static routing towards VRRP

Ab26

Hi, I have a setup where I'm using static routing towards a VRRP IP address. Everything is working fine. My question is what will happen when these 2 VRRP routers fall out of sync (the link between them goes down). Will the static routing fail?


All routers share the same subnet
R1: 10.10.10.2
R2: 10.10.10.3
CE: 10.10.10.4

Now if the link between R1 and R2 is lost => then each router (R1 and R2) will consider itself as the VRRP primary, unless the VRRP messages go over the CE router; the CE router is a firewall and it doesn't allow any traffic to pass by. Would the traffic on the static routing go to both routers (R1 and R2)? Isn't that a traffic replication?

Accepted Solution

Hello @Ab26 ,

you need an L2 switch to provide a common broadcast domain to the CE router and to the routers R1 and R2 that implement the VRRP VIP address and group.

The router with active or master role is the one that will reply to ARP requests made for the VRRP VIP address 10.10.10.1.

If you have this scenario with the L2 switch, every single failure event at link or node level of R1 and R2 is covered.

If R1 is the VRRP active and then its LAN interface fails, R2 will take over and it will:

a) send a gratuitous ARP with source MAC address = VIP MAC address so that L2 switch can update its CAM table

b) it starts to send VRRP hellos stating it is the active router.

VRRP has preemption active by default, so when R1's LAN interface is active again it will resume the active role, performing the same two actions described above:

a) send a gratuitous ARP with source MAC address = VIP MAC address so that L2 switch can update its CAM table

b) it starts to send VRRP hellos stating it is the active router.

Finally, if you use only routers you need to use bridge domains (IRB), and the L3 interfaces will be the BDI interfaces associated to the bridge domain. In this case, if the R1-R2 direct link fails, R2 can still hear the VRRP multicast hellos sourced by R1's BDI interface via the CE interfaces, because the CE router also needs to use a bridge group and BVI to be able to build a working topology.

In older IOS versions IRB uses bridge groups and BVI interfaces; in modern IOS XE, BDI logical interfaces provide L3 routing services to the associated bridge domain.

old classic IRB with bridge groups and BVIs

https://www.cisco.com/c/en/us/support/docs/lan-switching/integrated-routing-bridging-irb/17054-741-10.html?dtid=osscdc000283

modern IRB with bridge domains and BDI interfaces in IOS XE

https://www.cisco.com/c/en/us/td/docs/routers/access/isr4400/software/configuration/xe-17/isr4400-sw-config-xe-17/bdi_isr4k.html?dtid=osscdc000283

VRRP configuration:

https://www.cisco.com/c/en/us/td/docs/routers/ios/config/17-x/ntw-servs/b-network-services/m_fhp-vrrp-0.html?dtid=osscdc000283

Hope to help

Giuseppe

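The failure mode the question and the accepted solution describe (the R1-R2 link goes down and the firewall does not forward the VRRP hellos, so each router elects itself master) is visible on the wire: only the master sends advertisements, so seeing advertisements for the same VRID from two source addresses on one segment means two masters. The following is an added detection example, not code from the thread or from Cisco; it encodes and validates VRRPv2 advertisements and flags duplicate masters over constructed captures (VRID 1, VIP 10.10.10.1 and priorities 110/100 are assumed values).

```python
import struct
from collections import defaultdict


def vrrp_checksum(data: bytes) -> int:
    """Standard Internet (ones'-complement) checksum used by the VRRPv2 header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_advert(vrid: int, priority: int, vips: list, adver_int: int = 1) -> bytes:
    """Encode a VRRPv2 advertisement: ver/type, VRID, priority, #addrs, auth type,
    advertisement interval, checksum, the VIPs and 8 bytes of (empty) auth data."""
    header = struct.pack("!BBBBBBH", 0x21, vrid, priority, len(vips), 0, adver_int, 0)
    addrs = b"".join(bytes(int(o) for o in ip.split(".")) for ip in vips)
    pkt = header + addrs + b"\x00" * 8
    return pkt[:6] + struct.pack("!H", vrrp_checksum(pkt)) + pkt[8:]


def parse_advert(pkt: bytes) -> dict:
    """Decode and validate one advertisement; raises ValueError on malformed input."""
    if len(pkt) < 16:
        raise ValueError("truncated VRRP message")
    ver_type, vrid, prio, count, _auth, interval, _csum = struct.unpack("!BBBBBBH", pkt[:8])
    if ver_type >> 4 != 2 or ver_type & 0x0F != 1:
        raise ValueError("not a VRRPv2 advertisement")
    if len(pkt) < 16 + 4 * count:
        raise ValueError("address count exceeds message length")
    if vrrp_checksum(pkt) != 0:  # a message with a correct checksum sums to zero
        raise ValueError("bad checksum")
    vips = [".".join(str(b) for b in pkt[8 + 4 * i:12 + 4 * i]) for i in range(count)]
    return {"vrid": vrid, "priority": prio, "vips": vips, "interval": interval}


def find_split_brain(observations: list) -> dict:
    """observations: (source IP, raw VRRP payload) pairs captured on one segment.
    Only the master advertises, so two sources for one VRID means two masters."""
    sources = defaultdict(set)
    for src, raw in observations:
        sources[parse_advert(raw)["vrid"]].add(src)
    return {vrid: sorted(s) for vrid, s in sources.items() if len(s) > 1}


# Constructed captures (assumed values, not taken from the thread).
HEALTHY = [("10.10.10.2", build_advert(1, 110, ["10.10.10.1"]))]
# R1-R2 link down and the FW dropping the 224.0.0.18 hellos: each router hears
# only itself, so R2 also starts advertising as master.
SPLIT = HEALTHY + [("10.10.10.3", build_advert(1, 100, ["10.10.10.1"]))]

if __name__ == "__main__":
    print("duplicate masters:", find_split_brain(SPLIT))
```

In the healthy case the only advertisement source is R1; in the split case both 10.10.10.2 and 10.10.10.3 advertise VRID 1, which is the condition that makes both routers answer ARP for the VIP.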

14 Replies

Sorry, I don't have time.

Maybe other VIP can help you

MHM

They are on the same subnet. 

R1: 10.10.10.2
R2: 10.10.10.3
CE: 10.10.10.4

"They are on the same subnet."

Exactly how, as you show 6 interfaces?


Thanks @Giuseppe Larosa 

On R1 and R2 BDI interfaces are used. R1 and R2 are directly connected to each other and the same bridge ID is allowed on this direct link. R1 is connected to CE, which is a firewall, and I don't have access to it. My concern was about the L2 management protocols: are they always allowed on a firewall VLAN interface (spanning-tree, VRRP, etc.) or does an explicit permit policy have to be implemented? R1 is connected to CE via an L2 switch X. R2 is connected to CE via another L2 switch Y. I don't have access to either of these switches.

I don't have a problem with the IRB or VRRP configuration. But thanks for sharing the links.

Hello @Ab26 ,

just to understand, is R1's link to L2 switch X also in the same bridge domain as the R1-R2 direct link?

And does the same apply to R2's link to switch Y?

I would implement a link between switch X and switch Y; with an L2 link between them, what the FW does on its interfaces becomes less important.

However, if the FW blocks STP BPDUs to flow between its two interfaces to switch X and to switch Y this can create issues.

Check what you see on Switch X and Switch Y, including what MAC addresses are learned on each interface.

If the FW is actually a FW HA pair, only one link is active and it is the only one where a MAC address is learned.

Hope to help

Giuseppe


It's correct as you wrote, all interfaces are in the same VLAN (or bridge-domain), say VLAN 10.

The L2 switches should be connected to each other, but unfortunately I don't have access to them nor to the FW, and the customer won't share their internal setup.

Hello @Ab26 ,

advise the customer that a link between Switch X and Switch Y is highly recommended in order to make VRRP communications not dependent on FW settings, either default settings or explicit config.

Ask them also if the FW is actually an HA pair or a form of cluster (active/active), because this is important info to take into account.

Hope to help

Giuseppe


@Giuseppe Larosa has twice recommended an L2 link between switches X and Y (for other readers, those switches aren't shown on the OP's diagram), which will ensure you have L2 path redundancy (allowing VRRP to operate correctly). However, for optimal operation, you'll want to logically block a specific L2 link to preclude traffic needing to transit that link or network devices. For example, if R1 is the active gateway, do you want traffic to transit R2?

Thanks @Joseph W. Doherty! I work for a service provider and the network is way more complicated than what I've shared here. I try not to over-complicate things when I write a post here in the Cisco Community. Instead, I try to ask specific questions that I have concerns about. But I understand that this platform should be useful for anyone who has a similar problem.

In my case, yes, I want R1 to remain the active GW, and it's OK that the traffic passes from R2 to R1 as this is by design in our core network. Everything on the CE side I don't have access to; I can only provide recommendations to our customer, and if something won't work, then I have to tell them in advance.

Unclear what your CE/FW is doing at L2.

Given what you posted, and assuming R1<>R2 is good, what happens if either CE<>R1 or CE<>R2 is broken?

Good question, however these links are out of my responsibility. I assume that the FW is set up as HA with L2 connection to 2 switches and then to R1 and R2. If the link between CE and R1 fails, the traffic will go to R2 and then to R1, as R1 will remain the primary VRRP in this case.


@Ab26 wrote:

Good question, however these links are out of my responsibility. I assume that the FW is set up as HA with L2 connection to 2 switches and then to R1 and R2. If the link between CE and R1 fails, the traffic will go to R2 and then to R1, as R1 will remain the primary VRRP in this case.


Well, as you don't know what the expected behavior for losing the CE connection is, I cannot really say what the expected behavior will be for losing the router-to-router link.

Again, normally what you showed is a triangle L2 loop, and for it to function correctly, one of the links needs to be either physically or logically down. The router-to-router link being physically or logically down would meet that requirement, but for correct operation the two CE-connected links would need to provide L2 between the two routers.

Joseph W. Doherty

For your topology to not loop at L2, one of the three links would need to be logically blocked. If the R1<>R2 link is lost, it should take the role of the necessary blocked link.
