HP ProCurve VRRP with different Physical and Virtual IP address


If you have HP ProCurve Core Switches and need redundancy between them, you configure VRRP to achieve it. This post assumes you already know HSRP.

For some reason, HP ProCurve switches do not support a Virtual IP address that is separate from the Physical IP address for VRRP, although many other vendors do support it (the Virtual IP being different from the Physical IP addresses, in the same network). HP ProCurve requires the Virtual IP address to be the same as the Master's Physical IP address. I am not sure why they enforce this, since it creates issues, especially in monitoring software. For example, suppose you want to monitor both Cores by their IP addresses. Since they are running VRRP, if the Master fails, the Master's IP address will still show as "UP", because the virtual IP (which is the same as the Master's Physical IP address) has shifted to the Backup/Secondary/Slave Core.

To avoid this scenario, there is a workaround that uses the VRRP priority. We keep ALL the Core Switches in the Backup state and adjust their priorities to choose the master. (Higher priority wins. 255 is the maximum, which is reserved for the Owner/Manual Master.) So it is recommended to use priority 254 for the Master and a lower value for the other/Backup switches.

Consider the following VRRP configuration for vlan 10 (192.168.10.0/24). The gateway for the users is 192.168.10.254. The IP addresses you prefer for the Core Switches are 192.168.10.1 and 192.168.10.2 for Core-1 and Core-2 respectively.

The normal scenario would be:


MASTER (Core-1):

Core-1# conf t
Core-1 (config)# vlan 10
Core-1 (vlan-10)# ip address 192.168.10.254 255.255.255.0
Core-1 (vlan-10)# vrrp vrid 10
Core-1 (vlan-10-vrid-10)# owner
Core-1 (vlan-10-vrid-10)# virtual-ip-address 192.168.10.254 255.255.255.0
Core-1 (vlan-10-vrid-10)# enable
Core-1 (vlan-10-vrid-10)# exit

BACKUP (Core-2):

Core-2# conf t
Core-2 (config)# vlan 10
Core-2 (vlan-10)# ip address 192.168.10.2 255.255.255.0
Core-2 (vlan-10)# vrrp vrid 10
Core-2 (vlan-10-vrid-10)# backup
Core-2 (vlan-10-vrid-10)# virtual-ip-address 192.168.10.254 255.255.255.0
Core-2 (vlan-10-vrid-10)# enable
Core-2 (vlan-10-vrid-10)# exit

In this normal case, the IP addresses are assigned as follows:
Core-1: 192.168.10.254
Core-2: 192.168.10.2
Virtual-IP: 192.168.10.254

The workaround scenario would be:

MASTER (Core-1):

Core-1# conf t
Core-1 (config)# vlan 10
Core-1 (vlan-10)# ip address 192.168.10.1 255.255.255.0
Core-1 (vlan-10)# vrrp vrid 10
Core-1 (vlan-10-vrid-10)# backup
Core-1 (vlan-10-vrid-10)# virtual-ip-address 192.168.10.254 255.255.255.0
Core-1 (vlan-10-vrid-10)# priority 254
Core-1 (vlan-10-vrid-10)# enable
Core-1 (vlan-10-vrid-10)# exit

BACKUP (Core-2):

Core-2# conf t
Core-2 (config)# vlan 10
Core-2 (vlan-10)# ip address 192.168.10.2 255.255.255.0
Core-2 (vlan-10)# vrrp vrid 10
Core-2 (vlan-10-vrid-10)# backup
Core-2 (vlan-10-vrid-10)# virtual-ip-address 192.168.10.254 255.255.255.0
Core-2 (vlan-10-vrid-10)# priority 150
Core-2 (vlan-10-vrid-10)# enable
Core-2 (vlan-10-vrid-10)# exit

With this workaround, the IP addresses are assigned as follows:
Core-1: 192.168.10.1
Core-2: 192.168.10.2
Virtual-IP: 192.168.10.254
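
The two scenarios above can be modelled to show what a monitoring probe sees once Core-1 fails. This is an added example, not part of the original post or of any HP tooling. The names Router, elect_master, reachable and monitor_after_core1_failure are hypothetical, Core-2's priority of 100 in the normal case is an assumed default, and the acting master is assumed to answer probes to the virtual IP, as the post describes.

```python
# Added illustration: VRRP master election and what an IP-based monitor sees.
from dataclasses import dataclass
from ipaddress import IPv4Address

VIP = IPv4Address("192.168.10.254")   # gateway address used in the post

@dataclass
class Router:
    name: str
    ip: IPv4Address      # physical VLAN 10 address
    priority: int        # 255 = owner, 1-254 = backup
    alive: bool = True

def elect_master(routers):
    """Highest priority wins; a tie goes to the higher physical IP (RFC 3768)."""
    live = [r for r in routers if r.alive]
    return max(live, key=lambda r: (r.priority, r.ip), default=None)

def reachable(routers):
    """Addresses answering a probe: live physical IPs plus the VIP held by
    whichever router is master (assumption: the master answers for the VIP)."""
    addrs = {r.ip for r in routers if r.alive}
    if elect_master(routers) is not None:
        addrs.add(VIP)
    return addrs

def monitor_after_core1_failure(routers):
    """Fail Core-1 (first entry); return (new master, does Core-1's IP still answer?)."""
    core1 = routers[0]
    core1.alive = False
    return elect_master(routers).name, core1.ip in reachable(routers)

def normal():
    # Core-1 is the owner, so its physical IP is the virtual IP.
    return [Router("Core-1", VIP, 255),
            Router("Core-2", IPv4Address("192.168.10.2"), 100)]  # 100: assumed default

def workaround():
    # Both routers are backups; priority alone decides the master.
    return [Router("Core-1", IPv4Address("192.168.10.1"), 254),
            Router("Core-2", IPv4Address("192.168.10.2"), 150)]

if __name__ == "__main__":
    print("normal    :", monitor_after_core1_failure(normal()))      # Core-1 IP still answers
    print("workaround:", monitor_after_core1_failure(workaround()))  # Core-1 IP is down
```

In the normal case the monitor keeps reporting Core-1's address as up after the failure, because Core-2 now holds it. In the workaround the probe to 192.168.10.1 fails while the gateway 192.168.10.254 stays reachable.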

Comments

  1. Nice job! Thanks! This stumped me for a while. Had to get some sleep. The next day, I realized that just doing "router vrrp enable" isn't good enough. You ALSO have to do "vlan xxx vrid xxx enable". Ugghh.

    Thanks for this.

  2. Awesome, I was just looking for this!

  3. Well, the other solution is actually built into the protocol. Virtual-IP-Ping disable. When the master is down, backup will pass traffic in place of the master but will not respond to a ping. Seems less complicated and just as effective.

  4. Will it make any difference if I do not configure owner and backup on the cores respectively? My assumption is that the priority value itself selects which should be the Master. Please correct me.

  5. Simple and awesome.... Nice Work!
