Optional) Copies the running configuration to the startup configuration.

Configuring VRRPv3 Object Tracking

You can track an IPv4 or IPv4 object using VRRPv3.

Before you begin

Make sure that VRRPv3 is enabled.

Configure object tracking using the commands in Configuring Object Tracking section.

SUMMARY STEPS

configure terminal
interface type number
vrrpv3 number address-family [ipv4 | ipv6]
track object-number decrement number
(Optional) show running-config vrrpv3
(Optional) copy running-config startup-config

DETAILED STEPS

	Command or Action	Purpose
Step 1	configure terminal Example: `switch# configure terminal switch(config)#`	Enters global configuration mode.
Step 2	interface type number Example: `switch(config)# switch(config-if)# interface ethernet 2/1 switch(config-if)#`	Specifies an interface and enters interface configuration mode.
Step 3	vrrpv3 `number` address-family [ipv4 \| ipv6] Example: `switch(config-if)# vrrpv3 5 address-family ipv6 switch(config-if-vrrpv3-group)#`	Creates a VRRPv3 group for IPv4 or IPv6 and enters VRRPv3 group configuration mode. The range is from 1 to 255.
Step 4	track `object-number` decrement `number` Example: `switch(config-if-vrrpv3-group)# object-track 1 decrement 2`	Configures the process to track the state of the IPv4 or IPv6 object using the VRRPv3 group. VRRPv3 on the interface registers with the tracking process to be informed of any changes to the object in the VRRPv3 group. If the object state on the interface goes down, the priority of the VRRPv3 group is reduced by the decrement number specified.
Step 5	(Optional) show running-config vrrpv3 Example: `switch(config-if-vrrp-group)# show running-config vrrp`	(Optional) Displays the running configuration for VRRPv3.
Step 6	(Optional) copy running-config startup-config Example: `switch(config-if-vrrp-group)# copy running-config startup-config`	(Optional) Saves this configuration change.

Configuring VRRS Pathways

You can configure a Virtual Router Redundancy Service (VRRS) pathway. In scaled environments, VRRS pathways should be used in combination with VRRPv3 control groups.

Before you begin

Make sure that VRRPv3 is enabled.

Make sure that you have configured an IP address on the interface.

SUMMARY STEPS

configure terminal
interface ethernet slot/port
ip address ip-address mask [secondary]
vrrs pathway vrrs-tag
mac address {mac-address | inherit}
address ip-address
(Optional) show vrrs pathway interface-type interface-number
(Optional) copy running-config startup-config

DETAILED STEPS

	Command or Action	Purpose
Step 1	configure terminal Example: `switch# configure terminal switch(config)#`	Enters global configuration mode.
Step 2	interface ethernet `slot/port` Example: `switch(config)# interface ethernet 2/1 switch(config-if)#`	Enters interface configuration mode.
Step 3	ip address `ip-address mask` [secondary] Example: `switch(config-if)# ip address 209.165.200.230 255.255.255.224`	Configures the IP address on the interface. You can use the secondary keyword to configure additional IP addresses on the interface.
Step 4	vrrs pathway `vrrs-tag` Example: `switch(config-if)# vrrs pathway path1 switch(config-if-vrrs-pw)#`	Defines the VRRS pathway for a VRRS group and enters VRRS pathway configuration mode. The `vrrs-tag` argument specifies the name of the VRRS tag that is being associated with the pathway.
Step 5	mac address {`mac-address` \| inherit} Example: `switch(config-if-vrrs-pw)# mac address fe24.fe24.fe24`	Specifies a MAC address for the pathway. The inherit keyword causes the pathway to inherit the virtual MAC address of the VRRPv3 group with which the pathway is associated.
Step 6	address `ip-address` Example: `switch(config-if-vrrs-pw)# address 209.165.201.10`	Defines the virtual IPv4 or IPv6 address for a pathway. A VRRPv3 group is capable of controlling more than one pathway.
Step 7	(Optional) show vrrs pathway `interface-type interface-number` Example: `switch(config-if-vrrs-pw)# show vrrs pathway ethernet 1/2`	(Optional) Displays the VRRS pathway information for different pathway states, such as active, inactive, and not ready.
Step 8	(Optional) copy running-config startup-config Example: `switch(config-if-vrrs-pw)# copy running-config startup-config`	(Optional) Copies the running configuration to the startup configuration.

Verifying the VRRP Configuration

To display VRRP configuration information, perform one of the following tasks:


Command	Purpose
show interface `interface-type`	Displays the virtual router configuration for an interface.
show fhrp `interface-type interface-number`	Displays First Hop Redundancy Protocol (FHRP) information.
show vrrp [`group-number`]	Displays the VRRP status for all groups or for a specific VRRP group.

Verifying the VRRPv3 Configuration

To display VRRPv3 configuration information, perform one of the following tasks:


Command	Purpose
show vrrpv3 [all \| brief \| detail]	Displays the VRRPv3 configuration information.
show vrrpv3 `interface-type interface-number`	Displays the VRRPv3 configuration information for a specific interface.
show vrrs client [`client-name`]	Displays the VRRS client information.
show vrrs pathway [`interface-type interface-number`]	Displays the VRRS pathway information for different pathway states, such as active, inactive, and not ready.
show vrrs server	Displays the VRRS server information.
show vrrs tag [`tag-name`]	Displays the VRRS tag information.

Monitoring and Clearing VRRP Statistics

To display VRRP statistics, use the following commands:


Command	Purpose
show vrrp statistics	Displays the VRRP statistics.

Use the clear vrrp statistics command to clear the VRRP statistics for all interfaces on the device.

Monitoring and Clearing VRRPv3 Statistics

To display VRRPv3 statistics, use the following commands:


Command	Purpose
show vrrpv3 statistics	Displays the VRRPv3 statistics.

Use the clear vrrpv3 statistics command to clear the VRRPv3 statistics for all interfaces on the device.

Configuration Examples for VRRP

In this example, Router A and Router B each belong to three VRRP groups. In the configuration, each group has the following properties:

Group 1:
- Virtual IP address is 10.1.0.10.
- Router A becomes the primary for this group with priority 120.
- Advertising interval is 3 seconds.
- Pre-emption is enabled.
Group 5:
- Router B becomes the primary for this group with priority 200.
- Advertising interval is 30 seconds.
- Pre-emption is enabled.
Group 100:
- Router A becomes the primary for this group first because it has a higher IP address (10.1.0.2).
- Advertising interval is the default of 1 second.
- Pre-emption is disabled.

Router A

switch (config)# interface ethernet 1/1
switch (config-if)# ip address 10.1.0.1/16   
switch (config-if)# no shutdown
switch (config-if)# vrrp 1  
switch (config-if-vrrp)# priority 120 
switch (config-if-vrrp)# authentication text cisco
switch (config-if-vrrp)# advertisement-interval 3
switch (config-if-vrrp)# address 10.1.0.10 
switch (config-if-vrrp)# no shutdown
switch (config-if-vrrp)# exit
switch (config-if)# vrrp 5  
switch (config-if-vrrp)# priority 100 
switch (config-if-vrrp)# advertisement-interval 30 
switch (config-if-vrrp)# address 10.1.0.50 
switch (config-if-vrrp)# no shutdown
switch (config-if-vrrp)# exit
switch (config-if)# vrrp 100  
switch (config-if-vrrp)# no preempt 
switch (config-if-vrrp)# address 10.1.0.100 
switch (config-if-vrrp)# no shutdown

Router B

switch (config)# interface ethernet 1/1
switch (config-if)# ip address 10.1.0.2/16 
switch (config-if)# no shutdown
switch (config-if)# vrrp 1  
switch (config-if-vrrp)# priority 100 
switch (config-if-vrrp)# authentication text cisco 
switch (config-if-vrrp)# advertisement-interval 3 
switch (config-if-vrrp)# address 10.1.0.10 
switch (config-if-vrrp)# no shutdown
switch (config-if-vrrp)# exit
switch (config-if)# vrrp 5 
switch (config-if-vrrp)# priority 200 
switch (config-if-vrrp)# advertisement-interval 30 
switch (config-if-vrrp)# address 10.2.0.50 
switch (config-if-vrrp)# no shutdown
switch (config-if-vrrp)# exit
switch (config-if)# vrrp 100  
switch (config-if-vrrp)# no preempt 
switch (config-if-vrrp)# address 10.2.0.100 
switch (config-if-vrrp)# no shutdown

Configuration Examples for VRRPv3

This example shows how to enable VRRPv3 and create and customize a VRRPv3 group:

switch# configure terminal
switch(config)# feature vrrpv3
switch(config)# interface ethernet 4/6
switch(config-if)# vrrpv3 5 address-family ipv4 
switch(config-if-vrrp3-group)# address 209.165.200.225 primary
switch(config-if-vrrp3-group)# description group3
switch(config-if-vrrp3-group)# match-address
switch(config-if-vrrp3-group)# preempt delay minimum 30
switch(config-if-vrrpv3-group)# show fhrp ethernet 4/6 verbose
switch(config-if-vrrpv3-group)# show vrrpv3 ethernet 4/6

This example shows how to configure a VRRPv3 control group:

switch# configure terminal
switch(config)# interface ethernet 1/2
switch(config-if)# ip address 209.165.200.230 255.255.255.224
switch(config-if)# vrrpv3 5 address-family ipv4
switch(config-if-vrrpv3-group)# address 209.165.200.227 primary
switch(config-if-vrrpv3-group)# vrrs leader leader1
switch(config-if-vrrpv3-group)# shutdown
switch(config-if-vrrpv3-group)# show fhrp ethernet 1/2 verbose
switch(config-if-vrrpv3-group)# show vrrpv3 ethernet 1/2

This example shows how to configure object tracking for VRRPv3:

track 1 interface Ethernet1/12 ip routing
track 2 interface Ethernet1/12 ipv6 routing
track 3 interface Ethernet1/12 line-protocol
track 4 interface Ethernet1/12.1 ip routing
track 5 interface Ethernet1/12.1 ipv6 routing
track 6 interface Ethernet1/12.1 line-protocol
track 7 interface loopback1 ip routing
track 8 interface loopback1 ipv6 routing
track 9 interface loopback1 line-protocol
track 10 interface port-channel1 ip routing
track 11 interface port-channel1 ipv6 routing
track 12 interface port-channel1 line-protocol
track 13 ip route 170.10.10.10/24 reachability
track 14 ip route 180.10.10.0/24 reachability hmm
track 15 ipv6 route 2001::170:10:10:10/128 reachability
track 16 list boolean and
object 1
object 2
interface Vlan10
vrrpv3 10 address-family ipv4
timers advertise 100
priority 200
object-track 1 decrement 2
object-track 2 decrement 2
object-track 3 decrement 2
object-track 4 decrement 2
object-track 5 decrement 2
object-track 6 decrement 2
object-track 7 decrement 2
object-track 8 decrement 2
object-track 9 decrement 2
object-track 10 decrement 2
address 10.10.10.3 primary
interface Vlan10
vrrpv3 10 address-family ipv6
timers advertise 100
priority 200
object-track 1 decrement 4
object-track 2 decrement 4
object-track 3 decrement 4
object-track 4 decrement 4
object-track 5 decrement 4
object-track 6 decrement 4
object-track 7 decrement 4
object-track 8 decrement 4

This example shows how to configure VRRS pathways:

switch# configure terminal
switch(config)# interface ethernet 1/2
switch(config-if)# ip address 209.165.200.230 255.255.255.224
switch(config-if)# vrrs pathway path1
switch(config-if-vrrs-pw)# mac address inherit
switch(config-if-vrrs-pw)# address 209.165.201.10
switch(config-if-vrrs-pw)# show vrrs pathway ethernet 1/2

Related Topic	Document Title
Configuring the Hot Standby Routing Protocol (HSRP)	Configuring HSRP
Configuring high availability	Cisco Nexus 9000 Series NX-OS High Availability and Redundancy Guide

Bias-Free Language

Results

Chapter: Configuring VRRP

Configuring VRRP

About VRRP

VRRP Operation

VRRP Benefits

Multiple VRRP Groups

VRRP Router Priority and Preemption

vPCs and VRRP

VRRP Advertisements

VRRP Authentication

VRRP Tracking

BFD for VRRP

Information About VRRPv3 and VRRS

VRRPv3 Benefits

VRRPv3 Object Tracking

High Availability

Virtualization Support

Guidelines and Limitations for VRRP

Guidelines and Limitations for VRRPv3

Default Settings for VRRP Parameters

Default Settings for VRRPv3 Parameters

Configuring VRRP

Enabling VRRP

SUMMARY STEPS

DETAILED STEPS

Example:

Example:

Example:

Configuring VRRP Groups

Before you begin

SUMMARY STEPS

DETAILED STEPS

Example:

Example:

Example:

Example:

Example:

Example:

Example:

Configuring VRRP Priority

Before you begin

SUMMARY STEPS

DETAILED STEPS

Example:

Example:

Example:

Example:

Example:

Example:

Example:

Example:

Configuring VRRP Authentication

Before you begin

SUMMARY STEPS

DETAILED STEPS

Example:

Example:

Example:

Example:

Example:

Example:

Example:

Example:

Configuring Time Intervals for Advertisement Packets

Before you begin

SUMMARY STEPS

DETAILED STEPS

Example:

Example:

Example:

Example:

Example:

Example:

Example:

Example:

Disabling Preemption

Before you begin