Configuring VRRP for Multiple Subnets on a Single Interface

FAQ Community

C

Cisco Engineer 2025-10-28

98

3052

Question：Configuring VRRP for Multiple Subnets on a Single Interface

Cisco Hands-on Technology

SPOTO Cisco Expert

Settle a problem：41

Answered：

1.0 Problem Statement

A common network design requirement is to provide redundant default gateways for multiple IP subnets that terminate on a pair of Layer 3 devices, such as Cisco IOS-XE routers or multilayer switches. A network administrator attempted to achieve this by configuring a single physical interface with a primary IP address and one or more secondary IP addresses.

For instance, an interface was configured as follows:

interface GigabitEthernet0/0/0
 ip address 10.10.10.1 255.255.255.0
 ip address 20.20.20.1 255.255.255.0 secondary

The administrator successfully configured a VRRP group for the primary subnet:

interface GigabitEthernet0/0/0
 vrrp 1 ip 10.10.10.254

However, when attempting to configure a second VRRP group to provide a virtual IP (VIP) for the secondary subnet, the configuration was rejected with the following error message:

Router(config-if)# vrrp 2 ip 20.20.20.254
% VRRP-4-BAD_VIP: VRRP group 2 on GigabitEthernet0/0/0 - VIP 20.20.20.254 is not on the same subnet as the primary interface IP address

The core issue is the inability of Cisco IOS-XE to associate a VRRP VIP with a secondary IP address on an interface.

2.0 Root Cause Analysis

The behavior observed is by design in Cisco’s VRRP implementation on IOS and IOS-XE platforms. The VRRP protocol is fundamentally tied to the interface’s primary IP address. When a VRRP group is configured, the system validates that the specified VIP belongs to the same subnet as the primary IP address assigned to that interface. It does not perform this validation check against any secondary IP addresses.

This design choice ensures a clear and unambiguous relationship between a VRRP group and its associated Layer 3 subnet. Using secondary addresses in this context would introduce ambiguity, as the router would have to decide which source IP address (primary or secondary) to use for VRRP control packets (advertisements) for each group, potentially leading to unpredictable behavior. Therefore, the software explicitly prevents this configuration to enforce a cleaner, more reliable design.

3.0 Recommended Solution: Utilizing 802.1q Subinterfaces

The correct and scalable architectural approach to providing redundant gateways for multiple subnets is to use logical subinterfaces, with each subinterface corresponding to a specific VLAN and IP subnet. This method aligns with networking best practices by logically separating broadcast domains and providing a dedicated Layer 3 presence for each subnet.

Each subinterface operates as an independent logical interface, possessing its own primary IP address. This allows a unique VRRP group to be configured on each subinterface, directly resolving the issue.

Implementation Steps:

Prepare the Physical Interface: The physical interface connecting to the Layer 2 switch should be configured as a trunk port and should not have an IP address assigned directly to it.
Create Subinterfaces: For each VLAN/subnet requiring a gateway, create a corresponding subinterface.
Configure Encapsulation: On each subinterface, specify the 802.1q VLAN ID using the encapsulation dot1q <vlan_id> command.
Assign IP Address: Assign the appropriate IP address to each subinterface. This will be the primary address for that logical interface.
Configure VRRP: Configure a distinct VRRP group on each subinterface with the desired VIP for that subnet.

4.0 Configuration Example

This example demonstrates the solution for the two subnets from the original problem: 10.10.10.0/24 (VLAN 10) and 20.20.20.0/24 (VLAN 20).

Router A (Master)

Higher VRRP priority (e.g., 110).
Preemption is enabled to ensure it reclaims the Master role upon recovery.

! Configure the physical interface as a trunk port
interface GigabitEthernet0/0/0
 no ip address
 negotiation auto
!
! Subinterface for VLAN 10 (10.10.10.0/24 subnet)
interface GigabitEthernet0/0/0.10
 description Gateway for VLAN 10 Users
 encapsulation dot1q 10
 ip address 10.10.10.1 255.255.255.0
 vrrp 10 priority 110
 vrrp 10 preempt
 vrrp 10 ip 10.10.10.254
!
! Subinterface for VLAN 20 (20.20.20.0/24 subnet)
interface GigabitEthernet0/0/0.20
 description Gateway for VLAN 20 Servers
 encapsulation dot1q 20
 ip address 20.20.20.1 255.255.255.0
 vrrp 20 priority 110
 vrrp 20 preempt
 vrrp 20 ip 20.20.20.254

Router B (Backup)

Default VRRP priority (100).
Preemption is typically not configured on the backup router.

! Configure the physical interface as a trunk port
interface GigabitEthernet0/0/0
 no ip address
 negotiation auto
!
! Subinterface for VLAN 10 (10.10.10.0/24 subnet)
interface GigabitEthernet0/0/0.10
 description Gateway for VLAN 10 Users
 encapsulation dot1q 10
 ip address 10.10.10.2 255.255.255.0
 vrrp 10 priority 100
 vrrp 10 ip 10.10.10.254
!
! Subinterface for VLAN 20 (20.20.20.0/24 subnet)
interface GigabitEthernet0/0/0.20
 description Gateway for VLAN 20 Servers
 encapsulation dot1q 20
 ip address 20.20.20.2 255.255.255.0
 vrrp 20 priority 100
 vrrp 20 ip 20.20.20.254

Note: The downstream switch ports connecting to these routers must be configured as 802.1q trunks, allowing VLANs 10 and 20.

5.0 Verification

To verify the configuration, use the show vrrp brief command on both routers. The output will clearly show the state of each VRRP group on its respective subinterface.

On Router A (Master):

RouterA# show vrrp brief
Interface          Grp Pri Time  Own Pre State   Master addr     Group addr
Gi0/0/0.10         10  110 3609      Y   Master  10.10.10.1      10.10.10.254
Gi0/0/0.20         20  110 3609      Y   Master  20.20.20.1      20.20.20.254

On Router B (Backup):

RouterB# show vrrp brief
Interface          Grp Pri Time  Own Pre State   Master addr     Group addr
Gi0/0/0.10         10  100 3609          Backup  10.10.10.1      10.10.10.254
Gi0/0/0.20         20  100 3609          Backup  20.20.20.1      20.20.20.254

This output confirms that Router A is the Master for both VIPs and Router B is the Backup, successfully providing gateway redundancy for both subnets.

6.0 Conclusion

While the use of secondary IP addresses is a valid feature for multi-netting a single broadcast domain, it is incompatible with the design of the VRRP protocol for providing gateway redundancy across different subnets. The correct, scalable, and Cisco-recommended method is to leverage 802.1q subinterfaces. This approach provides a clean, one-to-one mapping between a VLAN, an IP subnet, and a VRRP group, ensuring predictable and robust network operation.

SPOTO Cisco Expert

1.0 Problem Statement

2.0 Root Cause Analysis

3.0 Recommended Solution: Utilizing 802.1q Subinterfaces

4.0 Configuration Example

5.0 Verification

6.0 Conclusion

IPv6 Gateway Ping Failures in a Router-on-a-Stick Topology

Bulk VLAN Provisioning via Catalyst Center CLI Templates

Analysis and Enhanced Configuration for Guest WLAN Showing "Security: None"

Solution for Implementing Inter-VLAN Routing with Switched Virtual Interfaces (SVIs)

Recommended Solution for Inter-Building Network Connectivity (140m Distance)