Understanding VRRP: Virtual Router Redundancy Protocol (With an Example)

By January 28, 2020 February 14th, 2020 Blog, Networking

VRRP (Virtual Router Redundancy Protocol) is a First Hop Redundancy Protocol (yes they give this an acronym of FHRP). FHRPs are designed to allow for a highly available gateway (or first hop) for hosts and systems. FHRPs allow for multiple distinct routers to share a common gateway IP address using a shared Media Access Control (MAC) address. This is done to increase the availability and reliability of the gateway address.

All VRRP routers will share the MAC address of the virtual IP address. This is important because, by default, Windows has an ARP table timeout of 10 minutes. This can be changed with a registry hack on ArpCacheLife (HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters). So typically, if a gateway failed, it would take 10 minutes before the Windows servers would send an ARP request for the MAC address of the gateway IP address.

VRRP derives the MAC address of the assigned virtual IP address from the group number set in the configuration. For example, I set up a router with two interfaces in two separate groups, numbers 1 and 15.

Sample VRRP Configuration:

interface FastEthernet0/0
 ip address 10.223.4.2 255.255.255.0
 duplex auto
 speed auto
 vrrp 1 ip 10.223.4.1
!
interface FastEthernet0/1
 ip address 172.24.132.5 255.255.248.0
 load-interval 30
 duplex auto
 speed auto
 vrrp 15 ip 172.24.132.1
!

Now I run a “show vrrp” on the router:

FastEthernet0/0 - Group 1
  Virtual IP address is 10.223.4.1
  Virtual MAC address is 0000.5e00.0101
  Advertisement interval is 1.000 sec
  Preemption enabled
  Priority is 100
FastEthernet0/1 - Group 15
  Virtual IP address is 172.24.132.1
  Virtual MAC address is 0000.5e00.010f
  Advertisement interval is 1.000 sec
  Preemption enabled
  Priority is 100

So from this, we see VRRP group 1 with a virtual MAC address of 0000.5e00.0101 and VRRP group 15 with a virtual MAC address of 0000.5e00.010f. This shows us that the device is using the base MAC of 0000.5e00.0100 + the Group ID, written in hexadecimal (15 is 0f).

In VRRP, the active responder is the master. It will pick up traffic addressed to the virtual MAC address and forward it along. Note that the backup router(s) will also pick up the traffic addressed to the virtual address, but they will not forward it along. The master sends out VRRP advertisements (multicast packets to the IP 224.0.0.18) at the rate of the advertisement interval. As can be seen above, this is 1 second by default. The hold-down timer is three (3) times the advertisement interval. So by default a failed router will have traffic restored in 3 seconds instead of 10 minutes.
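As an added example (not part of the original post and not Cisco code), the following Python audits "show vrrp" output: it recomputes each group's virtual MAC from the base 0000.5e00.0100 plus the group ID, flags any group whose reported MAC differs, and derives the hold-down time as 3 x the advertisement interval. The names expected_vmac and audit are hypothetical, and SAMPLE is constructed from the output shown above.

```python
import re

# Constructed sample: the "show vrrp" output quoted in the article above.
SAMPLE = """\
FastEthernet0/0 - Group 1
  Virtual IP address is 10.223.4.1
  Virtual MAC address is 0000.5e00.0101
  Advertisement interval is 1.000 sec
  Priority is 100
FastEthernet0/1 - Group 15
  Virtual IP address is 172.24.132.1
  Virtual MAC address is 0000.5e00.010f
  Advertisement interval is 1.000 sec
  Priority is 100
"""

def expected_vmac(group):
    """Base MAC 0000.5e00.0100 plus the group ID, in Cisco dotted notation."""
    if not 1 <= group <= 255:
        raise ValueError("VRRP group ID must be 1..255")
    return "0000.5e00.01%02x" % group

def audit(show_vrrp):
    """Return one dict per group: interface, group, MACs, match flag, hold-down."""
    results, cur = [], None
    for line in show_vrrp.splitlines():
        line = line.strip()
        # Header line, e.g. "FastEthernet0/1 - Group 15" (hyphen or en dash).
        m = re.match(r"(\S+)\s+[-\u2013]\s+Group\s+(\d+)$", line)
        if m:
            cur = {"interface": m.group(1), "group": int(m.group(2))}
            cur["expected_mac"] = expected_vmac(cur["group"])
            results.append(cur)
        elif cur is not None and (m := re.match(r"Virtual MAC address is (\S+)", line)):
            cur["mac"] = m.group(1).lower()
            cur["mac_ok"] = cur["mac"] == cur["expected_mac"]
        elif cur is not None and (m := re.match(r"Advertisement interval is ([\d.]+) sec", line)):
            # Hold-down as described in the article: 3 x advertisement interval.
            cur["hold_down_sec"] = 3 * float(m.group(1))
    return results

if __name__ == "__main__":
    for entry in audit(SAMPLE):
        print(entry)
```

A group with mac_ok set to False is worth a closer look, since the virtual MAC no longer matches what the configured group number should produce.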

Jason Howe, PEI
