Using EEM scripts to ‘fix’ IOS VRRP limitation

One of the advantages of VRRP over HSRP as a first hop redundancy protocol is that one of the routers can have the same IP address as the virtual IP address. This is handy when you’re using public IPv4 space as it’s limited. If you had a firewall connected to two routers via HSRP, you need to have 1 public IP address for each router, plus one address for the virtual IP.

With VRRP one of the routers can have the same address, and hence you only need two addresses, not three.

However there is an issue, at least with IOS, when you do it this way. On Cisco’s IOS, if a router has the same address as the VIP (it is the “IP address owner”), then the priority of that router cannot be reduced, either manually or automatically via a track object. Let’s take the following diagram as a basis for the post:

R3 represents a host. R1 and R2 are my VRRP routers. Both of these routers connect to R4 via OSPF which sends the route 4.4.4.4/32 via OSPF.

This is the config of R1 and R2:

R1:
interface FastEthernet1/0
 ip address 10.0.123.200 255.255.255.0
 ip ospf 1 area 0
 vrrp 1 ip 10.0.123.200

R2:
interface FastEthernet1/0
 ip address 10.0.123.2 255.255.255.0
 ip ospf 1 area 0
 vrrp 1 ip 10.0.123.200

On R1, I would like to track the existence of 4.4.4.4/32 and decrement the priority of R1 if I lose that route. However I can’t do this if R1 is configured with the same IP address of the VIP:

R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#track 1 ip route 4.4.4.4 255.255.255.255 reachability
R1(config-track)#int fa1/0
R1(config-if)#vrrp 1 track 1 decrement 200
% tracking not supported on IP address owner

Cisco’s documentation specifically states this limitation:


Restrictions for VRRP Object Tracking
If a VRRP group is the IP address owner, its priority is fixed at 255 and can not be reduced through object tracking.

This removes the benefit of the router and VIP sharing the same IP address, but we can use event manager to get around this. Why not use event manager to check the status of the track object? When the track object goes down, have event manager shut the LAN port. This will cause R2 to take over the VIP. Let’s configure it like so:

event manager applet SHUT_PORT
 event syslog pattern "%TRACKING-5-STATE: 1 ip route 4.4.4.4/32 reachability Up->Down"
 action 1.0 cli command "enable"
 action 1.1 cli command "conf t"
 action 1.2 cli command "interface FastEthernet1/0"
 action 1.3 cli command "shut"
 action 1.4 cli command "end"
 action 1.5 cli command "wr me"
 action 1.6 cli command "exit"

Of course, let’s not forget to configure the router to no shut the interface again when the route comes back:

event manager applet UN_SHUT_PORT
 event syslog pattern "%TRACKING-5-STATE: 1 ip route 4.4.4.4/32 reachability Down->Up"
 action 1.0 cli command "enable"
 action 1.1 cli command "conf t"
 action 1.2 cli command "interface FastEthernet1/0"
 action 1.3 cli command "no shut"
 action 1.4 cli command "end"
 action 1.5 cli command "wr me"
 action 1.6 cli command "exit"

Let’s have a quick look to see if this works. First let’s check the status of the VRRP group on R2:

R2#show vrrp
FastEthernet1/0 - Group 1
  State is Backup
  Virtual IP address is 10.0.123.200
  Virtual MAC address is 0000.5e00.0101
  Advertisement interval is 1.000 sec
  Preemption enabled
  Priority is 100
  Master Router is 10.0.123.200, priority is 255
  Master Advertisement interval is 1.000 sec
  Master Down interval is 3.609 sec (expires in 3.025 sec)

Let’s shut R4’s link to R1. This will cause R1 to lose its route to 4.4.4.4/32, which in turn causes the track object to go down. Event manager will pick up on this via the syslog and shut interface fa1/0. Finally this will cause R2 to take ownership of the group, as its priority of 100 beats nothing.

R4#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R4(config)#int fa1/0
R4(config-if)#shut

R1’s window:

R1#
*Jan  7 15:39:39.591: %OSPF-5-ADJCHG: Process 1, Nbr 4.4.4.4 on FastEthernet1/1 from FULL to DOWN, Neighbor Down: Dead timer expired
R1#
*Jan  7 15:39:48.119: %TRACKING-5-STATE: 1 ip route 4.4.4.4/32 reachability Up->Down
*Jan  7 15:39:48.331: %VRRP-6-STATECHANGE: Fa1/0 Grp 1 state Master -> Init
R1#
*Jan  7 15:39:48.391: %SYS-5-CONFIG_I: Configured from console by  on vty0 (EEM:SHUT_PORT)
R1#
*Jan  7 15:39:50.335: %LINK-5-CHANGED: Interface FastEthernet1/0, changed state to administratively down
*Jan  7 15:39:51.335: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0, changed state to down

Which finally causes R2 to take the VIP:

R2#show vrrp
FastEthernet1/0 - Group 1
  State is Master
  Virtual IP address is 10.0.123.200
  Virtual MAC address is 0000.5e00.0101
  Advertisement interval is 1.000 sec
  Preemption enabled
  Priority is 100
  Master Router is 10.0.123.2 (local), priority is 100
  Master Advertisement interval is 1.000 sec
  Master Down interval is 3.609 sec

Once we do a no shut on R4 again, event manager ensures R1’s port is brought up and it then takes over the VIP:

R4#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R4(config)#int fa1/0
R4(config-if)#no shut

R1’s window:

R1#
*Jan  7 15:41:33.671: %OSPF-5-ADJCHG: Process 1, Nbr 4.4.4.4 on FastEthernet1/1 from LOADING to FULL, Loading Done
R1#
R1#
*Jan  7 15:41:48.119: %TRACKING-5-STATE: 1 ip route 4.4.4.4/32 reachability Down->Up
*Jan  7 15:41:48.247: %VRRP-6-STATECHANGE: Fa1/0 Grp 1 state Init -> Master
R1#
*Jan  7 15:41:48.315: %SYS-5-CONFIG_I: Configured from console by  on vty0 (EEM:UN_SHUT_PORT)
R1#
*Jan  7 15:41:50.231: %LINK-3-UPDOWN: Interface FastEthernet1/0, changed state to up
*Jan  7 15:41:51.231: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0, changed state to up

R2 now sees R1 as the master again, and itself as the backup:

R2#show vrrp
FastEthernet1/0 - Group 1
  State is Backup
  Virtual IP address is 10.0.123.200
  Virtual MAC address is 0000.5e00.0101
  Advertisement interval is 1.000 sec
  Preemption enabled
  Priority is 100
  Master Router is 10.0.123.200, priority is 255
  Master Advertisement interval is 1.000 sec
  Master Down interval is 3.609 sec (expires in 2.997 sec)

EDIT (08/01/2013) – Jochen in the comments below mentioned that instead of tracking a syslog message showing the track state, I could just check the track state via EEM directly. I’ve tested this and it works just as expected. This is my final config on R1:

event manager applet SHUT_PORT
 event track 1 state down
 action 1.0 cli command "enable"
 action 1.1 cli command "conf t"
 action 1.2 cli command "interface FastEthernet1/0"
 action 1.3 cli command "shut"
 action 1.4 cli command "end"
 action 1.5 cli command "wr me"
 action 1.6 cli command "exit"
event manager applet UN_SHUT_PORT
 event track 1 state up
 action 1.0 cli command "enable"
 action 1.1 cli command "conf t"
 action 1.2 cli command "interface FastEthernet1/0"
 action 1.3 cli command "no shut"
 action 1.4 cli command "end"
 action 1.5 cli command "wr me"
 action 1.6 cli command "exit"

© 2009-2020 Darren O'Connor All Rights Reserved