
How To Test Default Gateway Fail-Over Using VRRP (Simple Topology)

Requirement:

This test covers simple default gateway fail-over for clients whose default gateway is set to the virtual router's IP address.

An Aruba 3810M switch acts as an unmanaged L2 device connected to two L3 Aruba 6300M switches, on which VRRP is configured.

Below is the simple topology for testing default gateway fail-over using Virtual Router Redundancy Protocol (VRRP):

 

Device information for the topology:

1. C7-6300M-48G-4p-50G-SFP-PoE-C6-42-JL661A - Host_Name- 631

2. C7-6300M-48G-4p-50G-SFP-PoE-C7-36-JL661A - Host_Name- 632

3. C7-3810M-24G-PoE+C6-17-JL073A - Host_Name- Sw1

4. C7-W10-9 and C7-W10-8 - Two hosts with the Default Gateway set to the Virtual IP.



Solution:

Why do we need VRRP (Virtual Router Redundancy Protocol)?

Answer:

VRRP is an open standard protocol used to provide redundancy in a network. It is an L3 redundancy protocol (IP protocol number 112). A number of routers (group members) in a group act as one virtual logical router, which is the default gateway of all the local hosts. If one router goes down, one of the other group members can take over responsibility for forwarding the traffic.

In simple terms, all hosts on the LAN talk to other networks or to the internet via their default gateway. If a host's default gateway is down, the host has no access to the network, its resources or the internet. Even if there is a secondary or tertiary router in the network, it is tedious to keep track of the IP addresses of all the routers and change the gateway manually after a failure.

 

Hence, we use VRRP as the solution.

 

With VRRP, we enable the protocol globally on the LAN routers with "router vrrp enable" and set a virtual router IP for the LAN segment in the same subnet. This virtual IP must be used as the default gateway on the hosts.

Hence, if a physical router or device fails, the default gateway on the hosts does not have to change, because it is a virtual one, and VRRP takes care of the fail-over according to the VRRP configuration on the routers.

 

Some important terms related to VRRP:

 

1. Virtual IP address: An IP address from the local subnet is assigned as the virtual IP address and configured as the default gateway for all the local hosts.

2. Virtual MAC address: A virtual MAC address is generated automatically by taking the last 8 bytes as the VRRP group number in hexadecimal. In VRRP, the MAC address used is 0000.5e00.01xx, where xx is the VRRP group number in hexadecimal. The virtual MAC address for IPv6 subnets is 00:00:5E:00:02:VRID.

3. Master router: One of the VRRP group members is elected as the master router, which takes up the responsibility of forwarding the local traffic. The router is elected on the basis of VRRP priority. If one member of the VRRP group has a higher priority than the others, it is elected as the master router. If the priority is the same (by default 100), the router with the highest IP address becomes the master router.

4. Backup routers: Only one of the VRRP group members becomes the master router, while the others are backup routers. If the master router fails, one of the backup routers becomes the master router.

5. Master advertisement timer: The master router multicasts keep-alive messages to 224.0.0.18 every 1 second.

6. Master dead timer: The time after which a backup router takes up the responsibilities of the master router if the master advertisement message is not received. It is, by default, 3.69 seconds.

7. Preempt: It is a state in which one of the backup routers becomes the master router (when the master router goes down). Also, when the original master router comes up again, it becomes the master router again, as its priority is still higher.

- Preempt mode: When a router operates in preempt mode, it takes over the virtual router master role whenever it has a higher VRRP priority than the current master. The router sees the advertisements with a lower priority and sends a preempt message telling the device with the lower priority to become a backup router. It also begins sending its own advertisements. Preempt mode applies when you add a new router with a higher priority to the virtual router. It also applies when a failed master is restored: that router assumes the master role again because it has the higher priority.

- Non-preempt mode: If a router is using non-preempt mode, it does not attempt to take over the master role from an active master even if it has a higher priority. This holds true whether the backup router with a higher priority is a new device or a former master that failed.
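The election, virtual MAC and preempt rules above can be modelled in a few lines. This is an added example, not code from the original article or from Aruba; the router names and addresses come from the topology, and the priority of 120 is a hypothetical value.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Router:
    name: str
    ip: str               # primary address on the VRRP interface
    priority: int = 100   # default priority, as stated above

def virtual_mac(vrid: int, ipv6: bool = False) -> str:
    """00:00:5e:00:01:xx for IPv4 groups, 00:00:5e:00:02:xx for IPv6."""
    if not 1 <= vrid <= 255:
        raise ValueError("VRID must be between 1 and 255")
    return "00:00:5e:00:%02x:%02x" % (2 if ipv6 else 1, vrid)

def elect(routers):
    """Initial election: highest priority wins, highest IP breaks a tie."""
    return max(routers, key=lambda r: (r.priority, ipaddress.ip_address(r.ip)))

def after_return(master, returning, preempt):
    """Master once a router rejoins a group that already has a master."""
    if preempt and returning.priority > master.priority:
        return returning   # preempt mode and strictly higher priority
    return master          # equal priority or non-preempt: roles stay

def failover_test(master, backup, preempt):
    """Master name at each step: start, master link down, link restored."""
    during = elect([backup])                      # only the backup is left
    restored = after_return(during, master, preempt)
    return [master.name, during.name, restored.name]

# Constructed scenario using the article's addresses and host names.
R631 = Router("631", "192.168.1.1")
R632 = Router("632", "192.168.1.2")

if __name__ == "__main__":
    print(virtual_mac(1))                               # VRID 1, IPv4
    print(failover_test(R631, R632, preempt=False))     # equal priorities
    tuned = Router("631", "192.168.1.1", priority=120)  # hypothetical priority
    print(failover_test(tuned, R632, preempt=True))
```

With equal priorities the restored router stays backup in either mode; only a strictly higher priority combined with preempt mode moves the master role back.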



Configuration:

A VRRP router is configured to run the VRRP protocol in conjunction with one or more other routers attached to a LAN. In a VRRP configuration, one router is elected as the virtual router master, with the other routers acting as backups in case the virtual router master fails.

In our topology, we are using non-preempt mode. Hence, no VRRP priority is given to any of the routers; everything is in the default state. So once we test the fail-over, the new master and backup routers continue in the same roles.

Here is the VLAN-based configuration of routers 631 and 632:

 

Router 631:

631# show running-config
Current configuration:
!
!Version ArubaOS-CX FL.10.04.0010
!export-password: default
hostname 631
user admin group administrators password ciphertext AQBapWNo21HtklBu3nc4jykqbfYz1m11WztRxhgMQZnLdh+qYgAAAGIdZ2XFf16mQKggCG5CwFyLb1b2QDofSft6uUGlfhfVZ5m7R+p/IY3wbEuPMLE5MYk2/axHK7VyUQwgTMANJJtXwQntjtHg9qd/AinXIxSmt/J7O94CcfjUPlyJyVE54Ewp
router vrrp enable
!
!
!
!
ssh server vrf default
ssh server vrf mgmt
!
!
!
!
!
vlan 1
spanning-tree
interface mgmt
    no shutdown
    ip dhcp
interface 1/1/1
    no shutdown
    no routing
    vlan access 1
interface 1/1/2
    no shutdown
    no routing
    vlan access 1
interface 1/1/3
    no shutdown
    no routing
    vlan access 1
interface 1/1/4
    no shutdown
    no routing
    vlan access 1
interface 1/1/5
    no shutdown
    no routing
    vlan access 1
interface 1/1/6
    no shutdown
    no routing
    vlan access 1
interface 1/1/7
    no shutdown
    no routing
    vlan access 1
interface 1/1/8
    no shutdown
    no routing
    vlan access 1
interface 1/1/9
    no shutdown
    no routing
    vlan access 1
interface 1/1/10
    no shutdown
    no routing
    vlan access 1
interface 1/1/11
    no shutdown
    no routing
    vlan access 1
interface 1/1/12
    no shutdown
    no routing
    vlan access 1
interface 1/1/13
    no shutdown
    no routing
    vlan access 1
interface 1/1/14
    no shutdown
    no routing
    vlan access 1
interface 1/1/15
    no shutdown
    no routing
    vlan access 1
interface 1/1/16
    no shutdown
    no routing
    vlan access 1
interface 1/1/17
    no shutdown
    no routing
    vlan access 1
interface 1/1/18
    no shutdown
    no routing
    vlan access 1
interface 1/1/19
    no shutdown
    no routing
    vlan access 1
interface 1/1/20
    no shutdown
    no routing
    vlan access 1
interface 1/1/21
    no shutdown
    no routing
    vlan access 1
interface 1/1/22
    no shutdown
    no routing
    vlan access 1
interface 1/1/23
    no shutdown
    no routing
    vlan access 1
interface 1/1/24
    no shutdown
    no routing
    vlan access 1
interface 1/1/25
    no shutdown
    no routing
    vlan access 1
interface 1/1/26
    no shutdown
    no routing
    vlan access 1
interface 1/1/27
    no shutdown
    no routing
    vlan access 1
interface 1/1/28
    no shutdown
    no routing
    vlan access 1
interface 1/1/29
    no shutdown
    no routing
    vlan access 1
interface 1/1/30
    no shutdown
    no routing
    vlan access 1
interface 1/1/31
    no shutdown
    no routing
    vlan access 1
interface 1/1/32
    no shutdown
    no routing
    vlan access 1
interface 1/1/33
    no shutdown
    no routing
    vlan access 1
interface 1/1/34
    no shutdown
    no routing
    vlan access 1
interface 1/1/35
    no shutdown
    no routing
    vlan access 1
interface 1/1/36
    no shutdown
    no routing
    vlan access 1
interface 1/1/37
    no shutdown
    no routing
    vlan access 1
interface 1/1/38
    no shutdown
    no routing
    vlan access 1
interface 1/1/39
    no shutdown
    no routing
    vlan access 1
interface 1/1/40
    no shutdown
    no routing
    vlan access 1
interface 1/1/41
    no shutdown
    no routing
    vlan access 1
interface 1/1/42
    no shutdown
    no routing
    vlan access 1
interface 1/1/43
    no shutdown
    no routing
    vlan access 1
interface 1/1/44
    no shutdown
    no routing
    vlan access 1
interface 1/1/45
    no shutdown
    no routing
    vlan access 1
interface 1/1/46
    no shutdown
    no routing
    vlan access 1
interface 1/1/47
    no shutdown
    no routing
    vlan access 1
interface 1/1/48
    no shutdown
    no routing
    vlan access 1
interface 1/1/49
    no shutdown
    no routing
    vlan access 1
interface 1/1/50
    no shutdown
    no routing
    vlan access 1
interface 1/1/51
    no shutdown
    no routing
    vlan access 1
interface 1/1/52
    no shutdown
    no routing
    vlan access 1
interface vlan1
    ip address 192.168.1.1/24
    vrrp 1 address-family ipv4
        address 192.168.1.100 primary
        no shutdown
        exit

https-server vrf default
https-server vrf mgmt
vsf member 1
    type jl661a
 

 

Router 632:

632# show running-config
Current configuration:
!
!Version ArubaOS-CX FL.10.04.0020
!export-password: default
hostname 632
user admin group administrators password ciphertext AQBapV+/Yi1256TClTCoKhTpeCQ93e/EChSoyIh61FoK98UJYgAAADBYG2sxTCjKndOqhJ5QPWVkQMiMS0y90D4hZpiyWiO5LMpQHgEN/KSB9ShsGF89r01kdAo8MoD8BdMIV16cbOnVO7UoAsb9qY/+tgJ8SNsqMFic+eBH99QgJXEJxWxRVWzQ
router vrrp enable
!
!
!
!
ssh server vrf default
ssh server vrf mgmt
!
!
!
!
!
vlan 1
spanning-tree
interface mgmt
    no shutdown
    ip dhcp
interface 1/1/1
    no shutdown
    no routing
    vlan access 1
interface 1/1/2
    no shutdown
    no routing
    vlan access 1
interface 1/1/3
    no shutdown
    no routing
    vlan access 1
interface 1/1/4
    no shutdown
    no routing
    vlan access 1
interface 1/1/5
    no shutdown
    no routing
    vlan access 1
interface 1/1/6
    no shutdown
    no routing
    vlan access 1
interface 1/1/7
    no shutdown
    no routing
    vlan access 1
interface 1/1/8
    no shutdown
    no routing
    vlan access 1
interface 1/1/9
    no shutdown
    no routing
    vlan access 1
interface 1/1/10
    no shutdown
    no routing
    vlan access 1
interface 1/1/11
    no shutdown
    no routing
    vlan access 1
interface 1/1/12
    no shutdown
    no routing
    vlan access 1
interface 1/1/13
    no shutdown
    no routing
    vlan access 1
interface 1/1/14
    no shutdown
    no routing
    vlan access 1
interface 1/1/15
    no shutdown
    no routing
    vlan access 1
interface 1/1/16
    no shutdown
    no routing
    vlan access 1
interface 1/1/17
    no shutdown
    no routing
    vlan access 1
interface 1/1/18
    no shutdown
    no routing
    vlan access 1
interface 1/1/19
    no shutdown
    no routing
    vlan access 1
interface 1/1/20
    no shutdown
    no routing
    vlan access 1
interface 1/1/21
    no shutdown
    no routing
    vlan access 1
interface 1/1/22
    no shutdown
    no routing
    vlan access 1
interface 1/1/23
    no shutdown
    no routing
    vlan access 1
interface 1/1/24
    no shutdown
    no routing
    vlan access 1
interface 1/1/25
    no shutdown
    no routing
    vlan access 1
interface 1/1/26
    no shutdown
    no routing
    vlan access 1
interface 1/1/27
    no shutdown
    no routing
    vlan access 1
interface 1/1/28
    no shutdown
    no routing
    vlan access 1
interface 1/1/29
    no shutdown
    no routing
    vlan access 1
interface 1/1/30
    no shutdown
    no routing
    vlan access 1
interface 1/1/31
    no shutdown
    no routing
    vlan access 1
interface 1/1/32
    no shutdown
    no routing
    vlan access 1
interface 1/1/33
    no shutdown
    no routing
    vlan access 1
interface 1/1/34
    no shutdown
    no routing
    vlan access 1
interface 1/1/35
    no shutdown
    no routing
    vlan access 1
interface 1/1/36
    no shutdown
    no routing
    vlan access 1
interface 1/1/37
    no shutdown
    no routing
    vlan access 1
interface 1/1/38
    no shutdown
    no routing
    vlan access 1
interface 1/1/39
    no shutdown
    no routing
    vlan access 1
interface 1/1/40
    no shutdown
    no routing
    vlan access 1
interface 1/1/41
    no shutdown
    no routing
    vlan access 1
interface 1/1/42
    no shutdown
    no routing
    vlan access 1
interface 1/1/43
    no shutdown
    no routing
    vlan access 1
interface 1/1/44
    no shutdown
    no routing
    vlan access 1
interface 1/1/45
    no shutdown
    no routing
    vlan access 1
interface 1/1/46
    no shutdown
    no routing
    vlan access 1
interface 1/1/47
    no shutdown
    no routing
    vlan access 1
interface 1/1/48
    no shutdown
    no routing
    vlan access 1
interface 1/1/49
    no shutdown
    no routing
    vlan access 1
interface 1/1/50
    no shutdown
    no routing
    vlan access 1
interface 1/1/51
    no shutdown
    no routing
    vlan access 1
interface 1/1/52
    no shutdown
    no routing
    vlan access 1
interface vlan1
    ip address 192.168.1.2/24
    vrrp 1 address-family ipv4
        address 192.168.1.100 primary
        no shutdown
        exit

https-server vrf default
https-server vrf mgmt
vsf member 1
    type jl661a
 

L2 Switch Configuration:

Sw1# show running-config

Running configuration:

; JL073A Configuration Editor; Created on release #KB.16.03.0004
; Ver #10:08.7f.ff.bb.ff.7c.59.fc.7b.ff.ff.fc.ff.ff.3f.ef:52

hostname "Sw1"
module 1 type jl073x
flexible-module A type JL083A
snmp-server community "public" unrestricted
oobm
   ip address dhcp-bootp
   exit
vlan 1
   name "DEFAULT_VLAN"
   untagged 1-24,A1-A4
   no ip address
   exit
As you can see, nothing has been configured on the switch; it is just carrying and forwarding the default VLAN's broadcast (VLAN 1).

 

Here is the Host's / Client's IP Address configuration with Virtual IP address:

 

Client 1 IP Address Configuration:

 

Client 2 IP Address Configuration:

 

Connectivity From Routers to the Switch and hence to the clients:

Router 631(Port # 1/1/1) <<=>> (Port # 1) Aruba 3810M

Router 632(Port # 1/1/1) <<=>> (Port # 2) Aruba 3810M

Aruba 3810M (Port # 23) <<=>> Client 1 - IP Address - 192.168.1.254  255.255.255.0 |Default Gateway - 192.168.1.100

Aruba 3810M (Port # 24) <<=>> Client 2 - IP Address - 192.168.1.155  255.255.255.0 |Default Gateway - 192.168.1.100

 

VRRP can be enabled on VLANs as well as on connected or routed interfaces. The VRRP configuration for a routed or connected interface is almost identical.

Below is the VRRP configuration on the routers at the interface level:

 

Router 631 Configuration:

interface 1/1/1
    no shutdown
    routing
    ip address 192.168.1.1/24
    vrrp 1 address-family ipv4
        address 192.168.1.100 primary
        no shutdown
        exit
 

Router 632 Configuration:

interface 1/1/1
    no shutdown
    routing
    ip address 192.168.1.2/24
    vrrp 1 address-family ipv4
        address 192.168.1.100 primary
        no shutdown
        exit

**NOTE: This test covers default gateway fail-over on the client only: the client should always be able to reach 192.168.1.100, which is set as the default gateway. We are not testing preempt mode.
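Before running the fail-over test it is worth confirming that both routers agree on the VRRP settings. The following check is an added example, not part of the original article or Aruba tooling; it parses only the configuration lines shown above and assumes that a VRRP group without "no shutdown" is disabled.

```python
import ipaddress
import re

def parse_vrrp(config):
    """Pull the VRRP-relevant settings out of an AOS-CX style running-config."""
    out = {"global": False, "groups": {}}
    iface = ip = group = None
    for line in config.splitlines():
        indent, text = len(line) - len(line.lstrip()), line.strip()
        if text == "router vrrp enable":
            out["global"] = True
        elif indent == 0:                          # new top-level stanza
            iface = text[10:] if text.startswith("interface ") else None
            ip = group = None
        elif iface and (m := re.fullmatch(r"ip address (\S+/\d+)", text)):
            ip = ipaddress.ip_interface(m.group(1))
        elif iface and (m := re.fullmatch(r"vrrp (\d+) address-family ipv4", text)):
            group = out["groups"].setdefault(int(m.group(1)), {"ip": ip, "vip": None, "enabled": False})
        elif group is not None and indent >= 8:    # inside the vrrp context
            if m := re.fullmatch(r"address (\S+) primary", text):
                group["vip"] = ipaddress.ip_address(m.group(1))
            elif text == "no shutdown":
                group["enabled"] = True
    return out

def check_pair(configs):
    """configs: {router name: config text}. Returns a list of findings."""
    parsed = {n: parse_vrrp(c) for n, c in configs.items()}
    issues = []
    for name, r in parsed.items():
        if not r["global"]:
            issues.append(f"{name}: 'router vrrp enable' is missing")
        for vrid, g in r["groups"].items():
            if not g["enabled"]:
                issues.append(f"{name}: vrrp {vrid} is shut down")
            if g["ip"] is None or g["vip"] is None or g["vip"] not in g["ip"].network:
                issues.append(f"{name}: vrrp {vrid} virtual IP outside interface subnet")
    for vrid in sorted({v for r in parsed.values() for v in r["groups"]}):
        groups = [r["groups"].get(vrid) for r in parsed.values()]
        if None in groups:
            issues.append(f"vrrp {vrid}: not configured on every router")
        elif len({g["vip"] for g in groups}) > 1:
            issues.append(f"vrrp {vrid}: virtual IP differs between routers")
    return issues

# Constructed sample: the interface-level stanza from the article, per router.
SAMPLE = """router vrrp enable
interface 1/1/1
    ip address {ip}/24
    vrrp 1 address-family ipv4
        address 192.168.1.100 primary
        no shutdown
"""
CONFIGS = {n: SAMPLE.format(ip=a) for n, a in (("631", "192.168.1.1"), ("632", "192.168.1.2"))}
print(check_pair(CONFIGS) or "VRRP settings consistent")
```

An empty list means both peers have VRRP enabled globally, the group is up, and the shared virtual IP sits inside each router's interface subnet.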



Verification

To verify the VRRP configuration, we can shut down or disable one of the ports, either on the Aruba 3810M switch (Port # 1 or Port # 2) or on the Aruba 6300M switches (Port # 1/1/1), while running continuous pings from any of the clients connected below the Aruba 3810M switch.

As the Aruba 3810M and Aruba 6300M switches are in the same LAN, we first need to check which router is in the master role so that we can test the fail-over.

Commands to run on both Aruba 6300M switches: "show vrrp brief" and "show vrrp"

 

 

Hence, to fail over from the master to the backup router, we disable Port # 1 on the Aruba 3810M. This allows the backup router to become the master and vice versa, and we may see a minimal ICMP packet drop on the client.

However, when we re-enable the port on the Aruba 3810M switch, the current VRRP roles do not change.

This shows the non-preemptive behavior of the VRRP protocol.

 

 

Version history: Revision 1 of 1. Last update: 03-20-2020 01:52 PM
Comments

Hi, nice article. A suggestion: if I were you I'd remove the tags 8400x, 10.00.0003 and ArubaOS-CX 8320 (they make very little sense here).

 

Then, in my opinion, the VRRP setup above should be better contextualized, especially because Aruba CX were used: I mean, it would be quite reasonable to explain also why (and when) to prefer such a VRRP approach on a standalone ArubaOS-CX based switch pair if, actually, on the very same pair a VSF can be quite easily deployed, providing similar (if not better) results/features.

 

If the reason is to simulate the real case of an unmanaged switch (necessarily Layer 2), then make it explicit, saying that a LAG LACP against an Aruba CX 6300 VSF is not possible (and that approach would be required by VSF to benefit from its features) since the access device is just unmanageable and doesn't admit any configuration. In any case, such a case is very borderline (a corner case): it will be easier to replace an unmanageable access device than not to use (so to renounce) the natural VSF/VSX approach on a newly deployed Aruba CX switch pair.