
Configuring VRRP/VRRPE

 
Bolton_School
Visitor

Configuring VRRP/VRRPE

I am researching how best to configure either VRRP or VRRPE on 2 HP 8206zl core switches.

First of all, I can only see commands to enable VRRP, not VRRPE, so I'm guessing VRRPE isn't available on this model of switch?

Regarding the setup, we are setting this up for redundancy, so that if one of the 8206 core switches went down the other would take over as the default gateway of each vLAN.

We have several vLANs with ACLs and I'm not sure how VRRP works with these.

Do I need to duplicate the ACLs and any ACL changes manually on both the core switches, or will VRRP copy this configuration across?

Also, do VRRP and the virtual gateways need to be set up on each vLAN individually on both the core switches?

 

Thanks for your help.

 

Regards,

Dan

 

 

P.S. This thread has been moved from Switches, Hubs, Modems (Legacy ITRC forum) to ProCurve / ProVision-Based. - HP forum moderator

Vince-Whirlwind
Honored Contributor

Re: Configuring VRRP/VRRPE

I might be wrong, but I think VRRPE comes with a recent firmware, or maybe with the R versions of the chassis switches.

 

You should be able to configure VRRP with the Master's IP address for each VLAN also being the VRRP address for each VLAN.

I'm pretty sure I recall I also tested VRRP with a VRID address that wasn't actually owned by any of the VRRP members and that worked fine too.

 

Yes, if one switch goes down, the "backup" takes over routing functions. It's pretty seamless.

 

For ACLs, you have to configure them on both Cores identically.

 

Yes, you have to configure VLANs, VLAN interfaces, and VRIDs on both cores individually.

Essentially, you are configuring two cores with all the exact same VLAN and VLAN interface config, EXCEPT, you use a different IP address on the VLAN interface - eg,

 

Core#1
   VLAN10
      ip address 10.1.10.1
   IP VRRP VRID10
      owner
      ip address 10.1.10.1
      priority 255
      activate

Core#2
   VLAN10
      ip address 10.1.10.2
   IP VRRP VRID10
      backup
      ip address 10.1.10.1
      priority 100 [default]
      activate

  

What happens is, once you have activated VRRP and joined the two cores together, they start sending VRRP messages to each other and the "Owner" keeps telling the "Backup" to back off, so the owner "owns" the .1 address and does all the routing. If the VRRP messages between the cores are interrupted (link down, chassis powered off, etc...) the Backup will start "owning" the .1 address and routing for it.

 

In the meantime, the Backup will operate perfectly normally in relation to any layer3 addresses it owns itself. (eg, if somebody in VLAN10 accidentally made their default gateway .2, then the Backup would be doing the routing for it and VRRP wouldn't affect this.)
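The reply above says ACLs have to be configured identically on both cores, so any rule changed on only one core silently changes what is filtered once the backup takes over. As an added example (not part of the original thread), this Python script compares two saved running-configs and reports ACL drift; the ProVision-style syntax (`ip access-list extended`, `ip access-group`), the indentation-based parsing and the sample configs are assumptions constructed for illustration.

```python
import re

ACL_START = re.compile(r'^ip access-list (?:standard|extended) "?([^"\s]+)"?$')
VLAN_START = re.compile(r'^vlan (\d+)$')
BINDING = re.compile(r'^ip access-group "?([^"\s]+)"? (\S+)$')

def parse(config):
    """Return (acls, bindings): ACL name -> ordered rules, VLAN id -> {(acl, direction)}."""
    acls, bindings, section = {}, {}, None
    for raw in config.splitlines():
        line = " ".join(raw.split())              # normalise whitespace
        if not line or line.startswith(";") or line == "exit":
            continue
        if not raw[0].isspace():                  # column-0 line opens a new section
            section = None
            if m := ACL_START.match(line):
                section = acls.setdefault(m.group(1), [])
            elif m := VLAN_START.match(line):
                section = bindings.setdefault(m.group(1), set())
        elif isinstance(section, list):           # inside an ACL: keep rule order
            section.append(line)
        elif isinstance(section, set) and (m := BINDING.match(line)):
            section.add(m.groups())               # inside a VLAN: ACL bindings only
    return acls, bindings

def acl_drift(cfg_a, cfg_b):
    """List differences that would change packet filtering after a VRRP failover."""
    (acls_a, bind_a), (acls_b, bind_b) = parse(cfg_a), parse(cfg_b)
    findings = []
    for name in sorted(acls_a.keys() | acls_b.keys()):
        if acls_a.get(name) != acls_b.get(name):  # rule order matters: first match wins
            findings.append(f"ACL {name}: missing or different rules on one core")
    for vlan in sorted(bind_a.keys() | bind_b.keys(), key=int):
        if bind_a.get(vlan, set()) != bind_b.get(vlan, set()):
            findings.append(f"VLAN {vlan}: ACL bindings differ")
    return findings

# Constructed sample configs (assumed syntax); CORE2 never received rule 20.
CORE1 = '''ip access-list extended "STAFF-IN"
   10 permit tcp 10.1.10.0 0.0.0.255 10.1.20.10 0.0.0.0 eq 443
   20 deny ip 10.1.10.0 0.0.0.255 10.1.20.0 0.0.0.255
   30 permit ip any any
   exit
vlan 10
   ip address 10.1.10.1 255.255.255.0
   ip access-group "STAFF-IN" in
   exit'''
CORE2 = "\n".join(l for l in CORE1.splitlines() if " 20 deny" not in l)
CORE2 = CORE2.replace("10.1.10.1 255", "10.1.10.2 255")
```

The differing VLAN interface addresses (.1 and .2) are expected and are not reported; only ACL contents and per-VLAN ACL bindings are compared.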

 

Bolton_School
Visitor

Re: Configuring VRRP/VRRPE

Thanks for the reply Vince.

 

Ok, I think I have it all straight in my head. I've searched through the release notes and there's no mention of VRRPE, so I guess it's not available in this firmware. We have network downtime next week to upgrade the firmware of the cores and set up VRRP, so I'll be able to see if VRRPE is an option then, and hopefully it all goes well.

Just to check though... so VRRP config needs to be entered into each VLAN level config and not just once in the switch level config, like config for routing etc.?

 

Vince-Whirlwind
Honored Contributor

Re: Configuring VRRP/VRRPE

That's right.

 

VRRP is configured individually for each routed interface.

 

If somebody has a test VLAN that doesn't need redundancy and just has one uplink to a test switch, then don't bother with VRRP.

Otherwise, you probably want to configure VRRP on each of your VLAN interfaces that has an IP address.

 

Just watch the VRID. You can use values of 1-255 for VRID, so you can't create a VRID uniquely for each VLAN. You need to group your VLANs logically under a single VRID.

I'd love to read extended discussion on how people group their VLANs by VRID, in case there are any cool tricks you can do. Generally, I try to have as many VRIDs as I can, for maximum flexibility - you never know when the state of your infrastructure might dictate (for reason of efficient traffic flows) that different subnets use their own particular Core as their router.

Bolton_School
Visitor

Re: Configuring VRRP/VRRPE

Ok, so if I set up a VRID for each vLAN numbered the same as the vLAN, would this work?

If I used the same VRID number for each vLAN, would this also work?

Also, do you know about Cisco ASA firewalls?

We have 2 Cisco ASA firewalls working as primary and secondary firewalls, which at the moment connect to only one of the core switches. So we need to have both the core switches connected to the primary firewall or utilise the secondary firewall for the 2nd core switch. If you have knowledge of Cisco firewalls, which way would be best to have both core switches connected to the firewalls, and how would the firewalls be configured for this? I'm guessing both core switches need to be connected to the primary firewall and then the firewall use spanning-tree maybe?

 

Vince-Whirlwind
Honored Contributor

Re: Configuring VRRP/VRRPE

Yes.

Yes.

Either way works. EXCEPT, you definitely want separate VRIDs for the subnet that connects you to the firewalls, for example.

 

I don't think Spanning-tree helps, because you are talking about 2 firewalls.

 

Think of the two "Cores" as being a "Stack", ie, a single virtual switch. 

How do you connect two firewalls to a single virtual switch? Both firewalls are patched to switchports that are in the same VLAN. The fact one of the ports is on one chassis and the other on the other chassis is irrelevant to the firewalls. The firewalls just see the single IP address. Presumably the firewalls are running HSRP.