When configuring VRRP, go to these sections for information you are interested in:
- Introduction to VRRP
- Configuring VRRP for IPv4
- Configuring VRRP for IPv6
- IPv4-Based VRRP Configuration Examples
- IPv6-Based VRRP Configuration Examples
- Troubleshooting VRRP

- The term router and the icon router in this document refer to a router in a generic sense or an S9500 series routing switch running routing protocols.
- At present, the interfaces that VRRP involves can only be VLAN interfaces for S9500 series switches.
1.1 Introduction to VRRP
This section covers these topics:
- Overview
- VRRP Group Overview
- VRRP Timers
- Format of VRRP Packets
- Principles of VRRP
- VRRP Interface Tracking
- VRRP Application (Taking IPv4-Based VRRP for Example)
1.1.1 Overview
As shown in Figure 1-1, you can configure a default
route with the gateway as the next hop for every host on a network segment,
allowing all packets destined to other network segments to be sent over the
default route to the gateway and then be forwarded by the gateway. This enables
hosts on a network segment to communicate with external networks. However, when
the gateway fails, all the hosts using the gateway as the default next-hop
router are isolated from the external network.

Figure 1-1 Common LAN networking
This approach to enabling hosts on a network to communicate with external networks is easy to configure, but it places a very high demand on the stability of the device acting as the gateway. A common way to improve system reliability is to use more egress gateways, which introduces the problem of routing among the multiple egresses.
Virtual Router Redundancy Protocol (VRRP)
was designed to address this problem. VRRP can add routers that can act as
network gateways to a VRRP group, forming a virtual router. Routers in the VRRP
group elect a master through the VRRP election mechanism to take the
responsibility of a gateway, and hosts on a LAN only need to configure the
virtual router as their default network gateway.
VRRP is a fault-tolerant protocol that improves network reliability and simplifies the configuration of hosts. When VRRP is deployed on multicast and broadcast LANs such as Ethernet, the system can still provide highly reliable default links when a device fails, without any change to configurations (such as dynamic routing protocols and route discovery protocols), and a single link failure does not interrupt the network.
There are two VRRP versions: VRRPv2 and
VRRPv3. VRRPv2 is based on IPv4, while VRRPv3 is based on IPv6. The two
versions implement the same functions but provide different commands.
1.1.2 VRRP Group Overview
This section introduces some concepts used throughout this document:
- VRRP group
- VRRP priority
- Working mode
- Authentication mode
I. VRRP group
VRRP combines a group of routers on a LAN (including a master and multiple backups) into a virtual router called a VRRP group.
The VRRP group has the following features:
- A virtual router has an IP address. A host on the LAN only needs to know the IP address of the virtual router and uses that IP address as the next hop of its default route.
- Every host on the LAN communicates with external networks through the virtual router.
- Routers in the VRRP group elect the gateway according to their priorities. Once the master acting as the gateway fails, the other routers in the VRRP group elect a new gateway to take over from the failed router, so that the hosts on the network segment can communicate with external networks without interruption.

Figure 1-2 Network diagram for VRRP
As shown in Figure 1-2, Router A, Router B, and Router
C form a virtual router, which has its own IP address. Hosts on the Ethernet
use the virtual router as the default gateway.
The router with the highest priority of the
three routers is elected as the master to act as the gateway, and the other two
are backups.
Caution:
- The IP address of the virtual router can be either an unused IP address on the segment where the VRRP group resides or the IP address of an interface on a router in the VRRP group. In the latter case, the router is called the IP address owner.
- In a VRRP group, there can only be one IP address owner.
II. VRRP priority
VRRP determines the role (master or backup) of each router in the VRRP group by priority. A router with a higher priority is more likely to become the master.
The VRRP priority that users can configure is in the range of 1 to 254. A larger number means a higher priority. Priority 0 is reserved for special uses and priority 255 for the IP address owner. When a router acts as the IP address owner, its priority remains 255. That is, if there is an IP address owner in a VRRP group, it acts as the master as long as it works properly.
III. Working mode
A router in a VRRP group can work in one of the following two modes:
- Non-preemptive mode
  Once a router in the VRRP group becomes the master, it stays the master as long as it operates normally, even if a backup is assigned a higher priority later.
- Preemptive mode
  Once a backup finds that its priority is higher than that of the router acting as the master, it sends VRRP advertisements to start a new master election in the VRRP group and becomes the master. Accordingly, the original master becomes a backup.
IV. Authentication mode
On a secure network, you can configure the routers not to perform authentication. In this case, neither the routers sending VRRP packets nor the routers receiving the VRRP packets perform authentication.
On a network where potential threats are present, you can configure VRRP authentication to enhance the network security. VRRP provides two authentication modes:
- simple: Simple text authentication
  A router sending a packet fills the authentication key into the packet, and the router receiving the packet compares its local authentication key with that of the received packet. If the two authentication keys are the same, the received VRRP packet is considered real and valid; otherwise, the received packet is considered an invalid one.
- md5: MD5 authentication
  The router encrypts a packet to be sent using the authentication key and MD5 algorithm and saves the encrypted packet in the authentication header. The router receiving the packet uses the authentication key to decrypt the packet and checks whether the packet is valid.
1.1.3 VRRP Timers
VRRP timers include the VRRP advertisement interval timer and the VRRP preemption delay timer.
I. VRRP advertisement interval timer
The master in a VRRP group sends VRRP advertisements periodically to inform the other routers in the VRRP group that it operates properly.
You can adjust the interval of sending VRRP advertisements by setting the VRRP advertisement interval timer. If a backup receives no advertisements in a period three times the interval, the backup regards itself as the master and sends VRRP advertisements to start a new master election.
II. VRRP preemption delay timer
In an unstable network, a backup may fail to receive the packets from the master due to network congestion, causing the members in the group to change their states frequently. This problem can be addressed by setting the VRRP preemption delay timer.
With the VRRP preemption delay timer set, if a backup receives no advertisement in a period three times the advertisement interval and then none during the preemption delay either, it considers that the master has failed. In this case, it regards itself as the master and sends VRRP advertisements to start a new master election in the VRRP group.
1.1.4 Format of VRRP Packets
VRRP uses multicast packets. The router
acting as the master sends VRRP packets periodically to declare its existence.
VRRP packets are also used for checking the parameters of the virtual router
and electing the master.
I. IPv4-based VRRP packet format

Figure 1-3 IPv4-based VRRP packet format
As shown in Figure 1-3, an IPv4-based VRRP packet consists of the following fields:
- Version: Version number of the protocol, 2 for VRRPv2.
- Type: Type of the VRRP packet. Only one VRRP packet type is present, that is, VRRP advertisement, which is represented by 1.
- Virtual Rtr ID (VRID): Serial number of the virtual router, that is, serial number of the VRRP group. It ranges from 1 to 255.
- Priority: Priority of the router in the VRRP group, in the range 0 to 255. A greater value represents a higher priority.
- Count IP Addrs: Number of virtual IP addresses for the VRRP group. A VRRP group can have multiple virtual IP addresses.
- Auth Type: Authentication type. 0 means no authentication, 1 means simple authentication, and 2 means MD5 authentication.
- Adver Int: Interval for sending advertisement packets, in seconds. The default is 1.
- Checksum: 16-bit checksum for validating the data in VRRP packets.
- IP Address: Virtual IP address entry of the VRRP group. The allowed number is given by the Count IP Addrs field.
- Authentication Data: Authentication key. Currently, this field is used only for simple authentication and is 0 for any other authentication modes.
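The field list above, turned into a parser and a per-advertisement audit, as an added example that is not part of the original manual. Byte offsets follow the VRRPv2 layout of RFC 3768; the `required_auth` policy parameter, the function names and the sample bytes are assumptions made for illustration.

```python
import ipaddress
import struct

AUTH_TYPES = {0: "none", 1: "simple", 2: "md5"}  # Auth Type values from the field list


def internet_checksum(data: bytes) -> int:
    """16-bit one's-complement checksum; 0 over a message whose Checksum field is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def parse_vrrpv2(payload: bytes) -> dict:
    """Parse a VRRPv2 advertisement (the IPv4 payload, IP header already stripped)."""
    if len(payload) < 8:
        raise ValueError("truncated VRRP header")
    ver_type, vrid, prio, count, auth, adver, _cksum = struct.unpack("!BBBBBBH", payload[:8])
    end = 8 + 4 * count + 8  # header + Count IP Addrs entries + 8-byte Authentication Data
    if len(payload) < end:
        raise ValueError("packet shorter than Count IP Addrs implies")
    addrs = [str(ipaddress.IPv4Address(payload[8 + 4 * i:12 + 4 * i])) for i in range(count)]
    return {
        "version": ver_type >> 4, "type": ver_type & 0x0F, "vrid": vrid,
        "priority": prio, "auth_type": AUTH_TYPES.get(auth, f"unknown({auth})"),
        "adver_int": adver, "virtual_ips": addrs,
        "auth_data": payload[end - 8:end],
        "checksum_ok": internet_checksum(payload[:end]) == 0,
    }


def audit(adv: dict, src_ip: str, required_auth: str = "md5") -> list:
    """Findings for one advertisement received from src_ip (required_auth is a local policy)."""
    findings = []
    if adv["version"] != 2 or adv["type"] != 1:
        findings.append("not a VRRPv2 advertisement")
    if not adv["checksum_ok"]:
        findings.append("bad checksum")
    if adv["auth_type"] != required_auth:
        findings.append(f"auth type {adv['auth_type']} (expected {required_auth})")
    if adv["auth_type"] == "simple" and adv["auth_data"].strip(b"\x00"):
        findings.append("authentication key visible in clear text in the packet")
    # Priority 255 belongs to the IP address owner, whose interface address is a virtual IP.
    if adv["priority"] == 255 and src_ip not in adv["virtual_ips"]:
        findings.append("priority 255 claimed by a sender that is not the IP address owner")
    return findings


# Constructed sample (not captured traffic): VRID 1, priority 255, simple auth,
# key "hello", one virtual IP 192.0.2.1, valid checksum 0xd927.
SAMPLE = bytes.fromhex("2101ff010101d927c000020168656c6c6f000000")

if __name__ == "__main__":
    adv = parse_vrrpv2(SAMPLE)
    print(adv)
    for finding in audit(adv, src_ip="192.0.2.7"):
        print("finding:", finding)
```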
II. IPv6-based VRRP packet format

Figure 1-4 IPv6-based VRRP packet format
As shown in Figure 1-4, an IPv6-based VRRP packet consists of the following fields:
- Version: Version number of the protocol, 3 for VRRPv3.
- Type: Type of the VRRP packet. Only one VRRP packet type is present, that is, VRRP advertisement, which is represented by 1.
- Virtual Rtr ID (VRID): Serial number of the virtual router, that is, serial number of the VRRP group. It ranges from 1 to 255.
- Priority: Priority of the router in the VRRP group, in the range 0 to 255. A greater value represents a higher priority.
- Count IPv6 Addrs: Number of virtual IPv6 addresses for the VRRP group. A VRRP group can have multiple virtual IPv6 addresses.
- Auth Type: Authentication type. 0 means no authentication, 1 means simple authentication. VRRPv3 does not support MD5 authentication.
- Adver Int: Interval for sending advertisement packets, in centiseconds. The default is 100.
- Checksum: 16-bit checksum for validating the data in VRRPv3 packets.
- IPv6 Address: Virtual IPv6 address entry of the VRRP group. The allowed number is given by the Count IPv6 Addrs field.
- Authentication Data: Authentication key. Currently, this field is used only for simple authentication and is 0 for any other authentication modes.
1.1.5 Principles of VRRP
1) With VRRP enabled, the routers determine their respective roles in the VRRP group by priority. The router with the highest priority becomes the master, while the others are the backups. The master sends VRRP advertisement packets periodically to notify the backups that it is working properly, and each of the backups starts a timer to wait for advertisement packets from the master.
2) In preemptive mode, when a backup receives a VRRP advertisement, it compares the priority in the packet with its own. If its priority is lower, it remains a backup; otherwise, it becomes the master.
3) In non-preemptive mode, a router in the VRRP group remains a master or backup as long as the master does not fail. A backup will not become the master even if it is configured with a higher priority.
4) If the timer of a backup expires but the backup still has not received any VRRP advertisement packet, it considers that the master has failed. In this case, the backup considers itself the master and sends VRRP advertisements to start the election process to elect a new master for forwarding packets.
1.1.6 VRRP Interface Tracking
The VRRP interface tracking function
expands the backup functionality of VRRP. It provides backup not only when the
interface to which a VRRP group is assigned fails but also when other
interfaces on the router become unavailable. When a monitored interface goes
down, the priority of the router owning the interface is automatically
decreased by a specified value, allowing a higher priority router in the
VRRP group to become the master.
1.1.7 VRRP Application (Taking IPv4-Based VRRP for Example)
I. Master/backup
In master/backup mode, only one router, the master, provides services. When the master fails, a new master is elected from the original backups. This mode requires only one VRRP group, in which each router holds a different priority and the one with the highest priority becomes the master, as shown in Figure 1-5.

Figure 1-5 VRRP in master/backup mode
At the beginning, Router A is the master and therefore can forward packets to external networks, while Router B and Router C are backups and are thus in the listening state. If Router A fails, Router B and Router C will elect a new master. The new master takes over the forwarding task to provide services to hosts on the LAN.
II. Load balancing
You can create more than one VRRP group on
an interface of a router, allowing the router to be the master of one VRRP
group but a backup of another at the same time.
In load balancing mode, multiple routers
provide services at the same time. This mode requires two or more VRRP groups,
each of which includes a master and one or more backups. The masters of the VRRP
groups can be assumed by different routers, as shown in Figure 1-6.

Figure 1-6 VRRP in load balancing mode
A router can be in multiple VRRP groups and hold a different priority in each group.
In Figure 1-6, three VRRP groups are present:
- VRRP group 1: Router A is the master; Router B and Router C are the backups.
- VRRP group 2: Router B is the master; Router A and Router C are the backups.
- VRRP group 3: Router C is the master; Router A and Router B are the backups.
For load balancing among Router A, Router B,
and Router C, hosts on the LAN need to be configured to use VRRP group 1, 2,
and 3 as the default gateways respectively. When configuring VRRP priorities,
ensure that each router holds such a priority in each VRRP group that it will
take the expected role in the group.
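A planning check for the election rules in "Principles of VRRP", interface tracking and the load-balancing layout above, as an added example that is not part of the original manual. The `Member` model, the function names, the clamping of a reduced priority at 1 and the sample plan are assumptions; equal priorities are not resolved because the page does not describe a tie-break.

```python
from dataclasses import dataclass


@dataclass
class Member:
    name: str
    priority: int = 100    # configured priority (documented default: 100)
    reduced: int = 0       # subtracted while the tracked interface is down
    preempt: bool = True   # preemptive mode (documented default)
    owner: bool = False    # IP address owner


def running_priority(m, tracked_down=False):
    if m.owner:
        return 255  # fixed for the owner; tracking is not configurable on it
    # Assumption: a reduced priority is clamped at 1, the lowest configurable value.
    return max(m.priority - m.reduced, 1) if tracked_down else m.priority


def elect(members, current=None, failed=(), tracked_down=()):
    """Name of the master once the group settles, or None if every member failed."""
    alive = [m for m in members if m.name not in failed]
    prio = {m.name: running_priority(m, m.name in tracked_down) for m in alive}
    if current in prio:
        # A working master is displaced only by a higher-priority preemptive backup.
        alive = [m for m in alive if m.preempt and prio[m.name] > prio[current]]
        if not alive:
            return current
    # Equal priorities keep list order; the real tie-break is not modelled here.
    return max(alive, key=lambda m: prio[m.name]).name if alive else None


def audit_plan(plan):
    """plan maps VRID -> (expected master, [Member, ...]); returns findings."""
    findings = []
    for vrid, (expected, members) in sorted(plan.items()):
        top = max(running_priority(m) for m in members)
        leaders = [m.name for m in members if running_priority(m) == top]
        if leaders != [expected]:
            findings.append(f"VRID {vrid}: master would be {'/'.join(leaders)}, expected {expected}")
            continue
        master = next(m for m in members if m.name == expected)
        if master.reduced and elect(members, expected, tracked_down={expected}) == expected:
            findings.append(f"VRID {vrid}: tracked-interface failure on {expected} does not move the master")
    return findings


# Constructed plan modelled on the three-group layout of Figure 1-6.
PLAN = {
    1: ("A", [Member("A", 120, reduced=30), Member("B", 110), Member("C")]),
    2: ("B", [Member("A", 110), Member("B", 120, reduced=5), Member("C")]),
    3: ("C", [Member("A", 110), Member("B"), Member("C")]),
}

if __name__ == "__main__":
    for line in audit_plan(PLAN):
        print(line)
```

Group 2 shows a reduction too small to drop the master below its best backup, and group 3 shows an expected master left at the default priority.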
1.2 Configuring VRRP for IPv4
Complete these tasks to configure VRRP for
IPv4:
Caution:
VRRP is not supported on the VLAN interfaces of Super VLAN. Do not configure VRRP on this type of interface.
You can configure the master of a VRRP group to respond to received ICMP echo requests, that is, to allow the virtual IP address of the VRRP group to be pinged successfully.
Follow these steps to enable a user to successfully ping the virtual IP addresses of VRRP groups:
| To do… | Use the command… | Remarks |
| Enter system view | system-view | — |
| Enable users to ping virtual IP address of the VRRP group | vrrp ping-enable | Optional. Enabled by default. |
Caution:
Configure this function before creating a VRRP group. Otherwise, your configuration will fail.
1.2.3 Configuring the Association Between Virtual IP Address and MAC Address
After the virtual IP address of a VRRP group is associated with a MAC address, the master uses the configured MAC address as the source MAC address of the packets it sends. The hosts in the internal network can then learn the association between the IP address and the MAC address and correctly forward packets destined for other network segments to the master.
There are two types of association between virtual IP address and MAC address:
- Virtual IP address is associated with virtual router MAC address
  By default, a MAC address is created for a VRRP group after the VRRP group is created, and the virtual IP address is associated with the virtual MAC address. With this association, the hosts in the internal network need not update the association between IP address and MAC address when the master changes.
- Virtual IP address is associated with real MAC address of the interface
  When an IP address owner exists in a VRRP group, if you associate the virtual IP address with the virtual MAC address, two MAC addresses are associated with one IP address. In this case, you can associate the virtual IP address of the VRRP group with the real MAC address, so that the packets from a host are forwarded to the IP address owner according to the real MAC address.
Follow these steps to configure the association between virtual IP address and MAC address:
| To do… | Use the command… | Remarks |
| Enter system view | system-view | — |
| Configure the association between MAC address and virtual IP address | vrrp method { real-mac | virtual-mac } | Optional. The virtual MAC address is associated with the virtual IP address by default. |
Caution:
You need to configure the association before creating a VRRP group. After a VRRP group is created, you cannot modify the association between the virtual IP address and the MAC address.
1.2.4 Creating VRRP Group and Configuring Virtual IP Address
You need to configure a virtual IP address
for a VRRP group when creating the VRRP group. If the interface connects to
multiple sub-networks, you can configure multiple virtual IP addresses for the
VRRP group to realize router backup on different sub-networks. A VRRP group is
created automatically when you specify the first virtual IP address for the
VRRP group. If you specify a virtual IP address for the VRRP group later, the
virtual IP address is only added to the virtual IP address list of the VRRP
group.
Caution:
It is not recommended to create VRRP groups on the VLAN interface of a super VLAN. Otherwise, network performance may be affected.
I. Configuration prerequisites
Before creating a VRRP group and configuring its virtual IP address, you should first configure the IP address of the interface and ensure that the virtual IP address to be configured is in the same network segment as the IP address of the interface.
II. Configuration procedure
Follow these steps to create a VRRP group and configure its virtual IP address:
| To do… | Use the command… | Remarks |
| Enter system view | system-view | — |
| Enter VLAN interface view | interface interface-type interface-number | — |
| Create a VRRP group and configure virtual IP address of the VRRP group | vrrp vrid virtual-router-id virtual-ip virtual-address | Required. Standup group is not created by default. |
Caution:
- For S9500 series switches, the maximum number of VRRPv2 VRRP groups on an interface is 16, the maximum number of virtual IP addresses in a VRRP group is 16 and the maximum number of VRRP groups on a switch is 96.
- A VRRP group is removed after you remove all the virtual IP addresses in it. In addition, configurations on that VRRP group no longer take effect.
- Removal of the VRRP group on the IP address owner will cause IP address collision. In such a case, it is recommended to modify the IP address of the interface on the IP address owner to resolve the collision.
- The virtual IP address of the VRRP group cannot be 0.0.0.0, 255.255.255.255, a loopback address, a non-A/B/C address, or another illegal IP address such as 0.0.0.1.
- The VRRP group operates normally only when the configured virtual IP address and the interface IP address belong to the same segment and are legal host addresses. If the configured virtual IP address and the interface IP address do not belong to the same network segment, or the configured IP address is the network address or network broadcast address of the network segment to which the interface IP address belongs, the state of the VRRP group is always initialize even though the configuration itself succeeds; that is, VRRP does not take effect in this case.
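A pre-deployment check for the virtual IP address rules in the caution list above, as an added example that is not part of the original manual. The function names, the verdict strings and the sample addresses are assumptions; the rules themselves are the ones stated in the list.

```python
import ipaddress

MAX_VIPS_PER_GROUP = 16  # S9500 limit stated in the caution list


def classify_virtual_ip(interface: str, virtual: str) -> str:
    """Classify one virtual IP against one member's VLAN-interface address.

    Returns 'rejected' (illegal address), 'initialize' (the group is stuck in
    the initialize state), 'owner' (member is the IP address owner) or 'ok'.
    """
    iface = ipaddress.IPv4Interface(interface)
    vip = ipaddress.IPv4Address(virtual)
    first_octet = int(vip) >> 24
    # 0.x.x.x (0.0.0.0, 0.0.0.1), loopback, and class D/E including 255.255.255.255
    if first_octet == 0 or first_octet == 127 or first_octet >= 224:
        return "rejected"
    net = iface.network
    # Wrong segment, or the segment's network/broadcast address: not a legal host address.
    if vip not in net or vip in (net.network_address, net.broadcast_address):
        return "initialize"
    return "owner" if vip == iface.ip else "ok"


def audit_group(members: dict, virtual_ips: list) -> list:
    """members maps router name -> interface address in CIDR form; returns findings."""
    findings = []
    if len(virtual_ips) > MAX_VIPS_PER_GROUP:
        findings.append(f"{len(virtual_ips)} virtual IPs exceed the limit of {MAX_VIPS_PER_GROUP}")
    owners = set()
    for name, iface in members.items():
        for vip in virtual_ips:
            verdict = classify_virtual_ip(iface, vip)
            if verdict == "owner":
                owners.add(name)
            elif verdict != "ok":
                findings.append(f"{name}: {vip} -> {verdict}")
    if len(owners) > 1:  # a VRRP group can have only one IP address owner
        findings.append("more than one IP address owner: " + ", ".join(sorted(owners)))
    return findings


if __name__ == "__main__":
    # Constructed sample plan: Router B sits in a different segment.
    plan = {"RouterA": "10.1.1.2/24", "RouterB": "10.1.2.3/24"}
    for line in audit_group(plan, ["10.1.1.1"]):
        print(line)
```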
1.2.5 Configuring Priority, Preemptive Mode and Interface Tracking for a VRRP Group
I. Configuration prerequisites
Before you configure these features, you
should first create a VRRP group on the interface and configure virtual IP
address for it.
II. Configuration procedure
By configuring priority, preemption mode
and interface tracking for a VRRP group, you can decide which switch in the VRRP
group serves as the Master.
Follow these steps to configure priority, preemption mode and interface tracking for a VRRP group:
| To do… | Use the command… | Remarks |
| Enter system view | system-view | — |
| Enter VLAN interface view | interface interface-type interface-number | — |
| Configure switch priority in the VRRP group | vrrp vrid virtual-router-id priority priority-value | Optional. 100 by default. |
| Configure the switch in the VRRP group to work in preemption mode and configure preemption delay | vrrp vrid virtual-router-id preempt-mode [ timer delay delay-value ] | Optional. The switch in the VRRP group works in preemption mode and the preemption delay is 0 seconds by default. |
| Configure the interface to be tracked | vrrp vrid virtual-router-id track interface interface-type interface-number [ reduced priority-reduced ] | Optional. No interface is being tracked by default. |
Caution:
- The running priority of an IP address owner is always 255 and you do not need to configure it. An IP address owner always works in the preemptive mode.
- Interface tracking is not configurable on an IP address owner.
- Tracked interfaces can only be VLAN interfaces.
- The priority of a device is restored if the state of the interface under tracking changes from down to up.
1.2.6 Configuring VRRP Packet Attributes
I. Configuration prerequisites
Before configuring the relevant attributes
of VRRP packets, you should first create the VRRP group and configure the
virtual IP address.
II. Configuration procedure
Follow these steps to configure VRRP packet attributes:
| To do… | Use the command… | Remarks |
| Enter system view | system-view | — |
| Enter VLAN interface view | interface interface-type interface-number | — |
| Configure the authentication mode and authentication key when the VRRP groups send and receive VRRP packets | vrrp vrid virtual-router-id authentication-mode { md5 | simple } key | Optional. Authentication is not performed by default. |
| Configure the time interval for the Master in the VRRP group to send VRRP advertisement | vrrp vrid virtual-router-id timer advertise adver-interval | Optional. 1 second by default. |
| Disable TTL check on VRRP packets | vrrp un-check ttl | Optional. Enabled by default. |
- You may configure different authentication modes and authentication keys for the VRRP groups on an interface. However, the members of the same VRRP group must use the same authentication mode and authentication key.
- Factors like excessive traffic or different timer settings on switches can cause the Backup timer to time out abnormally and trigger a change of the state. To solve this problem, you can prolong the time interval to send VRRP packets and configure a preemption delay.
1.2.7 Enabling the Trap Function of VRRP
After the trap function is enabled for a
VRRP module, the VRRP module will generate traps with severity level errors
to report its key events. The generated traps will be sent to the information
center of the device, where you can configure whether to output the trap
information and the output destination. For information center configurations,
refer to Information Center Configuration in the System Volume.
Follow these steps to enable the trap function of VRRP:
| To do… | Use the command… | Remarks |
| Enter system view | system-view | — |
| Enable the trap function of VRRP | snmp-agent trap enable vrrp [ authfailure | newmaster ] | Optional. Enabled by default. |
For a detailed description of the snmp-agent trap enable vrrp command, refer to the snmp-agent trap enable command in SNMP Commands in the System Volume.
| To do… | Use the command… | Remarks |
| Display VRRP status | display vrrp [ verbose ] [ interface interface-type interface-number [ vrid virtual-router-id ] ] | Available in any view |
| Display VRRP statistics | display vrrp statistics [ interface interface-type interface-number [ vrid virtual-router-id ] ] | Available in any view |
| Remove VRRP statistics | reset vrrp statistics [ interface interface-type interface-number [ vrid virtual-router-id ] ] | Available in user view |
1.3 Configuring VRRP for IPv6
Complete these tasks to configure VRRP for
IPv6:
Caution:
VRRP is not supported on the VLAN interfaces of Super VLAN. Do not configure VRRP on this type of interface.
1.3.2 Enabling Users to Ping Virtual IPv6 Addresses of VRRP Groups
You can configure whether the master responds
to the received ICMPv6 echo requests, that is, whether the virtual IPv6 address
of a VRRP group can be successfully pinged.
Follow these steps to enable a user to
successfully ping the virtual IPv6 addresses of VRRP groups: