Interoperation and Replacement Guide for VRRP and HSRP

Hello everyone,

Now I’d like to share with you interoperation and replacement guide for VRRP and HSRP.

Overview of VRRP

Overview of HSRP

Comparison Between HSRP and VRRP

VRRP and HSRP Interworking Analysis

VRRP and HSRP Replacement Solution

Overview of VRRP

Background

As networks rapidly develop and applications become more diversified, various value-added services (VASs) such as Internet Protocol television (IPTV) and video conferencing have become increasingly widespread. However, to ensure these services are not affected by network disconnections, users require a more reliable network infrastructure.

Generally, all hosts on one network segment are configured with the same default route, which has the gateway address as the next hop address. The hosts use the default route to send packets to the gateway, which forwards the packets to other network segments. When the gateway fails, all hosts on this network segment cannot communicate with external networks. A common method to improve network reliability is to configure multiple egress gateways. However, route selection between the gateways becomes an issue.

VRRP resolves this issue by virtualizing multiple routing devices into a virtual router without changing the networking. The virtual router IP address is configured as the default gateway address. When the gateway fails, VRRP selects a new gateway to transmit service traffic to ensure reliable communication.

VRRP Principle

VRRP is a fault-tolerant protocol. It integrates multiple devices into a virtual router and uses certain mechanisms to switch services to other devices when the next-hop device fails, ensuring continuous and reliable communication.

Two or more VRRP-enabled devices form a VRRP group, which functions as a virtual router.

VRRP determines the virtual router master based on the priority of each device. You can manually configure the priority of a device in the VRRP group.

VRRP determines the device role in the virtual router based on device priorities. The device with a higher priority is more likely to become the master. The VRRP-enabled device in a VRRP group initially works in Initialize state. After receiving an interface Up message, the VRRP-enabled device with priority 255 directly becomes the master. The VRRP-enabled device with the priority less than 255 switches to the Backup state, and then reverts to the Master state after the Master_Down_Interval timer expires. The device that first switches to the Master state obtains the priorities of other devices in the group by exchanging VRRP Advertisement packets.

As shown in Figure 2-96, HostA is dual-homed to SwitchA and SwitchB through the switch. SwitchA and SwitchB constitute a VRRP group to implement link redundancy.Figure 2-96  Working mechanism of VRRP 

Basic Concepts

• VRRP router: device running VRRP. It may belong to one or more virtual routers. SwitchA and SwitchB are VRRP routers.

• Virtual router: VRRP group consisting of one master and multiple backups. The VRRP group's virtual IP address is used as the default gateway address on a LAN. SwitchA and SwitchB combine to form a virtual router.

• Virtual router master: VRRP device that forwards packets. SwitchA is the virtual router master.

• Virtual router backup: a group of VRRP devices that do not forward packets. When the master is faulty, a backup with the highest priority becomes the master. SwitchB is the virtual router backup.

• VRID: virtual router ID. The VRID of the virtual router composed of SwitchA and SwitchB is 1.

• Virtual IP address: IP address of a virtual router. A virtual router can be assigned one or more virtual IP addresses that are configurable. The virtual IP address of the virtual router composed of SwitchA and SwitchB is 10.1.1.10/24.

• IP address owner: VRRP device that uses an IP address of a virtual router as the actual interface address. If an IP address owner is available, it usually functions as the virtual router master. The interface address of SwitchA and the IP address of the virtual router are both 10.1.1.10/24, making SwitchA the IP address owner.

• Virtual MAC address: MAC address that is generated by the virtual router based on the VRID. A virtual router has one virtual MAC address and is in the format of 00-00-5E-00-01-{VRID} (VRRP for IPv4). The virtual router sends ARP Reply packets carrying the virtual MAC address but not the interface MAC address. The VRID of the virtual router composed of SwitchA and SwitchB is 1, so the MAC address of the VRRP group is 00-00-5E-00-01-01.

VRRP State Machine

VRRP defines three states: Initialize, Master, and Backup. Only the device in Master state can forward packets destined for the virtual IP address.

Table 2-116  VRRP states

VRRP Working Process

The VRRP working process is as follows:

1. Devices in a VRRP group select the master based on their priorities. The master sends gratuitous ARP packets to notify the connected network devices or hosts of the virtual MAC address of the VRRP group.

2. The master periodically sends VRRP Advertisement packets to all backups in the VRRP group to advertise its configuration (for example, priority) and running status.

3. If the master fails, the backup with the highest priority becomes the new master.

4. If the original master is replaced by another device in the group, the new master sends gratuitous ARP packets carrying the virtual MAC address and virtual IP address of the virtual router. The new master uses these packets to update the MAC address entry on the connected network devices or hosts. User traffic is then switched to the new master. This process is transparent to users.

5. When the original master recovers and is the IP address owner (with priority 255), the original master reverts to the Master state. If the priority of the original master is smaller than 255, the device switches to the Backup state. The priority of the device is then restored to its original value before the failure.

6. If the backup has a higher priority than the master, the working mode of the backup (preemption or non-preemption) determines whether the master is re-selected.

• Preemption mode: If the priority of a backup is higher than the priority of the current master, the backup automatically becomes the master.

• Non-preemption mode: As long as the master is working properly, the backup with a higher priority cannot become the master.

Overview of HSRP

Background

As the Internet gains in popularity, people rely more and more on networks. To improve network stability, the device backup is used, which is similar to dual hard disks in a server to improve data security. Devices at the network core layer are central to the entire network. If a critical fault occurs on the core devices, the local network breaks down. If the backbone router becomes faulty, the impact will be significant. Therefore, it is inevitable that core devices work in hot standby mode to improve network reliability. When a core device fails, the backup device in the system will take over it until the faulty device is restored. The Hot Standby Router Protocol (HSRP) is used to address the preceding issue.

HSRP Principle

HSRP is a Cisco proprietary router redundancy protocol. It allows multiple routers to be deployed in hot standby mode to eliminate network interruption caused by a single device failure.

To achieve HSRP, two or more routers on a network form a hot standby group, which is a virtual router.

HSRP uses the priority to determine the active router. The HSRP priority can be set manually.

If a router has a higher priority than all other routers, the router becomes the active router in the corresponding standby group. When Hello messages sent from the active router fail to be received within the hold time, the standby router with the highest priority becomes the active router. None of the hosts on the network detects the packets exchanged between routers.

The following figure shows the working mechanism of HSRP which is similar to that of VRRP:Figure 2-97  Working mechanism of HSRP 

Basic Concepts

• Standby group: indicates a group of devices which form a virtual router, which called HSRP router.

• Active router: indicates a router in a standby group that forwards packets on behalf of the virtual router.

• Standby router: indicates the first standby router in a standby group.

• Hello Time: indicates the interval for a device to send Hello messages. If the value is not specified, the Hello time depends on the interval when the active router successfully sends two Hello messages. Otherwise, the default value (3s) is used.

• Hold Time: indicates the interval for the HSRP router to declare an active router failure, which is characterized by being at least 3 times that of the Hello time

• Standby priority: indicates the priority of routers in an HSRP group, which is 100 by default. If the routers have the same priority, the router with the largest IP address becomes the active router. This address is the IP address of the interface have a HSRP configured.

• Virtual MAC address: indicates the MAC address of the virtual router. 00.00.0c.07.ac.2f is used as an example.

  • Vendor ID: indicates the first three bytes. 00.00.0c indicates the Cisco device.

  • HSRP code: indicates that the MAC address is used to identify one HSRP virtual router, which is always 07.ac.

  • HSRP group number: indicates the group ID, which identifies the number of the HSRP backup group. In this example, 2f is a hexadecimal value, which equals to the decimal value 47.

HSRP Message

A router configured with HSRP has the following three types of multicast messages:

• Hello: is sent when HSRP is running on the router that can become an active router or standby router. By default, HSRP routers send a Hello message every three seconds.

• Coup: is sent by a standby router when it becomes an active router.

• Resign: is sent by the active router when the active router wants to go Down or when a router with a higher priority sends a Hello message. This message indicates that the active router does not want to be the active router again.

HSRP messages are encapsulated in UDP packets using the UDP port number 1985. The destination IP address is the multicast IP address 224.0.0.2(means all-router) with a TTL value of 1.

HSRP State

HSRP defines six possible states of an HSRP-enabled router.

• Initial: indicates the state of HSRP upon startup. HSRP is not running at this time. A router enters this state when the configuration is changed or the interface is just started.

• Learn: indicates that a router is waiting for messages from the active router. At this time, the router has not received Hello messages from the active router and has not learned the virtual router IP address.

• Listen: indicates that the router is listening to Hello messages. When the virtual IP address is obtained, routers (but not the active and standby routers) remain in Listen state.

• Speak: indicates that the router sends Hello messages periodically and participates in the election of the active router or standby router.

• Standby: indicates the state of a router in a standby group. Standby group members monitor the active router, and are ready to take over services on the active router when it fails. Additionally, a group member periodically sends Hello messages to other members to notify its own state.

• Active: indicates the state of the active router (responsible for data transmission) in a standby group.

Comparison Between HSRP and VRRP

Comparison Between HSRP and VRRP Parameters

Table 2-117  Comparison between HSRP and VRRP parameters

Comparison Between HSRP and VRRP Commands

Table 2-118  Comparison between HSRP and VRRP commands

VRRP and HSRP Interworking Analysis

Based on the HSRP principle, the destination MAC address of HSRP packets is different from that of VRRP packets. Therefore, the two protocols cannot interwork with each other. When Huawei switches replace Cisco devices, HSRP can only be replaced by VRRP with the following two replacement methods:

• Replace HSRP with VRRP in Cisco devices before migration.

1. Shut down Layer 3 interfaces on an HSRP standby device. Some downlink services are affected during this process, and service interruption time is equal to the route switching time.

2. Change the configurations of the HSRP standby device to those of a VRRP master device and keep Layer 3 interfaces Down.

3. Shut down Layer 3 interfaces on the HSRP active device, and enable Layer 3 interfaces on a VRRP master device to complete service switching.

4. Change the configurations of the HSRP active device to those of a VRRP backup device, and enable Layer 3 interfaces to complete HSRP-to-VRRP switching.

5. Migrate services of the VRRP backup device to the Huawei VRRP backup device.

6. Migrate services of the VRRP master device to the Huawei VRRP master device.

Migrate downlinks on HSRP active and standby devices to Huawei VRRP master and backup devices.

1. Before migration, ensure that there are network-side routes on Huawei devices to minimize the service loss after the service platform switching begins.

2. Shut down downlink interfaces of the HSRP standby device, connect the physical cable to the VRRP master device, and keep interfaces Down.

3. Shut down downlink interfaces of the HSRP active device, and immediately enable interfaces on the VRRP master device to complete service switching.

4. Connect physical cables of the HSRP active device to the VRRP backup device, and enable interfaces on the VRRP backup device to complete the migration.

The first replacement method is not commonly used because service is interrupted for about 3 seconds during Step 3. Therefore, you are advised to use the second replacement method.

VRRP and HSRP Replacement Solution

Overview

HSRP and VRRP cannot interwork with each other. In the replacement solution, services on HSRP active and standby downlinks are migrated to the Huawei VRRP master and backup devices.

Networking Requirements

In Figure 2-98, Cisco switches are deployed. Two core switches constitute a stack. Two aggregation switches establish an Eth-Trunk in manual load balancing mode, and also establish OSPF neighbor relationships with core switches to receive and transmit routes. HSRP is used to implement virtual gateway backup. CiscoA is the master gateway and CiscoB is the backup gateway. In networking, the switches use Rapid PVST+ to prevent loops.

Huawei switches are used to replace two aggregation switches in the networking without changing the original network planning.

The following are HSRP configurations on the Cisco aggregation switches.

CiscoA

interface Vlan110  ip address 172.31.217.156 255.255.255.224  standby 110 ip 172.31.217.158  standby 110 priority 110  standby 110 preempt delay minimum 60  standby 110 authentication hsrp110 interface Vlan120  ip address 172.31.218.157 255.255.255.224  standby 120 ip 172.31.218.158  standby 120 authentication hsrp120

CiscoB

interface Vlan110  ip address 172.31.217.155 255.255.255.224  standby 110 ip 172.31.217.158  standby 110 authentication hsrp110 interface Vlan120  ip address 172.31.218.156 255.255.255.224  standby 120 ip 172.31.218.158  standby 120 priority 110  standby 120 preempt delay minimum 60  standby 120 authentication hsrp120

Figure 2-98  Networking for HSRP 

Configuration Roadmap

1. Configure OSPF for the Huawei switches to establish OSPF neighbor relationships with core switches to receive and transmit routes.

2. Configure link aggregation in manual load balancing mode between Huawei switches to load balance traffic.

3. Configure VRRP for Huawei switches to replace HSRP on the original Cisco switches to implement virtual gateway backup.

4. Configure Huawei switches to achieve interworking with other Cisco switches to prevent loops. For detailed interworking solution, see Interworking and Replacement Guide of Cisco Spanning Tree Protocols and Huawei MSTP and VBST.

5. Configure service forwarding functions for the Huawei switches by following the original network planning.

Procedure

1. Run the show standby brief command to check the device status.

   
   

   # Check the HSRP status of CiscoA.

   CiscoA# show standby brief                      P indicates configured to preempt.                      | Interface   Grp  Pri P State   Active          Standby         Virtual IP Vlan110     110  110 P Active  local           172.31.217.155  172.31.217.158 Vlan120     120  100   Standby 172.31.218.156  local           172.31.218.158
   

   # Check the HSRP status of CiscoB.

   CiscoB# show standby brief                      P indicates configured to preempt.                      | Interface   Grp  Pri P State   Active          Standby         Virtual IP Vlan110     110  100   Standby 172.31.217.156  local           172.31.217.158 Vlan120     120  110 P Active  local           172.31.218.157  172.31.218.158
   

   
   

2. Power on two Huawei switches and connect the links between them and the uplinks in bypass mode. Configure IP addresses for the core switches' downlink interfaces, and configure IP addresses and loopback addresses for the S series switches' uplink interfaces. Configure VRRP and configure HuaweiB as the master switch. Complete all the configurations on Huawei switches, and then shut down the VLANIF interfaces on the downlink access side.

   
   

   # Configure VRRP for HuaweiB. Configure HuaweiB as the master device in VRRP group 1, and the backup device in VRRP group 2.

   <HUAWEI> system-view [HUAWEI] sysname HuaweiB [HuaweiB] interface vlanif 110 [HuaweiB-Vlanif110] ip address 172.31.217.156 255.255.255.224 [HuaweiB-Vlanif110] vrrp vrid 110 virtual-ip 172.31.217.158 [HuaweiB-Vlanif110] vrrp vrid 110 priority 110 [HuaweiB-Vlanif110] vrrp vrid 110 preempt-mode timer delay 60 [HuaweiB-Vlanif110] vrrp vrid 110 authentication-mode simple cipher vrrp110 [HuaweiB-Vlanif110] quit [HuaweiB] interface vlanif 120 [HuaweiB-Vlanif120] ip address 172.31.218.157 255.255.255.224 [HuaweiB-Vlanif120] vrrp vrid 120 virtual-ip 172.31.218.158 [HuaweiB-Vlanif120] vrrp vrid 120 authentication-mode simple cipher vrrp120 [HuaweiB-Vlanif120] quit
   

   # Configure VRRP for HuaweiA. Configure HuaweiA as the backup device in VRRP group 1, and the master device in VRRP group 2.

   <HUAWEI> system-view [HUAWEI] sysname HuaweiA [HuaweiA] interface vlanif 110 [HuaweiA-Vlanif110] ip address 172.31.217.155 255.255.255.224 [HuaweiA-Vlanif110] vrrp vrid 110 virtual-ip 172.31.217.158 [HuaweiA-Vlanif110] vrrp vrid 110 authentication-mode simple cipher vrrp110 [HuaweiA-Vlanif110] quit [HuaweiA] interface vlanif 120 [HuaweiA-Vlanif120] ip address 172.31.218.156 255.255.255.224 [HuaweiA-Vlanif120] vrrp vrid 120 virtual-ip 172.31.218.158 [HuaweiA-Vlanif120] vrrp vrid 120 priority 110 [HuaweiA-Vlanif120] vrrp vrid 120 preempt-mode timer delay 60 [HuaweiA-Vlanif120] vrrp vrid 120 authentication-mode simple cipher vrrp120 [HuaweiA-Vlanif120] quit
   

   
   

3. Based on the Cisco device HSRP configurations, CiscoA is an active router. Shut down CiscoB's downlink interfaces, connect CiscoD's physical cables to HuaweiB, and keep the interface connecting CiscoD and HuaweiB Down.

   
   

   Figure 2-99  VRRP replacement (step 1) 
   

   
   

4. Shut down CiscoA's downlink interfaces and immediately enable HuaweiB's interfaces to complete service switching.

5. Test HuaweiB's configured services. If no exception is detected, connect the physical cables connecting CiscoA with CiscoD to HuaweiA. Enable the interfaces on HuaweiA to complete migration.

   
   

   Figure 2-100  VRRP replacement (step 2) 
   

   
   

6. Complete the access switch migration one by one based on the preceding steps.

7. Check the VRRP status of Huawei switches.

   
   

   # Check the VRRP status of HuaweiB.

   [HuaweiB] display vrrp brief VRID  State        Interface                Type     Virtual IP      ---------------------------------------------------------------- 110   Master       Vlanif110                Normal   172.31.217.158  120   Backup       Vlanif120                Normal   172.31.218.158  ---------------------------------------------------------------- Total:2     Master:1     Backup:1     Non-active:0
   

   # Check the VRRP status of HuaweiA.

   [HuaweiA] display vrrp brief VRID  State        Interface                Type     Virtual IP      ---------------------------------------------------------------- 110   Backup       Vlanif110                Normal   172.31.217.158  120   Master       Vlanif120                Normal   172.31.218.158  ---------------------------------------------------------------- Total:2     Master:1     Backup:1     Non-active:0
   

   
   

Configuration Files

HuaweiB configuration file

#                                                                                interface Vlanif110                                                               ip address 172.31.217.156 255.255.255.224                                        vrrp vrid 110 virtual-ip 172.31.217.158                                          vrrp vrid 110 priority 110                                                       vrrp vrid 110 preempt-mode timer delay 60                                        vrrp vrid 110 authentication-mode simple cipher %^%#!e<$Ql28W2S&k^Jl;mU#/)n59kqh%9rF_E8EFWIF%^%# # interface Vlanif120                                                               ip address 172.31.218.157 255.255.255.224                                        vrrp vrid 120 virtual-ip 172.31.218.158                                          vrrp vrid 120 authentication-mode simple cipher %^%#S0^rDt=7[I1a^EU\zzpSN2BoIHvN%H]o&0M2_A=&%^%# #

HuaweiA configuration file

#                                                                                interface Vlanif110                                                               ip address 172.31.217.155 255.255.255.224                                        vrrp vrid 110 virtual-ip 172.31.217.158                                          vrrp vrid 110 authentication-mode simple cipher %^%#%XlM,3)SX/Q{S+'bB9GA.1wI;wh^^&ReNC-c:K<L%^%# # interface Vlanif120                                                               ip address 172.31.218.156 255.255.255.224                                        vrrp vrid 120 virtual-ip 172.31.218.158                                          vrrp vrid 120 priority 110                                                       vrrp vrid 120 preempt-mode timer delay 60                                        vrrp vrid 120 authentication-mode simple cipher %^%#tkK~$%dlFD%Yv>"UzAd8=o6k:z6c0Z%K`pPueWC/%^%# #

See more please click  Comprehensive Configuration Examples

This is what I want to share with you today, thank you!