When configuring VRRP, go to these sections for information you are interested in:
- Introduction to VRRP
- Configuring VRRP for IPv4
- Configuring VRRP for IPv6
- IPv4-Based VRRP Configuration Examples
- IPv6-Based VRRP Configuration Examples
- Troubleshooting VRRP
At present, the
interfaces that VRRP involves can only be VLAN interfaces unless otherwise
specified.
1.1 Introduction to VRRP
Normally, as shown in Figure 1-1, you can
configure a default route with the gateway as the next hop for every host on a
network segment, allowing all packets destined to the other network segments to
be sent over the default route to the gateway and then be forwarded by the
gateway. This enables hosts on a network segment to communicate with external
networks. However, when the gateway fails, all the hosts using the gateway as
the default next-hop switch fail to communicate with the external network.

Figure 1-1 LAN networking
Apparently, this approach to enabling hosts
on a network to communicate with external networks is easy to configure but it
imposes a very high requirement of performance stability on the device acting
as the gateway. A common way to improve system reliability is to use more
egress gateways, introducing the problem of routing among the multiple
egresses.
Virtual Router Redundancy Protocol (VRRP) is
an error-tolerant protocol designed to address this problem through separating
physical devices from logical devices. Deploying VRRP on multicast and
broadcast LANs such as Ethernet, you can ensure that the system can still
provide highly reliable default links without changing configurations (such as
dynamic routing protocols, route discovery protocols) when a device fails and
prevent network interruption due to a single link failure.
There are two VRRP versions: VRRPv2 and
VRRPv3. VRRPv2 is based on IPv4, while VRRPv3 is based on IPv6. The two
versions implement the same functions but provide different commands.
1.1.2 VRRP Standby Group Overview
VRRP combines a group of switches (including a master and multiple backups) on a LAN
into a virtual router called a standby group.
The VRRP standby group has the following
features:
- A virtual router has an IP address. A host on the LAN only needs to know the IP address of the virtual router and uses the IP address as the next hop of the default route.
- Every host on the LAN communicates with external networks through the virtual router.
- Switches in the standby group elect the gateway according to their priorities. Once the master switch acting as the gateway fails, the other switches in the standby group elect a new gateway to undertake the responsibility of the failed switch, thus ensuring that the hosts in the network segment can communicate with the external networks uninterruptedly.

Figure 1-2 Network diagram for VRRP
As shown in Figure 1-2, Switch A, Switch B, and Switch
C form a virtual router, which has its own IP address. Hosts on the Ethernet
use the virtual router as the default gateway.
The switch with the highest priority of the
three switches is elected as the master switch to act as the gateway, and the
other two are backup switches.
Caution:
- The IP address of the virtual router can be either an unused IP address on the segment where the standby group resides or the IP address of an interface on a switch in the standby group. In the latter case, the switch is called the IP address owner.
- In a VRRP standby group, there can only be one IP address owner.
I. VRRP priority
VRRP determines the role (master or backup)
of each switch in the standby group by priority. A switch with a higher priority
has more opportunity to become the master.
VRRP priority is in the range of 0 to 255. A
bigger number means a higher priority. Priorities 1 to 254 are configurable. Priority
0 is reserved for special uses and priority 255 for the IP address owner. When
a switch acts as the IP address owner, its priority remains 255. That is, if
there is an IP address owner in a standby group, it acts as the master as long
as it works properly.
II. Working mode
A switch in a standby group can work in one
of the following two modes:
- Non-preemption mode
  Once a switch in the standby group becomes the master, it stays as the master as long as it operates normally, even if a backup switch is assigned a higher priority later.
- Preemption mode
  Once a backup switch finds its priority higher than that of the switch acting as the master, it sends VRRP advertisements to start a new master switch election in the standby group and becomes the master. Accordingly, the original master switch becomes a backup.
III. Authentication mode
VRRP provides two authentication modes:
- simple: Simple text authentication
  You can adopt the simple text authentication mode in a network facing possible security problems. A switch sending a packet fills the authentication key into the packet, and the switch receiving the packet compares its local authentication key with that of the received packet. If the two authentication keys are the same, the received VRRP packet is considered real and valid; otherwise, the received packet is considered an invalid one.
- md5: MD5 authentication
  You can adopt MD5 authentication in a network facing severe security problems. The switch encrypts a packet to be sent using the authentication key and MD5 algorithm and saves the encrypted packet in the authentication header. The switch receiving the packet uses the authentication key to decrypt the packet and checks whether the packet is valid.
On a secure network, you need not set the authentication
mode.
1.1.3 VRRP Timers
VRRP timers include the VRRP advertisement interval timer and the VRRP preemption
delay timer.
I. VRRP advertisement interval timer
The master switch in a VRRP standby group
sends VRRP advertisements periodically to inform the other switches in the
standby group that it operates properly.
You can adjust the interval of sending VRRP
advertisements by setting the VRRP advertisement interval timer. If a backup switch
receives no advertisements in three times the interval, the backup switch
regards itself as the master switch and sends VRRP advertisements to start a
new master switch election.
II. VRRP preemption delay timer
In an unstable network, a backup switch may
fail to receive the packets from the master switch due to network congestion,
thus causing the members in the group to change their states frequently. This
problem can be addressed through setting the VRRP preemption delay timer.
With the VRRP preemption delay timer set, if
a backup switch receives no advertisement within three times the advertisement
interval and then within the preemption delay that follows, it considers that
the master has failed. In this case, it regards itself as the master and sends
VRRP advertisements to start a new master switch election in the standby group.
1.1.4 Format of VRRP Packets
VRRP uses multicast packets. The switch
acting as the master sends VRRP packets periodically to declare its existence.
VRRP packets are also used for checking the parameters of the virtual router
and electing the master.
I. IPv4-based VRRP packet format

Figure 1-3 IPv4-based VRRP packet format
As shown in Figure 1-3, an IPv4-based VRRP packet
consists of the following fields:
- Version: Version number of the protocol, 2 for VRRPv2.
- Type: Type of the VRRP packet. Only one VRRP packet type is present, that is, VRRP advertisement, which is represented by 1.
- Virtual Rtr ID (VRID): Number of the virtual router, that is, number of the standby group. It ranges from 1 to 255.
- Priority: Priority of the switch in the standby group, in the range 0 to 255. A greater value represents a higher priority.
- Count IP Addrs: Number of virtual IP addresses for the standby group. A standby group can have multiple virtual IP addresses.
- Auth Type: Authentication type. 0 means no authentication, 1 means simple authentication, and 2 means MD5 authentication.
- Adver Int: Interval for sending advertisement packets, in seconds. The default is 1.
- Checksum: 16-bit checksum for validating the data in VRRP packets.
- IP Address: Virtual IP address entry of the standby group. The allowed number is given by the Count IP Addrs field.
- Authentication Data: Authentication key. Currently, this field is used only for simple authentication and is 0 for any other authentication modes.
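The field list above maps directly onto a parser. The following Python code is an added example, not taken from the original manual: it decodes a VRRPv2 advertisement, re-checks the Checksum field, and compares Auth Type with the mode configured for the group. The byte layout follows the VRRPv2 format in RFC 3768 (Figure 1-3 is not reproduced in the text); the names `build_vrrp2`, `parse_vrrp2`, `audit` and the sample packet are constructed for illustration.

```python
import ipaddress
import struct
from dataclasses import dataclass

AUTH_NAMES = {0: "none", 1: "simple", 2: "md5"}  # Auth Type values from the field list


def checksum16(data: bytes) -> int:
    """16-bit one's-complement checksum over the VRRP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


@dataclass
class Vrrp2Advert:
    vrid: int
    priority: int
    auth_type: int
    adver_int: int
    addresses: list
    auth_data: bytes
    checksum_ok: bool


def build_vrrp2(vrid, priority, addresses, auth_type=0, key=b"", adver_int=1) -> bytes:
    """Build a constructed sample advertisement (Version 2, Type 1)."""
    body = b"".join(ipaddress.IPv4Address(a).packed for a in addresses)
    body += key.ljust(8, b"\x00")[:8]  # Authentication Data is 8 bytes
    head = struct.pack("!BBBBBB", (2 << 4) | 1, vrid, priority,
                       len(addresses), auth_type, adver_int)
    cksum = checksum16(head + b"\x00\x00" + body)  # checksum field is zero while summing
    return head + struct.pack("!H", cksum) + body


def parse_vrrp2(msg: bytes) -> Vrrp2Advert:
    if len(msg) < 8:
        raise ValueError("truncated VRRP header")
    ver_type, vrid, prio, count, auth, adver = struct.unpack("!BBBBBB", msg[:6])
    if ver_type >> 4 != 2 or ver_type & 0x0F != 1:
        raise ValueError("not a VRRPv2 advertisement")
    if vrid == 0:
        raise ValueError("VRID must be in the range 1 to 255")
    if len(msg) != 8 + 4 * count + 8:
        raise ValueError("length does not match Count IP Addrs")
    addrs = [str(ipaddress.IPv4Address(msg[8 + 4 * i:12 + 4 * i])) for i in range(count)]
    # A message carrying a correct checksum sums to zero when re-checked whole.
    return Vrrp2Advert(vrid, prio, auth, adver, addrs,
                       msg[8 + 4 * count:], checksum16(msg) == 0)


def audit(adv: Vrrp2Advert, expected_auth: int) -> list:
    """Compare a received advertisement with the group's configured settings."""
    findings = []
    if not adv.checksum_ok:
        findings.append("bad checksum")
    if adv.auth_type != expected_auth:
        findings.append(f"auth type {AUTH_NAMES.get(adv.auth_type, adv.auth_type)} "
                        f"differs from configured {AUTH_NAMES[expected_auth]}")
    if adv.auth_type != 1 and any(adv.auth_data):
        findings.append("Authentication Data should be 0 outside simple mode")
    if adv.auth_type == 1:
        findings.append("simple mode: key is carried as readable text in the packet")
    return findings


# Constructed sample: standby group 1, priority 100, one virtual IP, simple key "hello"
SAMPLE = build_vrrp2(1, 100, ["192.168.0.10"], auth_type=1, key=b"hello")

if __name__ == "__main__":
    adv = parse_vrrp2(SAMPLE)
    print(adv)
    print(audit(adv, expected_auth=1))
```

Only the VRRP message is parsed here; the enclosing IP header, including its TTL, is outside the scope of this example.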
II. IPv6-based VRRP packet format

Figure 1-4 IPv6-based VRRP packet format
As shown in Figure 1-4, an IPv6-based VRRP packet
consists of the following fields:
- Version: Version number of the protocol, 3 for VRRPv3.
- Type: Type of the VRRP packet. Only one VRRP packet type is present, that is, VRRP advertisement, which is represented by 1.
- Virtual Rtr ID (VRID): Number of the virtual router, that is, number of the standby group. It ranges from 1 to 255.
- Priority: Priority of the switch in the standby group, in the range 0 to 255. A greater value represents a higher priority.
- Count IPv6 Addrs: Number of virtual IPv6 addresses for the standby group. A standby group can have multiple virtual IPv6 addresses.
- Auth Type: Authentication type. 0 means no authentication, 1 means simple authentication. VRRPv3 does not support MD5 authentication.
- Adver Int: Interval for sending advertisement packets, in centiseconds. The default is 100.
- Checksum: 16-bit checksum for validating the data in VRRPv3 packets.
- IPv6 Address: Virtual IPv6 address entry of the standby group. The allowed number is given by the Count IPv6 Addrs field.
- Authentication Data: Authentication key. Currently, this field is used only for simple authentication and is 0 for any other authentication modes.
1.1.5 Principles of VRRP
- With VRRP enabled, the switches determine their respective roles in the standby group by priority. The switch with the highest priority becomes the master, while the others are the backups. The master sends VRRP advertisement packets periodically to notify the backups that it is working properly, and each of the backups starts a timer to wait for advertisement packets from the master.
- In preemption mode, when a backup receives a VRRP advertisement packet, it compares the priority in the packet with that of its own. If its priority is higher, it becomes the master; otherwise, it remains a backup.
- In non-preemption mode, a switch in the standby group remains a master or backup as long as the master does not fail. A backup will not become the master even if it is configured with a higher priority.
- If the timer of a backup expires but the backup still has not received any VRRP advertisement packet, it considers that the master has failed. In this case, the backup switch considers itself the master switch and sends VRRP advertisements to start the election process to elect a new master switch for forwarding packets.
1.1.6 VRRP Interface Tracking
The interface tracking function expands the
backup functionality of VRRP. It provides backup not only when the interface to
which a standby group is assigned fails but also when other interfaces on the switch
become unavailable. This is achieved by tracking interfaces. When a monitored
interface goes down, the priority of the switch owning the interface is automatically
decreased by a specified value, allowing a higher priority switch in the
standby group to become the master.
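The election rules in 1.1.5, the timers in 1.1.3 and the priority reduction described above can be modelled to check that a planned set of priorities yields the intended master after each event. This is an added example, not code from the manual; the `Member` class, the interface label `uplink`, the floor of 1 on a reduced priority and the name-based tie-break are assumptions made for the model.

```python
from dataclasses import dataclass, field


@dataclass
class Member:
    name: str
    priority: int = 100        # configurable range 1 to 254, 100 by default
    ip_owner: bool = False     # the IP address owner always runs at 255
    preempt: bool = True       # preemption mode is the default
    up: bool = True
    tracked: dict = field(default_factory=dict)     # interface -> priority reduction
    down_ifaces: set = field(default_factory=set)   # tracked interfaces currently down

    def running_priority(self) -> int:
        if self.ip_owner:
            return 255
        if not 1 <= self.priority <= 254:
            raise ValueError(f"{self.name}: priority must be 1 to 254")
        cut = sum(v for k, v in self.tracked.items() if k in self.down_ifaces)
        return max(self.priority - cut, 1)  # assumption: reduced priority floors at 1


def master_down_timeout(adver_interval: float, preempt_delay: float = 0) -> float:
    """Silence a backup tolerates before it considers the master failed."""
    return 3 * adver_interval + preempt_delay


def elect(members, current=None):
    """Return the member acting as master after one election round."""
    alive = [m for m in members if m.up]
    if not alive:
        return None

    def rank(m):
        # assumption: equal priorities are ordered by name
        return (-m.running_priority(), m.name)

    if current is None or not current.up:
        return min(alive, key=rank)
    # A working master is displaced only by a backup in preemption mode
    # whose running priority is strictly higher.
    challengers = [m for m in alive if m is not current and m.preempt
                   and m.running_priority() > current.running_priority()]
    return min(challengers, key=rank) if challengers else current


def scenario():
    """Constructed three-switch group; returns the master after each event."""
    a = Member("SwitchA", priority=110, tracked={"uplink": 30})
    b = Member("SwitchB", priority=100)
    c = Member("SwitchC", priority=90)
    group, history = [a, b, c], []
    master = elect(group)                  # initial election
    history.append(master.name)
    a.down_ifaces.add("uplink")            # tracked interface fails: A runs at 80
    master = elect(group, master)
    history.append(master.name)
    a.down_ifaces.clear()                  # A is back at 110 ...
    a.preempt = False                      # ... but in non-preemption mode
    master = elect(group, master)
    history.append(master.name)
    a.preempt = True                       # preemption mode again
    master = elect(group, master)
    history.append(master.name)
    a.up = False                           # the master itself fails
    master = elect(group, master)
    history.append(master.name)
    return history


if __name__ == "__main__":
    print(scenario())
    print(master_down_timeout(1, 5))
```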
I. Master/backup
In master/backup mode, only one switch, the
master, provides services. When the master fails, a new master is elected from
the original backups. This mode requires only one standby group, in which each switch
holds different priorities and the one with the highest priority becomes the
master, as shown in Figure
1-5.

Figure 1-5 VRRP in master/backup mode
At the beginning, Switch A is the master
and therefore forwards packets to external networks, while Switch B and Switch
C are backups in the listening state. If Switch A fails, Switch B and Switch C
elect a new master. The new master takes over the forwarding task to provide
services to hosts on the LAN.
II. Load balancing
You can create more than one standby group
on an interface of a switch, allowing the switch to be the master of one
standby group but a backup of another at the same time.
In load balancing mode, multiple switches
provide services at the same time. This mode requires two or more standby
groups, each of which includes a master and one or more backups. The masters of
the standby groups can be assumed by different switches, as shown in Figure 1-6.

Figure 1-6 VRRP in load balancing mode
A switch can be in multiple standby groups
and hold a different priority in each group.
In Figure 1-6, three standby groups are
present:
- Standby group 1: Switch A is the master; Switch B and Switch C are the backups.
- Standby group 2: Switch B is the master; Switch A and Switch C are the backups.
- Standby group 3: Switch C is the master; Switch A and Switch B are the backups.
For load balancing among Switch A, Switch B,
and Switch C, hosts on the LAN need to be configured to use standby group 1, 2,
and 3 as the default gateways respectively. When configuring VRRP priorities,
ensure that each switch holds such a priority in each standby group that it
will take the expected role in the group.
1.2 Configuring VRRP for IPv4
Complete these tasks to configure VRRP for
IPv4:
1.2.2 Enabling Users to Ping Virtual IP Addresses
You can configure whether the master switch
responds to the received ICMP echo requests, that is, whether the virtual IP
address of a standby group can be successfully pinged.
Follow these steps to enable a user to
successfully ping the virtual IP addresses of standby groups:
| To do… | Use the command… | Remarks |
|---|---|---|
| Enter system view | system-view | — |
| Enable users to ping virtual IP address of the standby group | vrrp ping-enable | Optional. Enabled by default. |
Caution:
Configure this
function before creating a standby group. Otherwise, your configuration will
fail.
1.2.3 Configuring the Association Between Virtual IP Address and MAC Address
After the virtual IP address of a standby
group is associated with a MAC address, the master switch uses the configured
MAC address as the source MAC address of the packets it sends. Hosts in the
internal network can then learn the association between the IP address and the
MAC address, and properly forward packets destined for other network segments
to the master switch.
There are two types of association between virtual
IP address and MAC address:
- Virtual IP address is associated with virtual router MAC address
  By default, a MAC address is created for a standby group after the standby group is created, and the virtual IP address is associated with the virtual MAC address. With such association adopted, the hosts in the internal network need not update the association between IP address and MAC address when the master switch changes.
- Virtual IP address is associated with real MAC address of the interface
  When an IP address owner exists in a standby group, if you associate the virtual IP address with the virtual MAC address, two MAC addresses are associated with an IP address. In this case, you can associate the virtual IP address of the standby group with the real MAC address, so that the packets from a host are forwarded to the IP address owner according to the real MAC address.
Follow these
steps to configure the association between MAC address and virtual IP address:
| To do… | Use the command… | Remarks |
|---|---|---|
| Enter system view | system-view | — |
| Configure the association between virtual IP address and MAC address | vrrp method { real-mac \| virtual-mac } | Optional. The virtual MAC address is associated with the virtual IP address by default. |
Caution:
You should
configure this function before creating a standby group. Otherwise, you cannot
modify the mapping between the virtual IP address and the MAC address.
1.2.4 Creating Standby Group and Configuring Virtual IP Address
You need to configure a virtual IP address
for a standby group when creating the standby group. A VRRP standby group is
created automatically when you specify the first virtual IP address for the
standby group. If you specify a virtual IP address for the standby group later,
the virtual IP address is only added to the virtual IP address list of the VRRP
standby group.
I. Configuration prerequisites
Before creating standby group and
configuring virtual IP address, you should first configure the IP address of
the interface and ensure that the virtual IP address to be configured is in the
same network segment as the IP address of the interface.
II. Configuration procedure
Follow these steps to create standby group
and configure virtual IP address:
| To do… | Use the command… | Remarks |
|---|---|---|
| Enter system view | system-view | — |
| Enter the specified interface view | interface interface-type interface-number | — |
| Create standby group and configure virtual IP address of the standby group | vrrp vrid virtual-router-id virtual-ip virtual-address | Required. Standby group is not created by default. |
Caution:
- The maximum number of standby groups on an interface and the maximum number of virtual IP addresses in a standby group vary by device.
- A standby group is removed after you remove all the virtual IP addresses in it. In addition, configurations on that standby group no longer take effect.
- The virtual IP address of the virtual router can be either an unused IP address on the segment where the standby group resides or the IP address of an interface on a switch in the standby group. In the latter case, the switch is called the IP address owner.
- The virtual IP address of the standby group cannot be 0.0.0.0, 255.255.255.255, loopback address, non A/B/C address and other illegal IP addresses such as 0.0.0.1.
- Only when the configured virtual IP address and the interface IP address belong to the same segment and are legal host addresses can the standby group operate normally. If the configured virtual IP address and the interface IP address do not belong to the same network segment, or the configured IP address is the network address or network broadcast address of the network segment that the interface IP address belongs to, the state of the standby group is always initialize though you can perform the configuration successfully, that is, VRRP does not take effect in this case.
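The address rules in the Caution list above can be checked before a standby group is configured, which catches the case where the command is accepted but the group never leaves the initialize state. This is an added example, not part of the manual or the device software; `classify_virtual_ip`, `audit_group`, the status labels and the sample addresses are constructed, and treating every 0.x.x.x address as illegal generalizes the 0.0.0.0 and 0.0.0.1 cases named above.

```python
import ipaddress

LIMITED_BROADCAST = ipaddress.IPv4Address("255.255.255.255")


def classify_virtual_ip(virtual_ip: str, interface_cidr: str):
    """Return (status, reason) for a virtual IP on an interface such as '10.1.1.1/24'.

    status: 'rejected'   - an address the Caution list says cannot be used
            'initialize' - accepted, but the group stays in the initialize state
            'owner'      - equals the interface address (IP address owner)
            'active'     - usable, provided no other host holds the address
    """
    vip = ipaddress.IPv4Address(virtual_ip)
    iface = ipaddress.IPv4Interface(interface_cidr)
    net = iface.network
    first_octet = int(vip) >> 24
    if first_octet == 0:
        # assumption: all of 0.0.0.0/8 is treated like 0.0.0.0 and 0.0.0.1
        return "rejected", "0.x.x.x address"
    if vip == LIMITED_BROADCAST:
        return "rejected", "255.255.255.255"
    if vip.is_loopback:
        return "rejected", "loopback address"
    if first_octet >= 224:
        return "rejected", "not a class A, B or C address"
    if vip not in net:
        return "initialize", f"outside the interface segment {net}"
    # /31 and /32 have no separate network or broadcast address, so skip the test there
    if net.prefixlen <= 30 and vip in (net.network_address, net.broadcast_address):
        return "initialize", f"network or broadcast address of {net}"
    if vip == iface.ip:
        return "owner", "interface address, priority fixed at 255"
    return "active", "host address on the interface segment"


def audit_group(virtual_ip: str, members: dict) -> dict:
    """Classify the virtual IP against every member interface of one standby group."""
    report = {name: classify_virtual_ip(virtual_ip, cidr) for name, cidr in members.items()}
    owners = [n for n, (status, _) in report.items() if status == "owner"]
    if len(owners) > 1:
        # Only one IP address owner may exist in a standby group.
        for n in owners:
            report[n] = ("rejected", "more than one IP address owner: " + ", ".join(owners))
    return report


# Constructed sample group: Switch C sits on the wrong segment
SAMPLE_GROUP = {"SwitchA": "10.1.1.1/24", "SwitchB": "10.1.1.2/24", "SwitchC": "10.1.2.3/24"}

if __name__ == "__main__":
    for name, result in audit_group("10.1.1.1", SAMPLE_GROUP).items():
        print(name, *result)
```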
1.2.5 Configuring Standby Group Priority, Preemption Mode and Interface Tracking
I. Configuration prerequisites
Before you configure these features, you
should first create a standby group on the interface and configure virtual IP
address for it.
II. Configuration procedure
By
configuring switch priority, preemption mode and interface tracking, you can
decide which switch in the standby group serves as the Master.
Follow these
steps to configure standby group priority, preemption mode and interface
tracking:
| To do… | Use the command… | Remarks |
|---|---|---|
| Enter system view | system-view | — |
| Enter interface view | interface interface-type interface-number | — |
| Configure switch priority in the standby group | vrrp vrid virtual-router-id priority priority-value | Optional. 100 by default. |
| Configure the switch in the standby group to work in preemption mode and configure preemption delay | vrrp vrid virtual-router-id preempt-mode [ timer delay delay-value ] | Optional. The switch in the standby group works in preemption mode and the preemption delay is 0 seconds by default. |
| Configure the interface to be tracked | vrrp vrid virtual-router-id track interface interface-type interface-number [ reduced priority-reduced ] | Optional. No interface is being tracked by default. |
Caution:
- The priority of an IP address owner is always 255 and not configurable.
- Interface tracking is not configurable to an IP address owner.
- The priority of a device is restored if the state of the interface under tracking changes from down to up.
1.2.6 Configuring VRRP Packet Attributes
I. Configuration prerequisites
Before configuring the relevant attributes
of VRRP packets, you should first create the standby group and configure the
virtual IP address.
II. Configuration procedure
Follow these steps to configure VRRP packet
attributes:
| To do… | Use the command… | Remarks |
|---|---|---|
| Enter system view | system-view | — |
| Enter the specified interface view | interface interface-type interface-number | — |
| Configure the authentication mode and authentication key when the standby groups send and receive VRRP packets | vrrp vrid virtual-router-id authentication-mode { md5 \| simple } key | Optional. Authentication is not performed by default. |
| Configure the time interval for the Master in the standby group to send VRRP advertisement | vrrp vrid virtual-router-id timer advertise adver-interval | Optional. 1 second by default. |
| Disable TTL check on VRRP packets | vrrp un-check ttl | Optional. Enabled by default. Do not create a standby group before executing this command. |
- You may configure different authentication modes and authentication keys for the standby groups on an interface. However, the members of the same standby group must use the same authentication mode and authentication key.
- Factors like excessive traffic or different timer setting on switches can cause the Backup timer to time-out abnormally and trigger a change of the state. To solve this problem, you can prolong the time interval to send VRRP packets and configure a preemption delay.
1.2.7 Displaying and Maintaining VRRP for IPv4
| To do… | Use the command… | Remarks |
|---|---|---|
| Display VRRP status | display vrrp [ verbose ] [ interface interface-type interface-number [ vrid virtual-router-id ] ] | Available in any view |
| Display VRRP statistics | display vrrp statistics [ interface interface-type interface-number [ vrid virtual-router-id ] ] | Available in any view |
| Remove VRRP statistics | reset vrrp statistics [ interface interface-type interface-number [ vrid virtual-router-id ] ] | Available in user view |
1.3 Configuring VRRP for IPv6
Complete these tasks to configure VRRP for
IPv6:
1.3.2 Enabling Users to Ping Virtual IPv6 Addresses
You can configure whether the master switch
responds to the received ICMPv6 echo requests, that is, whether the virtual IPv6
address of a standby group can be pinged through.
Follow these steps to enable a user to
successfully ping the virtual IPv6 addresses of standby groups:
| To do... | Use the command... | Remarks |
|---|---|---|
| Enter system view | system-view | — |
| Enable a user to ping virtual IPv6 address of the standby group | vrrp ipv6 ping-enable | Optional. Enabled by default. |
Caution:
You should configure this function before creating a standby group.
Otherwise, you cannot ping the virtual IPv6 addresses of standby groups.
1.3.3 Configuring the Association Between Virtual IPv6 Address and MAC Address
After the virtual
IPv6 address of a standby group is associated with the MAC address, the master
switch uses the configured MAC address as the source MAC address of the packets
it sends. Hosts in the internal network can then learn the association between
the IPv6 address and the MAC address, and properly forward packets destined for
other network segments to the master switch.
There are two types of association between virtual
IPv6 address and MAC address:
- Virtual IPv6 address is associated with virtual router MAC address
  By default, a MAC address is created for a standby group after the standby group is created, and the virtual IPv6 address is associated with the virtual MAC address. With such association adopted, the hosts in the internal network need not update the association between IPv6 address and MAC address when the master switch changes.
- Virtual IPv6 address is associated with real MAC address of the interface
  When an IP address owner exists in a standby group, if you associate the virtual IPv6 address with the virtual MAC address, two MAC addresses are associated with an IPv6 address. In this case, you can associate the virtual IPv6 address of the standby group with the real MAC address, so that the packets from a host are forwarded to the IP address owner according to the real MAC address.
Follow these steps to configure the
association between MAC address and virtual IPv6 address:
| To do… | Use the command… | Remarks |
|---|---|---|
| Enter system view | system-view | — |
| Configure the association between virtual IPv6 address and MAC address | vrrp ipv6 method { real-mac \| virtual-mac } | Optional. The virtual MAC address of the standby group is associated with the virtual IPv6 address by default. |
Caution:
You should
configure this function before creating a standby group. Otherwise, you cannot
modify the mapping between the virtual IPv6 address and the MAC address.
1.3.4 Creating Standby Group and Configuring Virtual IPv6 Address
You need to configure a virtual IPv6
address for a standby group when creating the standby group. A VRRP standby
group is created automatically when you specify the first virtual IPv6 address
for the standby group. If you specify a virtual IPv6 address for the standby
group later, the virtual IPv6 address is only added to the virtual IPv6 address
list of the VRRP standby group.
I. Configuration prerequisites
Before creating standby group and
configuring virtual IPv6 address, you should first configure the IPv6 address
of the interface and ensure that the virtual IPv6 address to be configured is
in the same network segment as the IPv6 address of the interface.
II. Configuration procedure
Follow these steps to create standby group
and configure its virtual IPv6 address:
| To do… | Use the command… | Remarks |
|---|---|---|
| Enter system view | system-view | — |
| Enter the specified interface view | interface interface-type interface-number | — |
| Create standby group and configure its virtual IPv6 address | vrrp ipv6 vrid virtual-router-id virtual-ip virtual-address [ link-local ] | Required. No standby group is created by default. The first virtual IPv6 address of the standby group must be a link local address. Only one link local address is allowed in a standby group, and it must be the last address removed. |
Caution:
- The maximum number of standby groups on an interface and the maximum number of virtual IPv6 addresses in a standby group vary by device.
- A standby group is removed after you remove all the virtual IPv6 addresses in it. In addition, configurations on that standby group no longer take effect.
1.3.5 Configuring Standby Group Priority, Preemption Mode and Interface Tracking
I. Configuration prerequisites
Before configuring these features, you
should first create the standby group and configure the virtual IPv6 address.
II. Configuration procedure
By configuring standby group priority,
preemption mode and interface tracking, you can decide which switch in the
standby group serves as the Master.
Follow these steps to configure standby
group priority, preemption mode and interface tracking:
| To do… | Use the command… | Remarks |
|---|---|---|
| Enter system view | system-view | — |
| Enter the specified interface view | interface interface-type interface-number | — |
| Configure the priority of the switch in the standby group | vrrp ipv6 vrid virtual-router-id priority priority-value | Optional |