HP ProCurve VRRP with different Physical and Virtual IP address


In case you are having HP ProCurve Core Switches, and need to configure redundancy on it, you need to configure VRRP to achieve it. I will assume you have the knowledge of HSRP for this post.

Somehow, HP ProCurve switches does not support a separate Virtual IP address than the Physical IP address for VRRP. Although, many other vendors do support it (Virtual IP being different than the Physical IP addresses (in the same network)). HP ProCurve requires that the Virtual IP address to be the same as the Master's Physical IP address. I am not sure why they want us to enforce the Virtual IP address being the same as Master's Physical IP address, since this creates issues, especially in Monitoring software. For e.g., you want to monitor both Cores by their IP address. Since they are running VRRP, and if master fails, the Master's IP address will still show as "UP", since the virtual IP (which is same as Master's Physical IP address) has shifted to the Backup/Secondary/Slave Core.

To avoid such scenario, there is a workaround for the same. This workaround is using the priority of VRRP. We will keep ALL the Core Switches in Backup state, and just adjust their priorities to set master accordingly. (Higher Priority wins. 255 is maximum, which is reserved for Owner/Manual Master). So it is recommended to use Priority 254 for the Master and less for others/Backup.

Consider the following VRRP configuration for vlan 10 (192.168.10.0/24). And the Gateway for the users is 192.168.10.254. The IP address for the Core Switches you prefer is 192.168.10.1 and 192.168.10.2 for Core-1 and Core-2 respectively.

The normal scenario would be:


MASTER
BACKUP
Core-1# conf t
Core-1 (config)# vlan 10
Core-1 (vlan-10)# ip address 192.168.10.254 255.255.255.0
Core-1 (vlan-10)# vrrp vrid 10
Core-1 (vlan-10-vrid-10)# owner
Core-1 (vlan-10-vrid-10)# virtual-ip-address 192.168.10.254 255.255.255.0
Core-1 (vlan-10-vrid-10)# enable
Core-1 (vlan-10-vrid-10)# exit
Core-2# conf t
Core-2 (config)# vlan 10
Core-2 (vlan-10)# ip address 192.168.10.2 255.255.255.0
Core-2 (vlan-10)# vrrp vrid 10
Core-2 (vlan-10-vrid-10)# backup
Core-2 (vlan-10-vrid-10)# virtual-ip-address 192.168.10.254 255.255.255.0
Core-2 (vlan-10-vrid-10)# enable
Core-2 (vlan-10-vrid-10)# exit
In this normal case, you gave IP address as follows:
Core-1: 192.168.10.254
Core-2: 192.168.10.2
Virtual-IP: 192.168.10.254

The workaround scenario would be:

MASTER
BACKUP
Core-1# conf t
Core-1 (config)# vlan 10
Core-1 (vlan-10)# ip address 192.168.10.1 255.255.255.0
Core-1 (vlan-10)# vrrp vrid 10
Core-1 (vlan-10-vrid-10)# backup
Core-1 (vlan-10-vrid-10)# virtual-ip-address 192.168.10.254 255.255.255.0
Core-1 (vlan-10-vrid-10)# priority 254
Core-1 (vlan-10-vrid-10)# enable
Core-1 (vlan-10-vrid-10)# exit
Core-2# conf t
Core-2 (config)# vlan 10
Core-2 (vlan-10)# ip address 192.168.10.2 255.255.255.0
Core-2 (vlan-10)# vrrp vrid 10
Core-2 (vlan-10-vrid-10)# backup
Core-2 (vlan-10-vrid-10)# virtual-ip-address 192.168.10.254 255.255.255.0
Core-2 (vlan-10-vrid-10)# priority 150
Core-2 (vlan-10-vrid-10)# enable
Core-2 (vlan-10-vrid-10)# exit

With this workaround, you gave IP address as follows:
Core-1: 192.168.10.1
Core-2: 192.168.10.2
Virtual-IP: 192.168.10.254

Comments

  1. NeelixxAugust 15, 2013 at 8:30 PM

    Nice job! Thanks! This stumped me for awhile. Had to get some sleep. The next day, I realized that just doing "router vrrp enable" isn't good enough. You ALSO have to do "vlan xxx vrid xxx enable". Ugghh.

    Thanks for this.

    ReplyDelete
  2. Mike KingAugust 28, 2013 at 10:38 PM

    Awesome, I was just looking for this!

    ReplyDelete
  3. UnknownOctober 22, 2013 at 7:24 PM

    Well the other solution is actually built into the protocol. Virtual-IP-Ping disable. When the master is down, backup will pass traffic in place of the master but will not respond to a ping. Seems less complicated and just as effective.

    ReplyDelete
  4. AnonymousSeptember 29, 2016 at 4:21 PM

    will it makes any difference if do not configure owner and backup on cores respectively. My assumption is, by the priority value itself it selects which should be the Master. please correct me .

    ReplyDelete
  5. UnknownSeptember 15, 2017 at 7:46 AM

    Simple and awesome.... Nice Work!

    ReplyDelete

Post a Comment

Popular posts from this blog

Show tech command in H3C

Normally we use " show tech " (show tech-support) command to gather ALL the information from a switch or a router. This applies to all Cisco networking devices as well as HP Procurve switches (I don't know about other vendors). The show tech command in H3C is display diagnostic-information . It does exactly the same thing as show tech, except that it will ask you if you want to save the output in a file [(inside flash), so that you can copy it using tftp], or display it on screen (as usual).
Read more

Telnet failed: Can't send after socket shutdown

Telnet failed: Can't send after socket shutdown. If you are getting this error on HP Procurve switch, it means that the Procurve switch is not accepting telnet sessions. A common reason for this is that you might have enabled SSH (and disabled telnet), or telnet on the swtich is not enabled at all (by default, telnet is disabled on Procurve switches). Telnet can be enabled on a Procurve switch as follows: Procurve-Switch (config)# telnet-server Thats it. Now you should be able to telnet your Procurve switch. Note: If you are in a different vlan than the management IP address of the switch, you need to set the correct default-gateway on the switch (only for edge switches).
Read more

3Com switches Password Recovery procedure

Use the password recovery method outlined below to define a new password for the admin username:  (This method works for most of the 3-Com switches) 1. Access the Command Line Interface and enter the user name "recover" and password "recover" to place your unit in password recovery mode. The unit will remain in password recovery mode for a maximum of 30 seconds, before it returns to the CLI login prompt.  2. During these 30 seconds, perform a hard reboot on the unit while it is still in password recovery mode by turning it off, waiting for a few seconds, and then switching it on again.  3. When the unit has rebooted following the hard reboot enter a new password for the "admin" user account.  4. Enter enable to leave password recovery enabled (to enable recovery of the password next time if you forget), or enter disable to turn it off (not recommended). You are now logged in as the default "admin" user. 
Read more