Cisco Catalyst SD-WAN Interfaces Configuration Guide, Releases 26.x and Later


Configure VRRP


Configuring VRRP using Cisco Catalyst SD-WAN Manager

Procedure

To have an interface run the Virtual Router Redundancy Protocol (VRRP), which allows multiple routers to share a common virtual IP address for default gateway redundancy, select the VRRP tab. Then click Add New VRRP and configure the following parameters:

Parameter Name Description

Group ID

Enter the virtual router ID, which is a numeric identifier of the virtual router. You can configure a maximum of 24 groups.

Range: 1 through 255

Priority

Enter the priority level of the router. The router with the highest priority is elected as primary VRRP router. If two routers have the same priority, the one with the higher IP address is elected as primary VRRP router.

Range: 1 through 254

Default: 100

Timer (milliseconds)

Specify how often the primary VRRP router sends VRRP advertisement messages. If subordinate routers miss three consecutive VRRP advertisements, they elect a new primary VRRP router.

Range: 100 through 40950 milliseconds

Default: 100 msecs

Note

When the timer is 100 ms for the VRRP feature template on Cisco IOS XE Catalyst SD-WAN devices, VRRP fails if traffic is high on the LAN interface.

Track OMP

Track Prefix List

By default, VRRP uses the state of the service (LAN) interface on which it is running to determine which router is the primary virtual router. If a router loses all its WAN control connections, the LAN interface still indicates that it is up even though the router is functionally unable to participate in VRRP. To take WAN side connectivity into account for VRRP, configure one of the following:

Track OMP: Click On for VRRP to track the Overlay Management Protocol (OMP) session running on the WAN connection. If the primary VRRP router loses all its OMP sessions, VRRP elects a new default gateway from those that have at least one active OMP session.

Note

From Cisco IOS XE Catalyst SD-WAN Release 17.18.1a, enabling Track OMP changes the device CLI command from vrrp track omp shutdown to vrrp track omp decrement 10.

Track Prefix List: Track both the OMP session and a list of remote prefixes, which is defined in a prefix list configured on the local router. If the primary VRRP router loses all its OMP sessions, VRRP failover occurs as described for the Track OMP option. In addition, if reachability to all of the prefixes in the list is lost, VRRP failover occurs immediately, without waiting for the OMP hold timer to expire, thus minimizing the amount of overlay traffic that is dropped while the routers determine the primary VRRP router.

IP Address

Enter the IP address of the virtual router. This address must be different from the configured interface IP addresses of both the local router and the peer running VRRP.

Configure a prefix list for VRRP using Configuration Groups

Before you begin

On the Configuration > Configuration Groups page, choose SD-WAN as the solution type.

Procedure

1. From the Cisco SD-WAN Manager menu, choose Configuration > Configuration Groups.

2. Create and configure Prefix List for VRRP in a Policy Object Profile.

  1. Choose the Prefix policy object from the Select Policy Object drop-down list.

  2. Enter the Prefix List Name.

  3. In the Internet Protocol field, click IPv4 or IPv6.

  4. Under Add Prefix, enter the prefix for the list. Optionally, click the Choose a file link to import a prefix list.

  5. Click Save.

    The following table describes the options for configuring the prefix.

    Table 1. Prefix List

    Field               Description
    Prefix List Name    Enter a name for the prefix list.
    Internet Protocol   Specifies the internet protocol. The options are IPv4 and IPv6.

What to do next

Also see Deploy a configuration group.


Configure a prefix list for VRRP using a feature template

To configure a prefix list:

Procedure

1. From the Cisco SD-WAN Manager menu, choose Configuration > Policy > Localized Policy.

2. From the Custom Options drop-down list, click Lists.

  1. Click Prefix from the left pane, and click New Prefix List.

  2. In Prefix List Name, enter a name for the prefix list.

  3. Choose IPv4 as the Internet Protocol.

  4. In Add Prefix, enter the prefix entries separated by commas.

  5. Click Add.

3. Click Next and configure Forwarding Classes/QoS.

4. Click Next and configure Access Control Lists.

5. Click Next and in Route Policy pane, select a relevant route policy and click , and click Edit to add the newly added prefix list.

6. From the Match pane, click AS Path List and in the Address, choose the newly added prefix list.

7. Click Save Match and Actions.

8. Click Next and enter the Policy Name and Policy Description in the Policy Overview screen.

9. Click Save Policy.


Configure a prefix list for VRRP using a device template

To configure the Prefix List to the VRRP using a device template:

Procedure

1. From the Cisco SD-WAN Manager menu, choose Configuration > Templates > Device Templates.

   In Cisco vManage Release 20.7.x and earlier releases, Device Templates is titled Device.

2. Select a relevant device template and click , then click Edit to edit the template details.

3. From Policy, select the policy with the newly added prefix list and click Update.

4. Click Feature Templates.

5. Select a relevant device template and click and click Edit to edit the template details.

6. Click VRRP.

7. Select a relevant group ID and click the pen icon to associate the new prefix-list to the VRRP details and click the Track Prefix List drop-down to enter the newly added prefix-list name.

8. Click Save Changes and then Update. Click Device Templates and select the policy with the newly added prefix list.

9. Click and click Attach Devices. From Available Devices, double-click the relevant device to move it to Selected Devices, and then click Attach.


Configure VRRP using CLI commands

Provide redundant gateway service on Cisco Catalyst SD-WAN devices by configuring VRRP on service-side interfaces using CLI commands.

Before you begin

  • VRRP must be configured on service-side VPNs (not on VPN 0 or 512, except for the physical interface when using subinterfaces).

  • Ensure required interfaces and subinterfaces are created and enabled.

  • Adjust MTU for 802.1Q tagging if needed (not required for Cisco IOS XE Catalyst SD-WAN Release 17.4.1a and later).

Procedure

1. Enter the target VPN.

Example:

vpn <vpn-id>

2. Select and enable the interface (or subinterface).

Example:

interface <irbnumber>[.<subinterface>]
no shutdown

3. Assign an IP address to the interface.

Example:

ipv4 ip-address

4. Within each VRRP group, the router with the higher priority value is elected as primary VRRP. By default, each virtual router IP address has a default primary election priority of 100, so the router with the higher IP address is elected as primary. You can modify the priority value, setting it to a value from 1 through 254.

Example:

priority number

5. The primary VRRP periodically sends advertisement messages, indicating that it is still operating. If backup routers miss three consecutive VRRP advertisements, they assume that the primary VRRP is down and elect a new primary VRRP. By default, these messages are sent every second. You can change the VRRP advertisement time to be a value from 1 through 3600 seconds.

Example:

timer seconds

6. By default, VRRP uses the state of the interface on which it is running to determine which router is the primary virtual router. This interface is on the service (LAN) side of the router. When the interface for the primary VRRP goes down, a new primary VRRP virtual router is elected based on the VRRP priority value. Because VRRP runs on a LAN interface, if a router loses all its WAN control connections, the LAN interface still indicates that it is up even though the router is functionally unable to participate in VRRP. To take WAN side connectivity into account for VRRP, you can configure one of the following:

  1. Track the Overlay Management Protocol (OMP) session running on the WAN connection when determining the primary VRRP virtual router.

    Example:

    track-omp

    If all OMP sessions are lost on the primary VRRP router, VRRP elects a new default gateway from among all the gateways that have one or more active OMP sessions, even if the gateway chosen has a lower VRRP priority than the current primary VRRP router. With this option, VRRP failover occurs once the OMP state changes from up to down, which occurs when the OMP hold timer expires. Until the hold timer expires and a new primary VRRP is elected, all overlay traffic is dropped. When the OMP session recovers, the local VRRP interface claims itself as primary VRRP even before it learns and installs OMP routes from the Cisco Catalyst SD-WAN Controllers. Until the routes are learned, traffic is also dropped.

  2. Track both the OMP session and a list of remote prefixes. list-name is the name of a prefix list configured with the policy lists prefix-list command on the Cisco vEdge device:

    Example:

    track-prefix-list list-name

If all OMP sessions are lost, VRRP failover occurs as described for the track-omp option. In addition, if reachability to all the prefixes in the list is lost, VRRP failover occurs immediately, without waiting for the OMP hold timer to expire, thus minimizing the amount of overlay traffic that is dropped while the router determines the primary VRRP.

As discussed above, the IEEE 802.1Q protocol adds 4 bytes to each packet's length. Hence, for packets to be transmitted, either increase the MTU size on the physical interface in VPN 0 (the default MTU is 1500 bytes) or decrease the MTU size on the VRRP interface.

For devices running Cisco IOS XE Catalyst SD-WAN Release 17.14.1a and later, adjusting the MTU size is not required; both the physical interface and the subinterface can have the same MTU size.

Here is an example of configuring VRRP on redundant physical interfaces. For subinterface 2, vEdge1 is configured to act as the primary VRRP, and for subinterface 3, vEdge2 acts as the primary VRRP.

vEdge1# show running-config vpn 1 
vpn 1
 interface ge0/6.2
  ip address 10.2.2.3/24
  mtu      1496
  no shutdown
  vrrp 2
   ipv4 10.2.2.1
   track-prefix-list vrrp-prefix-list1
  !
 !
 interface ge0/6.3
  ip address 10.2.3.5/24
  mtu      1496
  shutdown
  vrrp 3
   ipv4 10.2.3.11
   track-prefix-list vrrp-prefix-list1
  !
 !
!

vEdge2# show running-config vpn 1 
vpn 1
 interface ge0/1.2
  ip address 10.2.2.4/24
  mtu      1496
  no shutdown
  vrrp 2
   ipv4 10.2.2.1
   track-prefix-list vrrp-prefix-list2
  !
 !
 interface ge0/1.3
  ip address 10.2.3.6/24
  mtu      1496
  no shutdown
  vrrp 3
   ipv4 10.2.3.11
   track-prefix-list vrrp-prefix-list2
  !
 !
!

vEdge1# show interface vpn 1 
 
                             IF      IF                                                              TCP                                   
                             ADMIN   OPER    ENCAP  PORT                              SPEED          MSS                 RX       TX       
VPN  INTERFACE  IP ADDRESS   STATUS  STATUS  TYPE   TYPE     MTU   HWADDR             MBPS   DUPLEX  ADJUST  UPTIME      PACKETS  PACKETS  
-------------------------------------------------------------------------------------------------------------------------------------------
1    ge0/6.2    10.2.2.3/24  Up      Up      vlan   service  1496  00:0c:29:ab:b7:94  10     full    0       0:00:05:52  0        357      
1    ge0/6.3    10.2.3.5/24  Down    Down    vlan   service  1496  00:0c:29:ab:b7:94  -      -       0       -           0        0 

vEdge1# show vrrp interfaces       

                                                                                           MASTER                             TRACK   PREFIX  
              GROUP  VIRTUAL                                 VRRP    OMP    ADVERTISEMENT  DOWN                               PREFIX  LIST    
VPN  IF NAME  ID     IP         VIRTUAL MAC        PRIORITY  STATE   STATE  TIMER          TIMER   LAST STATE CHANGE TIME     LIST    STATE   
----------------------------------------------------------------------------------------------------------------------------------------------
1    ge0/6.2  2      10.2.2.1   00:0c:29:ab:b7:94  100       master  down   1              3       2015-05-01T20:09:37+00:00  -       -       
     ge0/6.3  3      10.2.3.11  00:00:00:00:00:00  100       init    down   1              3       0000-00-00T00:00:00+00:00  -       -    

In the following example, Router-1 is the primary VRRP, because it has a higher priority value than Router-2:

Router-1# show running-config vpn 1
vpn 1
!
 interface ge0/1.15
  ip address 10.10.1.2/24
  mtu         1496
  no shutdown
  vrrp 15
   priority  110
   track-omp
   ipv4 10.20.23.1
  !
 !
!

Router-1# show vrrp vpn 1
                                                                                                MASTER                             TRACK   PREFIX  
               GROUP                                              VRRP    OMP    ADVERTISEMENT  DOWN                               PREFIX  LIST    
VPN  IF NAME   ID     VIRTUAL IP     VIRTUAL MAC        PRIORITY  STATE   STATE  TIMER          TIMER   LAST STATE CHANGE TIME     LIST    STATE   
---------------------------------------------------------------------------------------------------------------------------------------------------
1    ge0/1.1   1      10.20.22.1     00:0c:bd:08:79:a4  100       backup  up     1              3       2016-01-13T03:10:55+00:00  -       -       
     ge0/1.5   5      10.20.22.193   00:0c:bd:08:79:a4  100       backup  up     1              3       2016-01-13T03:10:55+00:00  -       -       
     ge0/1.10  10     10.20.22.225   00:0c:bd:08:79:a4  100       backup  up     1              3       2016-01-13T03:10:55+00:00  -       -       
     ge0/1.15  15     10.20.23.1     00:0c:bd:08:79:a4  110       master  up     1              3       2016-01-13T03:10:56+00:00  -       -       
     ge0/1.20  20     10.20.24.1     00:0c:bd:08:79:a4  100       backup  up     1              3       2016-01-13T03:10:56+00:00  -       -       
     ge0/1.25  25     10.20.25.1     00:0c:bd:08:79:a4  110       master  up     1              3       2016-01-13T03:10:56+00:00  -       -       
     ge0/1.30  30     10.20.25.129   00:0c:bd:08:79:a4  100       backup  up     1              3       2016-01-13T03:10:56+00:00  -       -   


Router-1# show vrrp vpn 1 interfaces ge0/1.15 groups 15

                                                                               MASTER                             TRACK   PREFIX  
GROUP                                            VRRP    OMP    ADVERTISEMENT  DOWN                               PREFIX  LIST    
ID     VIRTUAL IP   VIRTUAL MAC        PRIORITY  STATE   STATE  TIMER          TIMER   LAST STATE CHANGE TIME     LIST    STATE   
----------------------------------------------------------------------------------------------------------------------------------
1      10.20.33.1  00:0c:bd:08:79:a4  110       master  up     1              3       2016-01-13T03:10:56+00:00  -       -       

Router-2# show running-config vpn 1
vpn 1
!
 interface ge0/1.15
  ip address 10.10.1.3/24
  mtu         1496
  no shutdown
  vrrp 15
   track-omp
   ipv4 10.20.23.1
  !
 !
!

Router-2# show vrrp vpn 1 interfaces groups

                                                                                           MASTER                             TRACK   PREFIX  
          GROUP                                              VRRP    OMP    ADVERTISEMENT  DOWN                               PREFIX  LIST    
IF NAME   ID     VIRTUAL IP     VIRTUAL MAC        PRIORITY  STATE   STATE  TIMER          TIMER   LAST STATE CHANGE TIME     LIST    STATE   
----------------------------------------------------------------------------------------------------------------------------------------------
ge0/1.1   1      10.20.32.1     00:0c:bd:08:2b:a5  110       master  up     1              3       2016-01-13T00:22:15+00:00  -       -       
ge0/1.5   5      10.20.32.193   00:0c:bd:08:2b:a5  110       master  up     1              3       2016-01-13T00:22:15+00:00  -       -       
ge0/1.10  10     10.20.32.225   00:0c:bd:08:2b:a5  110       master  up     1              3       2016-01-13T00:22:15+00:00  -       -       
ge0/1.15  15     10.20.33.1     00:0c:bd:08:2b:a5  100       backup  up     1              3       2016-01-13T03:10:56+00:00  -       -       
ge0/1.20  20     10.20.34.1     00:0c:bd:08:2b:a5  110       master  up     1              3       2016-01-13T00:22:16+00:00  -       -       
ge0/1.25  25     10.20.35.1     00:0c:bd:08:2b:a5  100       backup  up     1              3       2016-01-13T03:10:56+00:00  -       -       
ge0/1.30  30     10.20.35.129   00:0c:bd:08:2b:a5  100       master  up     1              3       2016-01-13T00:22:16+00:00  -       -    

Router-2# show vrrp vpn 100 interfaces groups 15

                                                                                         MASTER                             TRACK   PREFIX  
          GROUP                                            VRRP    OMP    ADVERTISEMENT  DOWN                               PREFIX  LIST    
IF NAME   ID     VIRTUAL IP   VIRTUAL MAC        PRIORITY  STATE   STATE  TIMER          TIMER   LAST STATE CHANGE TIME     LIST    STATE   
--------------------------------------------------------------------------------------------------------------------------------------------
ge0/0.15  15     10.20.33.1   00:0c:bd:08:2b:a5  100       backup  up     1              3       2016-01-13T03:10:56+00:00  -       -

Cisco SD-WAN supports configuring multiple VRRP groups on an interface. A use case for configuring this is where primary and secondary IP addresses have been assigned to a single interface. On one interface, you can configure:

  • One primary IP address

  • Up to four secondary IP addresses

To support each of these IP addresses, you can configure up to 5 VRRP groups (each with a unique group ID) on an interface, subinterface, or integrated routing and bridging (IRB) interface that supports VRRP groups.

The following is an example of configuring 5 VRRP groups on 1 interface.

vpn 2
 interface ge0/4.2
  ip address 10.0.1.10/24
  ip secondary-address 10.0.2.10/24
  ip secondary-address 10.0.3.10/24
  ip secondary-address 10.0.4.10/24
  mtu 1496
  no shutdown
  vrrp 1
   priority 101
   ipv4 10.0.1.1
  !
  vrrp 2
   ipv4 10.0.1.2
  !
  vrrp 3
   priority 101
   ipv4 10.0.2.1
  !
  vrrp 4
   ipv4 10.0.3.1
  !
  vrrp 5
   ipv4 10.0.4.1
  !
 !
!
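
The following is an added example, not Cisco code: a Python audit of a running-config excerpt in the format shown above against three rules this guide states (priority range 1 through 254, virtual IP different from the local interface IPs, and WAN-side tracking via track-omp or track-prefix-list). The names parse_vrrp and audit and the sample configuration are assumptions made for illustration; the peer router's interface IP cannot be checked from a single configuration.

```python
import ipaddress
import re

# Constructed sample in the style of the running-config excerpts on this page.
# parse_vrrp() and audit() are hypothetical helper names, not Cisco tooling.
SAMPLE = """\
vpn 1
 interface ge0/6.2
  ip address 10.2.2.3/24
  vrrp 2
   priority  110
   ipv4 10.2.2.1
   track-omp
  !
  vrrp 3
   priority 255
   ipv4 10.2.2.3
  !
 !
!
"""

def parse_vrrp(config):
    """Return one dict per VRRP group in vEdge-style running-config text."""
    groups, iface, addrs, cur = [], None, [], None
    for line in map(str.strip, config.splitlines()):
        if m := re.match(r"interface\s+(\S+)$", line):
            iface, addrs, cur = m.group(1), [], None
        elif m := re.match(r"ip\s+(?:secondary-)?address\s+(\S+)$", line):
            addrs.append(ipaddress.ip_interface(m.group(1)).ip)
        elif m := re.match(r"vrrp\s+(\d+)$", line):
            cur = {"iface": iface, "addrs": addrs, "group": int(m.group(1)),
                   "priority": 100, "vip": None, "tracked": False}
            groups.append(cur)
        elif cur and (m := re.match(r"priority\s+(\d+)$", line)):
            cur["priority"] = int(m.group(1))
        elif cur and (m := re.match(r"ipv4\s+(\S+)$", line)):
            cur["vip"] = ipaddress.ip_address(m.group(1))
        elif cur and re.match(r"track-(omp|prefix-list\s+\S+)$", line):
            cur["tracked"] = True
    return groups

def audit(config):
    """Check every VRRP group against the rules stated in this guide."""
    findings = []
    for g in parse_vrrp(config):
        tag = f"{g['iface']} vrrp {g['group']}"
        if not 1 <= g["priority"] <= 254:
            findings.append(f"{tag}: priority {g['priority']} outside 1-254")
        if g["vip"] in g["addrs"]:
            findings.append(f"{tag}: virtual IP equals an interface IP")
        if not g["tracked"]:
            findings.append(f"{tag}: no track-omp or track-prefix-list")
    return findings
```

Calling audit(SAMPLE) returns three findings, all for group 3; group 2 passes because it sets a valid priority, a distinct virtual IP, and track-omp.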