14: VRRP: Virtual Router Redundancy Protocol

VRRP is defined in RFC2338.

Implementing VRRP with Junos

Any router participating in VRRP is referred to as a VRRP router. The master router is the currently active router. The master router is responsible for packet forwarding and responding to ARP requests. A backup router is available to accept the role of master router if a failure occurs. Multiple backup routers may exist. The virtual router is a virtual entity that functions as the default gateway on the LAN.

VRRP Communication

VRRP uses a common advertisement packet. VRRP communications are encapsulated in IP. VRRP uses the IANA assigned multicast address 224.0.0.18 for all VRRP routers. Packets use a TTL of 255 to ensure that VRRP packets are not forwarded outside of the local subnet.

By default, VRRP announcements are sent at an interval of one second. This can be configured in the range 1-255 seconds. Sub-second intervals are supported using the fast-interval configuration option, which takes a value of 1-999 ms.

VRRP requires that speakers be configured with the same value for VRID and authentication. If any values do not match, the VRRP packets will be discarded.

The virtual router uses a virtual MAC address for LAN communications. The format is 00-00-5E-00-01-<VRID>.

The master router is elected by priority value. Higher values are better. The router that owns the virtual router’s IP address must be set to priority 255.
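
The receive-side checks described in this section, as an added Python example (not Junos code and not part of the original notes): it parses a VRRPv2 advertisement using the RFC 2338 field layout and drops it on a wrong TTL, destination, VRID or authentication type. The function names and the sample packet are constructed for illustration, and only the authentication type is compared, not the key.

```python
import struct
from ipaddress import IPv4Address

VRRP_GROUP = IPv4Address("224.0.0.18")  # multicast address for all VRRP routers

def inet_checksum(data: bytes) -> int:
    """16-bit one's-complement checksum; a valid message sums to 0."""
    data += b"\x00" * (len(data) % 2)
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_advert(vrid, priority, addrs, auth_type=0, interval=1):
    """Construct a sample advertisement (test input, not captured traffic)."""
    msg = struct.pack("!BBBBBBH", 0x21, vrid, priority, len(addrs), auth_type, interval, 0)
    msg += b"".join(IPv4Address(a).packed for a in addrs) + bytes(8)  # 8 bytes auth data
    return msg[:6] + struct.pack("!H", inet_checksum(msg)) + msg[8:]

def check_advert(ttl, dst, msg, local_vrid, local_auth_type):
    """Return (True, fields) if accepted, else (False, reason for the drop)."""
    if ttl != 255:
        return False, "TTL is not 255"  # packet was forwarded by a router
    if IPv4Address(dst) != VRRP_GROUP:
        return False, "destination is not 224.0.0.18"
    if len(msg) < 16:
        return False, "truncated message"
    ver_type, vrid, priority, count, auth_type, interval = struct.unpack("!6B", msg[:6])
    if ver_type != 0x21:  # version 2, type 1 (advertisement)
        return False, "not a VRRPv2 advertisement"
    if len(msg) != 8 + 4 * count + 8:
        return False, "length does not match address count"
    if inet_checksum(msg) != 0:
        return False, "bad checksum"
    if vrid != local_vrid:
        return False, "VRID mismatch"
    if auth_type != local_auth_type:
        return False, "authentication type mismatch"
    addrs = [str(IPv4Address(msg[8 + 4 * i:12 + 4 * i])) for i in range(count)]
    return True, {"vrid": vrid, "priority": priority, "interval": interval,
                  "addresses": addrs, "virtual_mac": f"00-00-5E-00-01-{vrid:02X}"}

if __name__ == "__main__":
    pkt = build_advert(10, 100, ["192.168.1.1"])  # constructed: VRID 10, priority 100
    print(check_advert(255, "224.0.0.18", pkt, 10, 0))  # accepted
    print(check_advert(64, "224.0.0.18", pkt, 10, 0))   # dropped: TTL
    print(check_advert(255, "224.0.0.18", pkt, 20, 0))  # dropped: VRID
```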

VRRP States

A VRRP router may be in one of four states: initialise, master, backup, transition.

Routers forward traffic only in the master state. The transition state only occurs briefly when a router is switching between master and backup states.

Junos Configurations

interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 192.168.1.2/24 {
                    vrrp-group 10 {
                        virtual-address 192.168.1.1;
                        priority 100;
                    }
                }
            }
        }
    }
}

Use the track option to monitor the state of a specified interface (usually the WAN interface) or route, and to reduce the priority value for the VRRP group if that interface or route becomes unavailable. This may trigger a mastership change, ensuring that a router with an active route becomes the master.

The accept-data configuration option allows a VRRP router to respond to ICMP requests on the virtual IP address even when it is not in the master state. This actually violates RFC2338.

The authentication-type and authentication-key options should be used in environments with security concerns. The md5 type is recommended because it encrypts VRRP communications.

Preemption can be disabled with no-preempt.

When multiple VRRP groups are defined, vrrp-inherit-from causes groups to inherit configuration from others, simplifying configuration of authentication and intervals. This is part of the protocol and reduces network overhead.

Monitoring VRRP

show vrrp summary lists interfaces with VRRP enabled.