How to Setup VRRP for Router Failover

ciscocisco-catalystcisco-commandsfhrpvrrp

I'm doing my VRRP networking lab. My understanding is if the Master failed then Backup will take over. In this scenarios, I have two layer 3 SW are connected together over LACP, and these two layer 3 switches are connected one Access Switch over LACP and one Firewall with static IPs. Now, two layer 3 sw are doing VRRP over SVI (Vlan 400). Now, if I shutdown one interface on Master that connected to FW then suppose Backup VRRP will take over, but the PC connected to Access can't ping FW IP (192.168.122.192). Any suggestion how I fix it?

here is configuration file
Core SW1

interface Loopback0
 ip address 10.10.10.10 255.255.255.255
!
interface Port-channel10
 switchport trunk allowed vlan 172,201,300,400
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface Port-channel20
 switchport trunk allowed vlan 172,201,300,400
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface Port-channel30
 switchport trunk allowed vlan 172,201,300,400
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet1/2
 no switchport
 description ---connected to DHCP---
 ip address 10.100.100.1 255.255.255.0
 ip helper-address 10.100.100.2
 negotiation auto
!
interface GigiabitEthernet 2/2
no switchport
description --connected to FW---
ip address 10.10.10.1 255.255.255.252
negotiation auto

interface Vlan400
 ip address 10.10.0.10 255.255.254.0
 ip helper-address 10.100.100.2
 vrrp 10 description -Load balance-
 vrrp 10 ip 10.10.0.1
 vrrp 10 ip 10.10.0.2 secondary
 vrrp 10 priority 254
 vrrp 10 authentication text cisco
!
router ospf 1
 network 10.10.0.0 0.0.3.255 area 1
 network 10.10.10.0 0.0.0.3 area 0
 network 10.10.10.10 0.0.0.0 area 0
 network 10.30.0.0 0.0.3.255 area 1
 network 10.100.100.0 0.0.0.255 area 1

CoreSW2

interface Loopback0
 ip address 20.20.20.20 255.255.255.255
!
interface Port-channel20
 switchport access vlan 300
 switchport trunk allowed vlan 172,201,300,400
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface Port-channel40
 switchport trunk allowed vlan 172,201,300,400
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface Port-channel45
 switchport trunk allowed vlan 172,201,300,400
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet2/0
 no switchport
 description ---Connected to FireWall---
 ip address 20.20.20.1 255.255.255.252
 ip ospf priority 0
 negotiation auto
!
interface Vlan400
 ip address 10.10.0.11 255.255.252.0
 ip helper-address 10.100.100.2
 vrrp 10 description -Load balance-
 vrrp 10 ip 10.10.0.1
 vrrp 10 ip 10.10.0.2 secondary
 vrrp 10 authentication text cisco
!
router ospf 1
 network 10.10.0.0 0.0.3.255 area 1
 network 10.30.0.0 0.0.3.255 area 1
 network 20.20.20.0 0.0.0.3 area 0
 network 20.20.20.20 0.0.0.0 area 0

FireWall

interface Loopback0
 ip address 40.40.40.40 255.255.255.255

!
interface GigabitEthernet2/0
 ip address 10.10.10.2 255.255.255.252
 description ---CoreSW1---
 ip nat inside
 ip virtual-reassembly
 ip ospf priority 255
 negotiation auto
!
interface GigabitEthernet3/0
 ip address 20.20.20.2 255.255.255.252
 description --CoreSW2---
 ip nat inside
 ip virtual-reassembly
 ip ospf priority 255
!
router ospf 1
 log-adjacency-changes
 network 10.10.10.0 0.0.0.3 area 0
 network 20.20.20.0 0.0.0.3 area 0
 network 40.40.40.40 0.0.0.0 area 0
 network 192.168.122.0 0.0.0.255 area 2 (ISP)

Best Answer

One thing I noticed is that you are not tracking the links to the firewall, and you have no way configured for VRRP to fail over to the other switch if a link goes down. You will fail over if the entire switch fails.

You probably want the priority on the primary VRRP switch to be set at 105, and the backup as 100, then decrement by 10 if the link to the firewall fails. Configure preempt so that the backup will preempt the primary, and that the primary will resume when the link comes back up. You should also put in a delay so that a bouncing link doesn't cause the primary to jump back and forth.

Something like:

Core SW1:

track 100 interface GigiabitEthernet2/2 line-protocol
!
interface Vlan400
 ip address 10.10.0.10 255.255.254.0  !*** doesn't match the other switch ***
 ip helper-address 10.100.100.2
 vrrp 10 ip 10.10.0.1
 vrrp 10 priority 105
 vrrp 10 preempt delay 30
 vrrp 10 track 100 decrement 10
 vrrp 10 authentication text cisco
!

Core SW2:

interface Vlan400
 ip address 10.10.0.11 255.255.252.0  !*** doesn't match the other switch ***
 ip helper-address 10.100.100.2
 vrrp 10 ip 10.10.0.1
 vrrp 10 priority 100
 vrrp 10 preempt delay 30
 vrrp 10 authentication text cisco
!

Also, with switches, it is a really bad idea to try to load balance the way you have it configured. You want the STP root bridge to match the FHRP primary, otherwise you will get suboptimal traffic flows. If you want, you can have one switch as the STP root FHRP primary for the odd numbered VLANs, and the other switch the same for the even numbered VLANs, or some other such scheme, but all the traffic from a VLAN will go to the STP root, which should be the FHRP primary for that VLAN.

Related Solutions

Cisco ASA Transparent Mode Configuration – Layer2 DMZ with VLAN Translation

I don't have SUP7 to test, but it works on SUP6 and SUP32, I would presume SUP7 retains this functionality.

I've tested between JNPR M320 <-> SUP32, and 'vlan mapping JNPR SUP32' works just fine.

There is no need for QinQ, what the QinQ option does is it adds top tag to one particularly tag. So switchport vlan mapping 1042 dot1q-tunnel 42 would map incoming [1042] stack to [42 1042] stack. As opposed to switchport vlan mapping 1042 42 which maps incoming dot1q Vlan [1042] to dot1q Vlan [42].

JNPR M320 config:

{master}[edit interfaces ge-0/1/0 unit 1042]
user@m320# show 
vlan-id 1042;
family inet {
    address 10.42.42.1/24;
}
{master}[edit interfaces ge-0/1/0 unit 1042]
user@m320# run show interfaces ge-0/1/0               
Physical interface: ge-0/1/0, Enabled, Physical link is Up
  Interface index: 135, SNMP ifIndex: 506
  Description: B: SUP32 ge5/1
  Link-level type: Flexible-Ethernet, MTU: 9192, Speed: 1000mbps, BPDU Error: None,
  MAC-REWRITE Error: None, Loopback: Disabled, Source filtering: Disabled, Flow control: Disabled,
  Auto-negotiation: Enabled, Remote fault: Online
  Device flags   : Present Running
  Interface flags: SNMP-Traps Internal: 0x4000
  CoS queues     : 8 supported, 8 maximum usable queues
  Current address: 00:12:1e:d5:90:7f, Hardware address: 00:12:1e:d5:90:7f
  Last flapped   : 2013-02-19 09:14:29 UTC (19w6d 21:12 ago)
  Input rate     : 4560 bps (5 pps)
  Output rate    : 6968 bps (4 pps)
  Active alarms  : None
  Active defects : None
  Interface transmit statistics: Disabled

SUP32 config:

SUP32#show run int giga5/1
Building configuration...

Current configuration : 365 bytes
!
interface GigabitEthernet5/1
 description F: M320 ge-0/1/0
 switchport
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 switchport vlan mapping enable
 switchport vlan mapping 1042 42
 mtu 9216
 bandwidth 1000000
 speed nonegotiate
 no cdp enable
 spanning-tree portfast edge trunk
 spanning-tree bpdufilter enable
end

SUP32#show ru int vlan42
Building configuration...

Current configuration : 61 bytes
!
interface Vlan42
 ip address 10.42.42.2 255.255.255.0
end

SUP32#sh int GigabitEthernet5/1 vlan mapping  
State: enabled
Original VLAN Translated VLAN
------------- ---------------
  1042           42  

SUP32#sh int vlan42                           
Vlan42 is up, line protocol is up 
  Hardware is EtherSVI, address is 0005.ddee.6000 (bia 0005.ddee.6000)
  Internet address is 10.42.42.2/24
  MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec, 
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive not supported
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:09, output 00:01:27, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
  L2 Switched: ucast: 17 pkt, 1920 bytes - mcast: 0 pkt, 0 bytes
  L3 in Switched: ucast: 0 pkt, 0 bytes - mcast: 0 pkt, 0 bytes mcast
  L3 out Switched: ucast: 0 pkt, 0 bytes mcast: 0 pkt, 0 bytes
     38 packets input, 3432 bytes, 0 no buffer
     Received 21 broadcasts (0 IP multicasts)
     0 runts, 0 giants, 0 throttles 
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     26 packets output, 2420 bytes, 0 underruns
     0 output errors, 0 interface resets
     0 output buffer failures, 0 output buffers swapped out

And

SUP32#ping 10.42.42.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.42.42.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
SUP32#sh arp | i 10.42.42.1
Internet  10.42.42.1             12   0012.1ed5.907f  ARPA   Vlan42
SUP32#show mac address-table dynamic address 0012.1ed5.907f
Legend: * - primary entry
        age - seconds since last seen
        n/a - not available

  vlan   mac address     type    learn     age              ports
------+----------------+--------+-----+----------+--------------------------
Active Supervisor:
*  450  0012.1ed5.907f   dynamic  Yes          0   Gi5/1
*   50  0012.1ed5.907f   dynamic  Yes          0   Gi5/1
*   40  0012.1ed5.907f   dynamic  Yes          0   Gi5/1
*   42  0012.1ed5.907f   dynamic  Yes          5   Gi5/1


user@m320# run ping 10.42.42.2 count 2 
PING 10.42.42.2 (10.42.42.2): 56 data bytes
64 bytes from 10.42.42.2: icmp_seq=0 ttl=255 time=0.495 ms
64 bytes from 10.42.42.2: icmp_seq=1 ttl=255 time=0.651 ms

--- 10.42.42.2 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.495/0.573/0.651/0.078 ms

{master}[edit interfaces ge-0/1/0 unit 1042]
user@m320# run show arp no-resolve |match 10.42.42.2 
00:05:dd:ee:60:00 10.42.42.2      ge-0/1/0.1042        none

Cisco ASA Routing Issue

Best practice wise - should I let the router or the ASA handle NAT (Overloading)?

In the most general of design best practices NAT is performed between an inside and outside network. NAT overloading is generally performed at the edge when there is limited public IP address space. You can learn more about NAT overloading, also known as Port Address Translation or PAT, in RFC 2663 (PAT is referred to as Network Address Port Translation (NAPT) in section 4.1.2).

In this particular scenario you can argue that you have two inside and outside networks and will need to perform some form of NAT on both the ASA (whether that is the NAT overloading you're using now, NAT exemption, static NAT, etc) and the Cisco Router.

I can ping the 172.16.2.2 interface but not 172.16.2.1 from a pc connected to one of the layer 2 switches (proves intervlan routing is working -- i have a 172.20.100.8 address on the PC). Why can't I ping 172.16.2.1 from a PC but I can from the Layer 3 Switch?

The ASA 172.16.2.2 is receiving the ICMP echo-request but does not have a route back to 172.20.100.0/27. The echo-reply is actually being forwarded to the Router 172.16.1.1 via the default route.

And most of all -- Why can't I get out to the Internet from the Layer 3 switch?

Currently your ASA and Cisco Router do not have routes to internal devices other than their connected routes.

Your ASA configuration:

route outside 0.0.0.0 0.0.0.0 172.16.1.1 1

This will provide a default route via the outside interface, but how will the ASA know how to reach subnets residing behind the Layer 3 Distribution Switch?

You'll need to add routes to the internal subnets via the inside interface using the Layer 3 Distribution Switch as the next-hop IP address.

ASA static routing example:

route inside 172.19.12.0 255.255.255.240 172.16.2.2
route inside 172.19.3.0 255.255.255.0 172.16.2.2
route inside 172.20.100.0 255.255.255.224 172.16.2.2

Your Cisco Router's configuration:

ip route 0.0.0.0 0.0.0.0 200.200.200.200

Additionally, how will your border router know how to reach subnets other than it's connected routes, and the catch all default route via the outside interface's next-hop address 200.200.200.200?

Router static routing example:

ip route 172.19.12.0 255.255.255.240 172.16.1.10
ip route 172.19.3.0 255.255.255.0 172.16.1.10
ip route 172.19.100.0 255.255.255.224 172.16.1.10
ip route 172.16.2.0 255.255.255.224 172.16.1.10