VRRP notes.
1. Definitions.
VRRP Router - a router running the VRRP protocol. It can participate in one or more virtual routers.
Virtual router - an abstract router consisting of a Virtual Router Identifier and a set of associated IPv4 or IPv6 addresses across a LAN. A VRRP router may back up one or more virtual routers. Can be identified by Virtual router ID and
IP address owner - the VRRP router that has a virtual router's IPvX address as a real interface address.
Primary IP address - in IPv4, the address selected from the set of real interface addresses; in IPv6, the link-local address of the interface.
Virtual Router Master - the VRRP router that assumes the responsibility of forwarding packets sent to the IPvX address associated with the virtual router.
Virtual Router Backup - the set of VRRP routers available to assume forwarding responsibility for a virtual router when the master router fails.
2. Features of VRRP
- IPvX address backup
- path preference among the redundant routers based on any criteria (path cost or speed, or any other considerations)
- no backup router becomes master until the current master router fails
- the virtual router MAC address is used as the source in packets sent by the Master router
- periodic messages are sent at proper intervals
- You can use the same interface within different VRRP groups???
3. VRRP PROTOCOL
The purpose of the VRRP packet is to communicate to all VRRP routers the priority and the state of the Master router associated with the VRID.
VRRP packets protecting the IPvX address are sent encapsulated in IPvX packets with the following parameters:
- They are sent to a special multicast address: 224.0.0.18 for IPv4 and FF02:0:0:0:0:0:0:12 for IPv6. The source address is the primary address of the interface of the VRRP router.
- IPv4 TTL = 255
- IPv4 protocol number = 112
- IPv6 hop limit = 255
- IPv6 next header protocol = 112
VRRP protocol field descriptions:
- Version: 2 or 3
- Type: always 1 (ADVERTISEMENT)
- Virtual Router ID (VRID)
- Priority: 8-bit field, 1-255; the default is 100, and priority 0 has a special meaning ---> the Master has stopped participating in VRRP
- Count IPvX Addr: the number of IPvX addresses in the VRRP advertisement
- RSVD: the field must be set to 0 and ignored
- Max advertising interval: 12-bit field that indicates the time interval between advertisements in centiseconds (100 = 1 sec). For stable protocol operation this value should be equal on all VRRP routers (master and backup): a higher-priority Master with a slower transmission rate than its Backup routers is unstable. This is because low-priority nodes configured to faster rates could come online and decide they should be Masters before they have heard anything from the higher-priority Master with a slower rate.
- Checksum: 16-bit field
- IPvX address: this field specifies the addresses that are backed up by the virtual router, either IPv4 or IPv6 addresses. If there is more than one address in this field, it is recommended that all routers send these addresses in the same order.
4. Protocol state machine
Parameters per virtual router:
VRID - configurable item, range 1-255. There is no default.
Priority - value used in master election. Default is 100, range 1-255. 0 - the Master is releasing responsibility for the virtual router.
IPv6_Addresses or IPv4_Addresses - one or more IP addresses associated with the virtual router.
Advertisement_Interval - the time between ADVERTISEMENTs sent (default 1 second)
Master_Adver_Interval - the Advertisement_Interval contained in ADVERTISEMENTs received from the MASTER router
Skew_Time - the time to skew Master_Down_Interval = (((256 - Priority) * Master_Adver_Interval) / 256)
Master_Down_Interval - the interval for a Backup router to declare the Master down = 3 * Master_Adver_Interval + Skew_Time
Preempt_Mode - true or false value that controls whether a higher-priority backup router preempts a lower-priority backup router (preempt bit is set in advertisement)
Accept_Mode - allows receiving packets addressed to the VRRP router's non-virtual interface.
Virtual_Router_MAC_Address - the MAC address used as the source MAC address in VRRP advertisements and advertised in ARP responses.
Timers
Master_Down_Timer
Adver_Timer
INIT state:
- the router waits for a startup event
- the router waits to become a MASTER or a BACKUP router
IF the router owns the IP address associated with the virtual router, then it sets the Adver_Timer to Advertisement_Interval, sends advertisements and transitions to MASTER
ELSE the router sets ADVERTISEMENT interval, sets Master_Down_Interval to Advertisement_Interval, sets the Master_Down_Timer to Master_Down_Interval and transitions to BACKUP
BACKUP state:
A router in the backup state monitors the state of the master router.
While in this state, a VRRP router must do the following:
- must not respond to ARP requests for the virtual address
- must discard packets with a destination MAC address equal to the virtual router MAC address
- must not accept packets addressed to the virtual router
While the router is in the backup state, the following events can happen:
-- shutdown event received
-> cancel the Master_Down_Timer
-> transition to INIT state
-- Master_Down_Timer fires
-> send an advertisement, send ARP for IPv4 or ND for IPv6
-> set the Adver_Timer to Advertisement_Interval
-- Advertisement received
-> If the priority in the advertisement is zero, then set the Master_Down_Timer to Skew_Time
-> Check the received advertisement for preemption and priority and, as a result, re-elect the MASTER
MASTER state:
The router in the master state functions as the forwarding router
-- Advertisement received
-> transition to BACKUP only if the received ADVERTISEMENT has a higher priority, or the same priority but a greater IPvX address than the local one
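The timer arithmetic and the advertisement handling of the BACKUP and MASTER states, as an added example that is not part of the original notes. It follows the RFC 5798 rules these notes summarise, keeps all times in centiseconds, and also checks the instability case from section 3 (a Backup configured with a faster rate than the Master); the class and function names are hypothetical, and MASTER-state handling of a priority-0 advertisement is omitted.

```python
from dataclasses import dataclass, field

@dataclass
class VirtualRouter:
    priority: int                    # 1-255
    advertisement_interval: int      # locally configured, in centiseconds
    preempt_mode: bool = True
    state: str = "BACKUP"
    master_adver_interval: int = field(init=False, default=0)

    def __post_init__(self):
        # Until an advertisement is heard, RFC 5798 starts from the local interval.
        self.master_adver_interval = self.advertisement_interval

    @property
    def skew_time(self) -> float:
        return (256 - self.priority) * self.master_adver_interval / 256

    @property
    def master_down_interval(self) -> float:
        return 3 * self.master_adver_interval + self.skew_time

    def on_advertisement(self, adv_priority, adv_interval, adv_ip_greater=False):
        """Return (state, new Master_Down_Timer in cs, or None if it is left alone)."""
        if self.state == "BACKUP":
            if adv_priority == 0:                      # Master is stepping down
                return self.state, self.skew_time
            if not self.preempt_mode or adv_priority >= self.priority:
                self.master_adver_interval = adv_interval
                return self.state, self.master_down_interval
            return self.state, None                    # discarded; timer keeps running
        # MASTER: yield only to a higher priority, or equal priority and greater address
        if adv_priority > self.priority or (
                adv_priority == self.priority and adv_ip_greater):
            self.state = "BACKUP"
            self.master_adver_interval = adv_interval
            return self.state, self.master_down_interval
        return self.state, None

def times_out_before_first_advert(backup: VirtualRouter, master_interval_cs: int) -> bool:
    """A fresh Backup hears nothing for up to one Master interval after it starts."""
    return backup.master_down_interval < master_interval_cs
```

With priority 100 and a 1-second local interval, the Backup's initial Master_Down_Interval is 360.9375 centiseconds, so a Master advertising every 10 seconds would be declared down before its first advertisement arrives.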
5. VRRP packets
- VRRP packets are sent with the source MAC address of the virtual router and the source IP address of the primary interface
- VRRP packets are sent to the multicast group 224.0.0.18
- The virtual MAC address is assigned by IANA and looks like 00-00-5e-00-01-[VRID] for IPv4 and 00-00-5e-00-02-[VRID] for IPv6
- The VRRP master must respond to ARP requests with the virtual MAC address
- The VRRP master router should never send ARP with its own physical interface address as a source
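A receiver-side check of the encapsulation rules from sections 3 and 5, as an added example that is not part of the original notes: it parses one Ethernet/IPv4 frame with the VRRPv3 field layout listed above and reports every rule the frame breaks. The function names and the sample frame (built from the VRID 23 / 10.10.10.10 values used in the configuration section) are constructed for illustration; checksum verification and the VRRPv2 layout are not covered.

```python
import ipaddress
import struct

VRRP_PROTO = 112
VRRP_GROUP = ipaddress.IPv4Address("224.0.0.18")

def check_advert(frame: bytes) -> dict:
    """Parse Ethernet/IPv4/VRRPv3 and list deviations from the rules in these notes."""
    if len(frame) < 14 + 20 + 8:
        raise ValueError("too short for Ethernet + IPv4 + VRRP headers")
    src_mac, ip = frame[6:12], frame[14:]
    ihl, total_len = (ip[0] & 0x0F) * 4, struct.unpack("!H", ip[2:4])[0]
    ttl, proto = ip[8], ip[9]
    src, dst = (ipaddress.IPv4Address(ip[o:o + 4]) for o in (12, 16))
    msg = ip[ihl:total_len]          # drops Ethernet padding
    if len(msg) < 8:
        raise ValueError("truncated VRRP header")
    ver_type, vrid, prio, count, rsvd_int, _cksum = struct.unpack("!BBBBHH", msg[:8])
    issues = []
    if proto != VRRP_PROTO:
        issues.append("IP protocol is not 112")
    if dst != VRRP_GROUP:
        issues.append("destination is not 224.0.0.18")
    if ttl != 255:                   # a packet forwarded by any router arrives with less
        issues.append("TTL is not 255")
    if ver_type != 0x31:             # version 3 in the high nibble, type 1 in the low
        issues.append("not a version 3 ADVERTISEMENT")
    if src_mac != bytes([0x00, 0x00, 0x5E, 0x00, 0x01, vrid]):
        issues.append("source MAC is not 00-00-5e-00-01-[VRID]")
    if len(msg) != 8 + 4 * count:
        issues.append("address count does not match message length")
    addrs = [str(ipaddress.IPv4Address(msg[i:i + 4])) for i in range(8, len(msg) - 3, 4)]
    return {"vrid": vrid, "priority": prio, "max_adver_int_cs": rsvd_int & 0x0FFF,
            "source": str(src), "addresses": addrs, "issues": issues}

def build_frame(vrid=23, prio=250, ttl=255, src_mac=None, vips=("10.10.10.10",)):
    """Constructed sample frame; both checksums are left at 0 and are not verified."""
    msg = struct.pack("!BBBBHH", 0x31, vrid, prio, len(vips), 100, 0)
    msg += b"".join(ipaddress.IPv4Address(v).packed for v in vips)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0xC0, 20 + len(msg), 0, 0, ttl,
                     VRRP_PROTO, 0, ipaddress.IPv4Address("10.10.10.1").packed,
                     VRRP_GROUP.packed)
    mac = src_mac or bytes([0x00, 0x00, 0x5E, 0x00, 0x01, vrid])
    return bytes.fromhex("01005e000012") + mac + b"\x08\x00" + ip + msg
```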
6. Configuring VRRP
VRRP configuration in IOS is applied per interface:
basic config:
interface GigabitEthernet0/0
ip address 10.10.10.1 255.255.255.0
vrrp 23 ip 10.10.10.10 <---- 23 is the VRRP group [VRID] for the VRRP process
end
Change default priority for a VRRP router in the group:
R1(config-if)#vrrp 23 priority 250
You can change the advertisement interval:
R1(config-if)#vrrp 23 timers advertise 100
Configure vrrp router as a backup router to learn the advertising interval of the master router:
R1(config-if)#vrrp 23 timers learn
Configure authentication for VRRP for security purposes:
R1(config-if)#vrrp 23 authentication md5 key-string myplaintextpass
With an authentication mismatch you will see a message:
%VRRP-4-BADAUTHTYPE: Bad authentication from 10.10.10.1, group 23, type 254, expected 0
You can tune the preempt feature:
R1(config-if)#vrrp 23 preempt delay minimum 200
Disable VRRP with the following command:
R1(config-if)#vrrp 23 shutdown
%VRRP-6-STATECHANGE: Gi0/0 Grp 23 state Master -> Init
After disabling, the VRRP process transitions to the INIT state
Configure track feature for VRRP convergence:
R1(config-if)#vrrp 23 track 1 decrement 90
R1(config)#track 1 interface fa 1/0 line-protocol
Verify:
R1(config-track)#do sh vrrp
GigabitEthernet0/0 - Group 23
TEST_VRRP_GROUP
State is Init
Virtual IP address is 10.10.10.10
Virtual MAC address is 0000.5e00.0117
Advertisement interval is 100.000 sec
Preemption enabled, delay min 200 secs
Priority is 250
Track object 1 state Up decrement 90 <----here is our configuration
Authentication MD5, key-string
Master Router is 10.10.10.2, priority is 100
Master Advertisement interval is 10.000 sec
Master Down interval is 300.023 sec
Manually shut tracked interface:
R1(config-track)#int fa 1/0
R1(config-if)#shut
%TRACKING-5-STATE: 1 interface Fa1/0 line-protocol Up->Down <------ tracking event coming
R1(config-if)#do sh vrrp
GigabitEthernet0/0 - Group 23
TEST_VRRP_GROUP
State is Init
Virtual IP address is 10.10.10.10
Virtual MAC address is 0000.5e00.0117
Advertisement interval is 100.000 sec
Preemption enabled, delay min 200 secs
Priority is 160 (cfgd 250) <------------------ as you can see, the priority value is decremented by 90
Track object 1 state Down decrement 90
Authentication MD5, key-string
Master Router is 10.10.10.2, priority is 100
Master Advertisement interval is 10.000 sec
Master Down interval is 300.023 sec
You can specify a secondary virtual router address for the same VRRP group:
R1(config-if)#int gi 0/0
R1(config-if)#vrrp 23 ip 172.19.1.1 secondary
% warning: address is not within a subnet on this interface <---- you should configure address within a subnet on a particular interface
R1(config-if)#vrrp 23 ip 10.10.10.100 secondary
You can set the VRRP group IP address to the same address as the interface IP address. This raises the VRRP priority to 255 (it is impossible to manually set a priority value higher than 254):
R2#sh vrrp
GigabitEthernet0/0 - Group 23
State is Master
Virtual IP address is 10.10.10.2
Virtual MAC address is 0000.5e00.0117
Advertisement interval is 10.000 sec
Preemption enabled
Priority is 255
Authentication MD5, key-string
Master Router is 10.10.10.2 (local), priority is 255
Master Advertisement interval is 10.000 sec
Master Down interval is 30.003 sec
7. VRRP verification commands
R1#show vrrp ?
all Include groups in disabled state
brief Brief output
interface VRRP interface status and configuration
| Output modifiers
<cr>
R1#show vrrp
GigabitEthernet0/0 - Group 23
TEST_VRRP_GROUP
State is Init
Virtual IP address is 10.10.10.10
Secondary Virtual IP address is 10.10.10.100
Secondary Virtual IP address is 172.19.1.1 (wrong subnet for this interface)
Virtual MAC address is 0000.5e00.0117
Advertisement interval is 100.000 sec
Preemption enabled, delay min 200 secs
Priority is 160 (cfgd 250)
Track object 1 state Down decrement 90
Authentication MD5, key-string
Master Router is 10.10.10.2, priority is 100
Master Advertisement interval is 10.000 sec
Master Down interval is 300.023 sec
R1#show vrrp interface gi 0/0
GigabitEthernet0/0 - Group 23
TEST_VRRP_GROUP
State is Init
Virtual IP address is 10.10.10.10
Secondary Virtual IP address is 10.10.10.100
Secondary Virtual IP address is 172.19.1.1 (wrong subnet for this interface)
Virtual MAC address is 0000.5e00.0117
Advertisement interval is 100.000 sec
Preemption enabled, delay min 200 secs
Priority is 160 (cfgd 250)
Track object 1 state Down decrement 90
Authentication MD5, key-string
Master Router is 10.10.10.2, priority is 100
Master Advertisement interval is 10.000 sec
Master Down interval is 300.023 sec
R1#sh vrrp brief
Interface Grp Pri Time Own Pre State Master addr Group addr
Gi0/0 23 160 300023 Y Init 10.10.10.2 10.10.10.10
R1#debug vrrp ?
all Debug all VRRP information
auth VRRP authentication reporting
errors VRRP error reporting
events Protocol and Interface events
packets VRRP packet details
state VRRP state reporting
track Monitor tracking
<cr>
R1#sh run int gi 0/0 | i vrrp
vrrp 23 description TEST_VRRP_GROUP
vrrp 23 ip 10.10.10.10
vrrp 23 ip 10.10.10.100 secondary
vrrp 23 ip 172.19.1.1 secondary
vrrp 23 timers advertise 100
vrrp 23 timers learn
vrrp 23 preempt delay minimum 200
vrrp 23 priority 250
vrrp 23 authentication md5 key-string myplaintextpass
vrrp 23 track 1 decrement 90