Using Secondary Addresses with VRRP

VRRP on the MDS in it’s basic form looks something like this:

Switch 1

interface GigabitEthernet2/1.10 ip address 192.168.10.2 255.255.255.0 switchport mtu 3000 no shutdown vrrp 10 priority 120 preempt address 192.168.10.2 no shutdown

1 2 3 4 5 6 7 8 9

interface GigabitEthernet2/1.10   ip address 192.168.10.2 255.255.255.0   switchport mtu 3000   no shutdown   vrrp 10     priority 120     preempt     address 192.168.10.2     no shutdown

In the above configuration, 192.168.10.2 is the actual physical interface address and 192.168.10.2 is also the VIP address.  This is common.  The other side may looking something like this:

Switch 2

interface GigabitEthernet2/1.10 ip address 192.168.10.3 255.255.255.0 switchport mtu 3000 no shutdown vrrp 10 priority 100 preempt address 192.168.10.2 no shutdown

1 2 3 4 5 6 7 8 9

interface GigabitEthernet2/1.10   ip address 192.168.10.3 255.255.255.0   switchport mtu 3000   no shutdown   vrrp 10     priority 100     preempt     address 192.168.10.2     no shutdown

On this side of the link 192.168.10.3 is the physical interface address and 192.168.10.2 is the VIP address.  These two MDS switches Switch 1 and Switch 2 are both members of VR10.  As per the VRRP specification, VRRP VIP addresses are for passing traffic onto real server IP addresses that they front end, they are not for the origination or destination of traffic.  If you try to send traffic to a VRRP VIP, these packets are by default dropped.  Some application’s on the  MDS may need to use the VRRP IP as an actual IP address to terminate traffic on.  For example iSNS (removed from current versions of SAN-OS / NX-OS) and IPSec.  With IPSec you may wish to use the VRRP as a destination of a IPSec tunnel for high availability.  To do this you have to add the “secondary” option like so:

Switch 2

interface GigabitEthernet2/1.10 ip address 192.168.10.3 255.255.255.0 switchport mtu 3000 no shutdown vrrp 10 priority 100 preempt address 192.168.10.2 secondary no shutdown

1 2 3 4 5 6 7 8 9

interface GigabitEthernet2/1.10   ip address 192.168.10.3 255.255.255.0   switchport mtu 3000   no shutdown   vrrp 10     priority 100     preempt     address 192.168.10.2 secondary     no shutdown

Realize on Switch 1, the primary IP address of G2/1.10 is configured the same as the VIP.  So in this case when Switch 1 is master it will be able to accept traffic terminated to the VIP address.  Switch 2 will not be able to receive traffic destined to the VIP address even with the secondary option configured unless it is the master!  So the key is, the secondary option allows a switch to be able to terminate traffic destined to the VIP, when it’s the master.  If we were terminated an IPSec session on the VIP of Switch 1 and Switch 2, and wanted it to failover, we would need to configure the secondary address for Switch 2.

Also realize this has an effect on the switch VRRP priorities.  A switch that uses the same VRRP address as its interface address automatically has a VRRP priority of 255.  A switch using a different address for its VRRP than it has on its interface has a priority of 100.  This applies to the use of the secondary command as well.  With or without the secondary command the interface will have a default priority of 100 if its interface address does not match the VRRP address.

Also realize, you cannot configure a secondary address to be the same as the interface address, if you try to do so you will get an error:

Switch 1(config-if)# no shut 2010 Oct  9 21:20:04.648 MDS2 %VRRP_ENG-2-INVALID_CONFIG: Cannot start the VR 10 on the interface GigabitEthernet2/1.10. Invalid IP configuration. Reason: A secondary VRRP address can't be configured as the primary IP address of the interface

1 2 3 4 5

Switch 1(config-if)# no shut 2010 Oct  9 21:20:04.648 MDS2 %VRRP_ENG-2-INVALID_CONFIG: Cannot start the VR 10 on the interface GigabitEthernet2/1.10. Invalid IP configuration. Reason: A secondary VRRP address can't be configured as the primary IP address of the interface