White Paper

Virtual Router
Redundancy Protocol
(VRRP)
The Virtual Router Redundancy Protocol (VRRP)

transfers the responsibility of routing from one router

to another if the original router goes down. This white

paper discusses how the Virtual Router Redundancy

Protocol (VRRP) works. It first gives a general introduction

to VRRP, then it gets into a detailed discussion about

how it works, illustrated with examples. Finally, there is

information on how to configure VRRP on an Passport*

routing switch.
Introduction to VRRP
VRRP transfers the responsibility of routing from one
router to another if the original router goes down. In
other words, it provides backup for a router connecting
a network to the outside world.

Routers are smart machines that are capable of making

routing decisions (assuming that some type of dynamic
routing is enabled) if there are any changes in the
topology. On the other hand, hosts cannot make routing
decisions on their own, even if there are such changes.

2 Virtual Router Redundancy Protocol (VRRP) White Paper

Hosts have a default gateway router
configured, and that router is the
connection between them and the outside
world. Hosts on one network can
communicate with hosts on any other
network, provided there is a route
between them.
Everything seems to work well as long
as the default gateway for the hosts on
the LAN is up and running. But what
happens if the default gateway goes down?
All hosts that have this router configured
as the default gateway lose connectivity
to the outside world.
There is a possibility that there is another
router that has a connection to this LAN
and to the rest of the network. Can this
working router take the responsibilities
of the router that went down? It can, but
only if you change the default gateway
on the hosts. When a host needs to
communicate with a host on a different
LAN, it sends the information to the
default gateway IP address. If that address
is down, then the connection is lost. To
transfer the responsibilities of this router
to the working router, you need to point
the traffic to the IP address of the working
router. This means that you need to
change the default gateway on the hosts,
and the connection will be resumed.
You need to keep in mind that it will take
a long time to reconfigure the default
gateway on a large number of hosts.
VRRP provides a solution for a situation
like this one. Assume, for example, that
there are two Passport routing switches:
A and B. Once VRRP is enabled on these
Passport switches, they go through the
process of deciding who will be the master.
First, both the Passport routing switches
will look at the virtual router's IP address,
and the one that owns it becomes the
master. Thus, if the network administra-
tor wants A to be the master, one way to
accomplish this is to define the virtual
router's IP address to be the same as the
IP address owned by Passport A. If the
virtual router's IP address is not owned
by any of the VRRP routing switches,
then the routing switches compare their
priorities and the higher priority owner
becomes the master. If the priorities are
identical, then the higher IP address wins.
For example, assume that A becomes
the master. In this case, B becomes the
backup routing switch and waits to hear
advertisements from A, which confirm
that A is alive. If routing switch A goes
down, its responsibilities are transferred
to routing switch B, without making any
change on the hosts. In case A comes up,
the responsibility of the master goes back
to A. Thus, with VRRP enabled on your
Passport routing switches, you can trans-
fer the responsibility of routing from one
routing switch to the other without making
any changes to the host configuration.
Detailed description
of VRRP
An example of VRRP is presented,
including the VRRP packet formation
and its contents. There are different cases
where VRRP routers go through the
process of deciding their roles as masters
and backups.
Figure 1: How VRRP works on a LAN.
Host A
200.1.1.12/24
Routing Switch 1
200.1.1.1/24
Master
Host B
200.1.1.11/24
Routing Switch 2
200.1.1.2/24
Backup
Host C
200.1.1.10/24
Virtual Router Redundancy Protocol (VRRP) White Paper
See Figure 1. This is a LAN with an IP
address of 200.1.1.0/24. There are multiple
hosts on this LAN and the LAN is connected
to two Passport routing switches, RS1
and RS2. These Passport routing switches
connect to router R, which allows them
to go to the Internet. It is up to the network
manager to decide which one of these two
routing switches should be the default
gateway for these hosts. In other words,
which route should be taken up by the
traffic going out of the LAN? (How the
traffic should flow out of that LAN would
depend on many factors, but that is
beyond the scope of this discussion).
Assume that in this case the network
manager decides that RS1 will be the
default gateway for the hosts on LAN
200.1.1.0/24. Thus, all the hosts on LAN
200.1.1.0/24 have RS1 configured as the
default gateway. Once RS1 is configured
for VRRP, it looks at the IP address of the
virtual router and compares it with the
IP addresses of its own interface that is
configured for VRRP. As routing switch
1 owns the virtual router's IP address,
it declares itself the master and sends
out an advertisement to all the other
VRRP routers.
Internet
Router R
3
It is not necessary for the virtual IP address
to be owned by one of the routing switches
connecting the LAN to the outside world.
The routing switches can back up a
different virtual router's IP address as
well. In this case, however, the process of
deciding which is the master is different.
As mentioned earlier, this process involves
comparing two things. First, the priority;
the higher priority wins. If the priority is
the same, then the higher IP address wins.
In the previous example, we assumed that
the network administrator decided to
configure the IP address of the interface of
routing switch 1 as the virtual router's IP
address. This way, when routing switch 1
looks at the virtual router's IP address, it
realizes that it is the owner of this address,
and declares itself as the master. If neither
of the two own the virtual router's IP
address, then they compare the priorities,
and if the priorities are the same, then the
IP addresses are compared.
Here, you need to stop and analyze what
the VRRP advertisement packet looks like
before proceeding any further.
VRRP packets are sent encapsulated in
the IP packets. Figure 2 shows what the
packet's IP header —combined with the
packet itself — looks like, and what its
components are.
VRRP Packet Format
The important fields in the IP header
(in terms of VRRP) are explained below.
Source IP Address: This is a 32-bit field.
The source address is the primary IP
address of the interface from which the
packet is being sent. This is the IP address
of the master router’s interface connected
to the LAN.
Destination IP Address: This is a 32-bit
field. It is the IP multicast address assigned
by the IANA for VRRP. This multicast
IP address is 224.0.0.18. All the routers
running VRRP receive this multicast.
4 Virtual Router Redundancy Protocol (VRRP) White Paper
Figure 2: Contents of a VRRP Packet.
0 4 8 16
VERS | HLEN | SERVICE TYPE |
IDENTIFICATION
TIME TO LIVE | PROTOCOL
SOURCE IP ADDRESS
DESTINATION IP ADDRESS
IP OPTIONS ONLY
VERS | TYPE | VRID
AUTH TYPE | Advertisement Inter |
IP ADDRESS (1)
:
:
IP ADDRESS (n)
AUTHENTICATION DATA (1)
AUTHENTICATION DATA (2)
Time To Live (TTL): This is an 8-bit field;
the value in this field must be equal to
255. Any VRRP packet received with
TTL not equal to 255 is discarded.
Note: The router does not forward a
datagram with VRRP multicast destination
address, regardless of its TTL.
Protocol: This is an 8-bit field that
specifies the protocol being used. The
IP protocol number assigned by IANA
for VRRP is 112.
The following fields are in the VRRP
packet:
Version (VERS): This is a 4-bit field that
specifies the VRRP version. The version
that is available is 2.
Type: This is a 4-bit field that specifies the
type of VRRP packet. The only type is
ADVERTISEMENT.
Virtual Router Identifier (VRID): Identifies
the virtual router for which this packet is
reporting status.
Priority: This 8-bit field specifies the
sending VRRP router’s priority for the
virtual router. A higher value means a
higher priority. The priority value of the
VRRP router that owns the IP address
associated with the virtual router must be
255. The default priority value is 100, but
you can assign any value between 1 and
254. A priority of 0 is a special value that
18 24 31
TOTAL LENGTH
| FLAGS | FRAGMENT OFFSET
| HEADER CHECKSUM
| PADDING
| PRIORITY | Count IP Addresses
CHECKSUM
specifies the master has stopped working,
and the backup router needs to transition
to master state.
Count IP Address: This 8-bit field specifies
the number of IP addresses contained in
this VRRP advertisement.
Authentication Type: This 8-bit field
specifies the authentication type being
used. The only option available in Passport
routing switches is no authentication.
Advertisement Interval: This 8-bit
field specifies the time interval between
advertisements sent from the master, to
let the backup router know that it is alive.
It is important that all routers with
the same VRID should have the same
advertisement interval.
Checksum: This 16-bit field is used to
detect data corruption in the VRRP message.
IP Address(es): This is a 32-bit field. The
IP address is the virtual router’s IP address
that the master is backing up.
Note: At this point there is only one IP
address per advertisement that the
Passport switch sends out if it has VRRP
activated.
Authentication Data: The authentication
string is not utilized in Passport VRRP
routing, as there is no VRRP authentication
as yet.
The next topic to address is how the
master becomes the master, and under
what conditions a backup routing switch
will take over the role of the master.
Returning to the example, the master
sends out an advertisement with the
destination address as the multicast IP
address, declaring itself the master. As
mentioned earlier, the multicast group has
the IP address 224.0.0.18, and the
Passport routing switches that have VRRP
running will receive this multicast packet.
Passport switches with the same VRID
will accept the packet, and the others will
drop it. The MAC address associated with
224.0.0.18 is 01-00-5e-00-00-12, so all
the packets for multicast IP are sent to
this MAC address.
Once the Passport routing switches
receive this multicast, they will stay in
backup state and monitor advertisements
from the master to ensure that the master
is functioning. The backup routing switch
has Master_Advertisement_Timer, which
starts after it receives an advertisement.
This timer helps the backup routing
switches to calculate if the master has
gone down; if so, it declares itself as the
master. The master, on the other hand,
has its own timer — called
Figure 3: A Configuration with More than One Backup Routing Switch.
Host A Routing Switch 1
200.1.1.1/24
200.1.1.12/24
Master
Host B Routing Switch 2
200.1.1.2
200.1.1.11/24
Backup
Host C Routing Switch 3
200.1.1.13/24 200.1.1.10/24
Backup
Advertisement_Timer — that starts after
the Advertisement is sent out. Once the
timer reaches the Advertisemet_Interval,
it sends another Advertisement. The
Advetisement_Interval is one second by
default, but is configurable. If the backup
Passport routing switches do not receive
the Advertisement before the
Master_Down_Interval times out, it
declares itself to be the master. The
Master_Down_Interval is calculated
as follows:
Master_Down_Interval = (3 *
Advertisement_Interval) + Skew_time
Skew_time = (256 – Priority) / 256
From the above information, you can see
that the master gets three chances to send
an advertisement before the backup takes
over as a master. This means that VRRP
(by default) will converge in 3 seconds.
Following are the three situations where
a backup router takes over as master:
Case 1: The master goes down due to a
problem. The main thing to realize here
is that the master routing switch interface
just dies. In a case like this, the backup
routing switches will wait until the
Master_Down_Timer times out, and
then will take over as the master.
Internet
Router R
Virtual Router Redundancy Protocol (VRRP) White Paper
Relating this case to the original example,
let us assume that RS1 goes down for
some reason. The Advertisement_Interval
is set to 3 seconds. How long will it take
for RS2 to takeover as the master? This
can be determined from the formula:
Master_Down_Interval = ( 3 *
Advertisement_Interval ) + Skew_time
Skew_time = (256 – Priority) / 256
So the skew time is:
Skew_time = (256-100) / 256 = 156/256
Master_Down_Interval = ( 3 * 3) + 156/256 =
(9 + 156/256)s
The backup will give the master little
more than 9 seconds, which gives
the master three chances to send an
advertisement, before it takes over. After
(9 + 156/256) seconds, RS2 declares itself
to be the master.
Case 2: This is a situation where the
network manager either shuts down the
interface connecting to the LAN, or turns
off VRRP on the master routing switch.
In a case like this, the master sends out
an advertisement with priority equal to 0.
This is a message for the backup routing
switches — one needs to take up the role
of the master, and not wait until the
Master_Down_Timer times out.
In this case, VRRP is turned off on RS1.
Therefore, RS1 sends an advertisement
to the multicast address with the priority
equal to 0. This informs the backup
routing switches that the master has gone
down, and one of the backup RS needs to
take over as the master. In this example,
it would be RS2 that becomes the new
master, and sends out an advertisement
to the multicast address declaring itself
as the master.
Now, consider a slightly different
scenario. What if there is more than one
backup routing switch? See Figure 3.
5
In this case, there are two backup Passport Figure 4: The Connections between the Routers are Not the
routing switches, with IP addresses Only Critical Connections.
200.1.1.2/24 and 200.1.1.10/24. The
master determination (when the original
master is alive) is done in the same way as
mentioned earlier. The difference is that Routing Switch 1
Host A
200.1.1.1/24 206.1.1.1/24
now there are two backup routers, RS2 200.1.1.12/24
Master Critical IP
Address
and RS3. When the master routing switch
RS1 goes down, the Master_Down_ Internet
Timers of the backup routing switches
Router R
Host B
time out, and they declare themselves 200.1.1.11/24

as master. Both RS2 and RS3 send out

advertisements to the multicast address
assuming that they are the masters. But Routing Switch 2 Routing Switch 3
Host C
200.1.1.2/24
there can be only one master. 200.1.1.13/24
Backup

To determine who will be the master,

both Passport routing switches compare
their priorities; the routing switch with
the higher priority becomes master. If the
priorities are the same, then the higher IP
address (RS3 in this case) becomes the
master routing switch. Because the IP
addresses have to be different, there
cannot be a problem in determining the
master; one IP address is going to be
greater than the other.
If the original master routing switch —
RS1 — comes up again, it sends out an
advertisement with priority equal to 255.
When the virtual master routing switch
looks at this advertisement, it compares
the priority with its own. Since its own
priority is lower then 255, it goes back to
the backup state. In this example, RS1’s
priority takes precedence over RS3’s priority;
RS3 thus goes back to the backup state.
Case 3: There can be another case where
the connection between the host and the
first hop router may be good, but that
might not be the only critical connection
between the two networks. For instance,
it is possible that the connection between
the first hop and the second hop is also
very important. If that connection goes
down, the master routing switch is not
able to perform its function properly. In a
case like this, the IP address of the interface
that connects the first hop to the second
hop is called the critical IP address. If the
critical IP address goes down, it does not
effect the connection between the hosts,
and the master and the hosts keep on
forwarding traffic to this particular routing
switch (as it is the master). This adds an
extra hop between the source and the
destination because the master forwards
the traffic to the backup routing switch
that has a route to the destination. In a
case like this, you can configure the
VRRP RS with the critical IP address that
tells the VRRP router to give up its master
status if the interface that owns the critical
IP address goes down (see Figure 4).
In this example, assume that the master is
RS1. RS1 connects to R, and R forwards
the traffic to the Internet. If the connection
between RS1 and R is lost, the hosts on
network 200.1.1.0/24 will lose the route
to the Internet through RS1. RS1 sends
the traffic to RS2, as that is the other
route RS1 has in its routing table. This
adds an extra hop for the traffic going to
the Internet, as the traffic first goes to RS1
and then to RS2. The way around this is
to define a critical IP address on the
VRRP routers (206.1.1.1/24 in this case);
if that IP address goes down, the master
routing switch steps down from its position.
It declares that another routing switch
needs to take up the role of the master by
sending out an advertisement with the
priority equal to 0.
In this case, you can see that the backup
routing switch becomes the master
routing switch. If the master does not
own the virtual router's IP address, then
the advertisements it sends out has its
original priority (and not 255). This way,
when the original master comes back up,
it — assuming it was the owner of the
virtual router IP address — sends out an
advertisement with a priority of 255.
When the acting or virtual master receives
this high priority advertisement it goes
back to the backup state. When routing
switch A’s critical connection comes
up again, routing switch B reverts to
backup mode.

6 Virtual Router Redundancy Protocol (VRRP) White Paper

From the Perspective address to the default gateway whose IP Load Sharing
address is 200.1.1.1/24. In return, RS1 Referring to Figure 1 in our initial
of the Host
replies with the virtual router's MAC example, the master is the one that is
All the decisions regarding who is going
address (which is 00-00-5E-00-01- forwarding all the traffic. The other
to be the master for a particular LAN are
<VRID>). Then, the host sends the routing switch is just sitting there as a
made on the routing switches. The host is
packets to this MAC address. This is how backup. To utilize the bandwidth efficiently,
oblivious to the whole process. When a
the message is routed out of the LAN. we can create two different VRIDs, such
host must send a message to some host on
a different LAN connected by the VRRP If RS1 goes down, and RS2 takes over that half of the traffic goes through RS1
routers, it sends an ARP request for the as the virtual master, all forwarding and the other half goes through RS2.
MAC address of the default gateway. and ARP tasks are performed by RS2. To do this, we configure RS1 to be the
Therefore, when host A sends an ARP for default gateway for a certain number of
Normally, when a host “ARPs for”
the MAC address to the default gateway, hosts, and RS2 for the rest of them.
(resolves) the MAC address, the routing
RS2 replies to that with the virtual In Figure 6 (page 8), RS1 is the default
switch replies with its own physical
router's MAC address (00-00-5E-00-01- gateway for the three hosts at the top,
address. But when VRRP is deployed, the
<VRID>). Another scenario is that the and RS2 is the default gateway for the
master replies with a virtual MAC address
host already had an ARP table and knows three hosts at the bottom. There are two
instead of its actual MAC address. The
that if it needs to send any information to VRIDs: 1 and 2. RS1 (with VRID 1)
benefit of this virtual MAC address is that
the 200.1.1.1/24 IP address (which is its is the master for host A, B and C, and
when the master goes down and a backup
default gateway), it will send it to the 00- backup for the hosts D, E and F. On the
routing switch becomes the master, it
00-5E-00-01-<VRID> MAC address. So, other hand, RS2 (with VRID 2) is the
does not make any difference to the host
it sends it to the virtual router's MAC master for the hosts D, E and F, and the
because it uses the same MAC address.
address, and the information flows via backup for A, B and C. This way, the traffic
The virtual MAC address belongs to the
RS2 instead of RS1. For the host, it is all going out of the LAN 200.1.1.0/24 is
virtual IP address, which belongs to the
the same. But if the routing switches were shared between the two routing switches,
master for that VRID.
to reply to ARPs with their physical thus efficiently utilizing the routing
For instance, see Figure 5. Host A wants addresses, then the situation would be switches and bandwidth.
to send a message to Host D. In this case, totally different.
RS1 is acting as the master, and RS2 is the
backup. Host A will ARP for the MAC

Figure 5: The Benefits of Using a Virtual MAC Address.

Host A Host D
200.1.1.12/24

Routing Switch 1
200.1.1.1/24
Master

Router R
Host B
200.1.1.11/24

Routing Switch 2
200.1.1.2/24
Backup

Host C
200.1.1.10/24

Virtual Router Redundancy Protocol (VRRP) White Paper 7

Critical IP address When one host sends an ARP for the IP Initialize: When VRRP is enabled, the

Depending on your topology, you can
also define a critical IP address in the
configuration of the VRRP router. The
critical IP address is the address of an
interface link that affects the performance
of the master routing switch, if this link
goes down. If the interface that owns the
critical IP address goes down, the routing
switch steps down from being the master,
and sends out an advertisement with
priority equal to 0. If we do not define the
critical IP address, the master remains as
master, and (depending on the topology)
that might not be the best path anymore.
This is explained in an example related to
Figure 6.
You can also define critical IP addresses
on the backup routing switches. In case
the master goes down, one of the backup
routing switches takes its place. If the
critical IP address of the backup is down,
it does not declare itself as the master.
You can only define one critical IP address
on one Passport routing switch.
How Proxy ARP
Works with VRRP
a Passport routing switch running
proxy ARP allows the hosts on different
networks to communicate with each other
as if they were on the same network. The
address owned by a host that belongs to a
subnet on the other side of the routing
switch, the routing switch replies with its
own interface MAC address. It then for-
wards the packet to the destination host.
With VRRP enabled, when the master
receives an ARP request, it replies with the
virtual router's MAC address and not the
actual physical address; thus, when the
responsibilities of master are switched to a
different routing switch, the MAC address
is the same.
A Brief Description
of the Different Stages
of VRRP Routers
With the understanding of how VRRP
works, we can summarize the different
stages through which a VRRP router goes.
There are three different stages a VRRP
router goes through:
• Initialize
• Backup
• Master
Figure 6: R1 is the Gateway for Hosts A – C, and R2 is the Gateway
for Hosts D – F.
Host A
first stage the routing switch goes through
is the initialization stage. This involves the
following steps:
The routing switch looks at the virtual
IP address and determines if it is the
master. If it owns that address, it realizes
it is the master, and that its priority is
equal to 255.
If P is equal to 255, then the VRRP
router:
• Sends an ADVERTISEMENT
declaring itself as the master
• Broadcasts a gratuitous ARP with
the virtual router MAC address
(00-00-5E-00-01-<VRID>) to all the
IP addresses associated to the virtual
router's IP address
• Starts the advertisement timer
• Transitions to a master state
If the priority is between 0 and 255,
then the VRRP router:
• Starts the Master_Down_Timer
• Transitions to a backup state

routing switch or gateway keeps routing

tables with information on the subnets on
both sides. Host B
Routing Switch 1
200.1.1.1/24
Master – VRID 1
Backup – VRID 2

Host C
Default gateway
on network Internet
is 200.1.1.1/24
Router R

Host D

Routing Switch 2
200.1.1.2/24
Backup – VRID 1
Master – VRID 2
Host E

Host F
Default gateway
on network
is 200.1.1.2/24

8 Virtual Router Redundancy Protocol (VRRP) White Paper

The Backup State
In the backup state, the VRRP router
monitors the master routing switch to
confirm that it is alive. While it does that,
it has the following responsibilities:
• Must not respond to ARP requests or
accept packets for the IP address(s)
associated with the virtual router
• Must discard packets destined for the
virtual router's MAC address
• Start the Master_Down_Timer and set
the Master_Down_Interval
If an advertisement is received that has P
equal to 0, or if the
Master_Down_Interval times out, then
the VRRP router:
• Sends an advertisement declaring itself
as the master
• Broadcasts a gratuitous ARP with the
virtual router's MAC address (00-00-
5E-00-01-<VRID>) to all the IP
addresses associated with the virtual
router's IP
• Starts the advertisement timer
• Transitions to master state
If an advertisement is received that has a
higher priority, or a higher IP address (if
the priority is the same), then the VRRP
router goes back to the backup state.
If an advertisement is received that has a
lower priority or lower IP address if the
priority is the same then the VRRP router
discards the advertisement and stays in
the master state.
The Master State
In the master state, the VRRP router must:
• Respond to ARP requests, or accept
packets for the IP address or addresses
associated with the virtual router
• Not accept packets addressed to the
IP address associated with the virtual
router if it is not the owner of the
IP address
• Forward packets destined for the
virtual router's MAC address
If a shut down event is received, then the
VRRP router sends out an advertisement
with 0 priority.
If an advertisement with a greater priority
or higher IP address (if the priority is the
same) is received by the virtual master, it
goes through the following process.
• Transition to backup state
• Cancel advertisement timer
• Start the Master_Down_Timer
If an advertisement is received with the
priority lower than local priority, or with a
lower IP address if the priority is the same
then the VRRP router discards the adver-
tisement.
Configuring
VRRP on Passport
Following are the command line interface
(CLI) commands you useto configure
VRRP:
ethernet <ports> ip vrrp <vrid> address
<ipaddr>
ethernet <ports> ip vrrp <vrid> adver-int
<seconds>
ethernet <ports> ip vrrp <vrid> critical-ip
<ipaddr>
ethernet <ports> ip vrrp <vrid> delete
ethernet <ports> ip vrrp <vrid> disable
ethernet <ports> ip vrrp <vrid> enable
ethernet <ports> ip vrrp <vrid> priority
<prio>
First, to get into the configuration
context, type the following command:
# config
Virtual Router Redundancy Protocol (VRRP) White Paper
After you are in the configuration context,
you can configure any isolated routing
switch port for VRRP. As a network
administrator, you need to decide what
VRID to assign to the interfaces of the
VRRP router.
By default, the advertisement interval
is one second, but you can configure it
differently if you want. The important
thing is that the advertisement interval
for all the routing switches should be the
same on the same VRID. If it is different,
then it could cause disruptions in the
network, which could cause problems.
For example, assume routing switch 1 is
the master and routing switch 2 is the
backup. Assume the
Advertisement_Interval on routing switch
1 is 10s and on routing switch 2 is 1s.
Since routing switch 1’s
Advertisement_Interval is 10s, it will
send an advertisement after 10s. But as
routing switch 2 and routing switch 3’s
Advertisement_Interval is 1s, after
(3S+Skew_Time) it declares itself as a
master and sends an advertisement out.
Routing switch 1 discards the advertisement,
as it has the higher priority. We now have
two virtual routers, and duplication
might occur. When routing switch 1
sends out its advertisement after 10s,
routing switch 2 steps down, as 1 has a
higher priority. But the whole process
starts again after (3S+Skew_Time) seconds.
Therefore, it is important to configure
that same advertisement_interval on all
the VRRP routers with the same VRID.
9
The priority is another parameter you can
define; it is set to 100 by default. If you
configure it differently, then you can
decide who will be the next master if the
master goes down. As mentioned earlier,
priority is the first thing the backup
routing switches compare, to determine
the master. The one with the higher
priority becomes the master.
You also need to enable VRRP by using
the enable command:
ethernet <ports> ip vrrp <vrid> enable
You can disable VRRP by using the dis-
able command.
ethernet <ports> ip vrrp <vrid> disable
To understand how to configure VRRP
on a Passport routing switch, consider the
following example. This example looks at
how to configure the Passport routing
switches for VRRP. One thing to under-
stand about the example is that the goal is
to inform you of how you can configure
the Passport routing switch for VRRP
routing, not how you should, as that
depends on a number of factors.
In this example (see Figure 7), there
are two networks: 205.1.1.0/24 and
207.1.1.0/24. To keep things simple,
assume that all the routing switches in
the topology have the same kind of links.
To send a message from network
205.1.1.0/24 to 207.1.1.0/24, the best
route seems to be through RS1, as the
two LANs are two hops away. In case RS1
goes down, the next best route would be
through RS2, as the LANs are three hops
away. The network administrator wants to
have RS1 as the master. Also, the critical
IP address for RS1 is the interface
connecting RS1 to R, because if that goes
down, the master is not able to perform
its responsibilities.
The configuration for RS1 is as follows,
assuming that the Ethernet interface that
is being configured for VRRP is 1/1:
ethernet 1/1 ip vrrp 1 address 205.1.1.1/24
ethernet 1/1 ip vrrp 1 adver-int 3
ethernet 1/1 ip vrrp 1 critical-ip 201.1.1.1/24
ethernet 1/1 ip vrrp 1 enable
The configuration for RS1 shows that the
virtual router's IP address is 205.1.1.1/24,
and the advertisements should be 3 seconds
apart. If the interface that owns IP address
201.1.1.1/24 goes down, then RS1 is no
longer the master routing switch, and one
of the backup routing switches takes the
responsibility of being the master. It is not
important to define the priority here,
because RS1 is going to be the master, as
it owns the virtual router's IP address.
Therefore, it will automatically get the
priority value of 255. Priority could prove
important for the backup routers.

Figure 7: Example of Setting up Passport Routing Switches The configuration for RS2 is as follows,
for VRRP Routing. assuming that the Ethernet interface that
is being configured for VRRP is 2/3:
ethernet 2/3 ip vrrp 1 address 205.1.1.1/24

ethernet 2/3 ip vrrp 1 adver-int 3

Routing Switch 1 ethernet 2/3 ip vrrp 1 enable

Host A
205.1.1.1/24 201.1.1.1/24
Master Critical IP Address
ethernet 2/3 ip vrrp 1 priority 250

RS2 goes into backup mode, and starts

Internet
the Advertisement_Down_Timer after
Routing Routing Router R
Host B
Switch 2 Switch 4 207.1.1.1/24 the initialization mode, because it does
205.1.1.2/24
Backup not own the virtual router's IP address.
It is a backup for the virtual router's
IP address, 205.1.1.1/24. The
Host C Routing Routing
Switch 3 Switch 5 Advertisement_Interval is the same as
205.1.1.3/24
Backup RS1. It is very important that it matches
the advertisement_interval for reasons
mentioned earlier. The priority is 250.
The goal here is that the priority of RS2
should be higher than RS3, so that if RS1
goes down, RS2 takes over as the master.
There is no critical IP address defined
here, because there are two routing

10 Virtual Router Redundancy Protocol (VRRP) White Paper

switches that can take traffic from RS2 to
R. If the one preferred out of the two goes
down, routing can still be done through
the other one.
The configuration for RS3 is as follows,
assuming that the ethernet interface that
is being configured for VRRP is 1/3:
ethernet 1/3 ip vrrp 1 address 205.1.1.1/24
ethernet 1/3 ip vrrp 1 adver-int 3
ethernet 1/3 ip vrrp 1 enable
ethernet 1/3 ip vrrp 1 priority 210
ethernet 1/1 ip vrrp 1 critical-ip 209.1.1.1/24
Here, we should notice that the priority of
this interface is lower than the priority of
RS2. Therefore, if RS1 goes down, RS2 is
the new master. If we had left the priority
configuration set to the default (which
is 100), then the new master would be
RS3, because the IP address of the VRRP
interface for VRID 1 of RS3 is greater
than the IP address of the VRRP interface
for VRID 1 of RS2. We have also defined
a critical IP address of 209.1.1.1/24. If
this interface is down, RS3 does not
declare itself as a master.
Summary
This paper examined what VRRP is and
how it works. It is a protocol that provides
backup for routing switches connecting
a LAN to the outside world (assuming
there is more than one routing switch
working in the same context). One
routing switch becomes the master and
the rest act as backups. The process of References
deciding who will be the master involves 1. RFC 2338
three stages – initialize, backup and master.
2. Internetworking with TCP/IP Vol. 1;
In the initialize stage, VRRP routers
Douglas E. Comer, 3rd Edition
compare the virtual router's IP address to
their interface's IP addresses. If one of
them owns the virtual router's IP address,
Acronym Glossary
ARP Address Resolution Protocol
it declares itself to be the master and
CLI Command Line Interface
assumes a priority of 255. After the rest
IANA Internet Assigned Number
of the routing switches receive this
Authority
advertisement, they go in the backup IP Internet Protocol
state and start the Advertisement_ LAN Local Area Network
Down_Timer. If no one owns the virtual MAC Media Access Control
router's IP address, then they all go into TTL Time to Live
the second stage (which is the backup VERS Version
stage), and start the Advertisement_ VRID Virtual Router Identifier
Down_Timer. If the timer times out, all VRRP Virtual Router Redundancy
of them declare themselves as the master, Protocol
and send advertisements with their priority
(priority 255 is only used by the router
who owns the virtual IP address). If there
is more than one backup routing switch,
they receive advertisements from each
other, and compare with their own
information. The routing switch with
the highest priority becomes the master,
and the rest step down and go back to
the backup stage. If the priorities are the
same, then the owner of the highest IP
address wins. If the owner of the address
comes up, it sends out an advertisement
with priority = 255. The virtual master
steps down, and the owner of the address
becomes master.
To route traffic through the master, the
hosts ARP for the MAC address of their
default gateway, which is also the virtual
router's IP address. The virtual master
replies with the virtual MAC address,
instead of its own physical address. This
way, when the original master goes down,
the new master routing switch becomes
the owner of the virtual MAC address.
Thus, the host can still send traffic to the
virtual router's MAC address and no
change has to be made on the host.
Virtual Router Redundancy Protocol (VRRP) White Paper 11
For more sales and product information, please call 1-800-822-9638.

United States Asia Pacific

Nortel Networks Nortel Networks
4401 Great America Parkway 151 Lorong Chuan
Santa Clara, CA 95054 #02-01 New Tech Park
1-800-822-9638 Singapore 556741
Canada 65-287-2877
Nortel Networks Caribbean and Latin America
8200 Dixie Road Nortel Networks
Brampton, Ontario 1500 Concord Terrace
L6T 5P6, Canada Sunrise, Florida
1-800-466-7835 33323-2815 U.S.A.
Europe, Middle East, and Africa 954-851-8000
Nortel Networks
Les Cyclades - Immeuble Naxos
25 Allée Pierre Ziller
06560 Valbonne France
33-4-92-96-69-66

http:// www.nortelnetworks.com
*Nortel Networks, the Nortel Networks logo, the Globemark, How the World Shares Ideas, Unified Networks,
and Passport are trademarks of Nortel Networks. All other trademarks are the property of their owners.
© 2000 Nortel Networks. All rights reserved. Information in this document is subject to change without notice.
Nortel Networks assumes no responsibility for any errors that may appear in this document. Printed in USA.

WP3340-B / 04-00