CX11x, CX31x, CX710 (Earlier Than V6.03), and CX91x Series Switch Modules V100R001C10 Configuration Guide 12

The documents describe the configuration of various services supported by the CX11x, CX31x, and CX91x series switch modules. The description covers configuration examples and function configurations.

Principles

This section describes the implementation of VRRP.

Basic Concepts of VRRP

As shown in Figure 11-29, HostA is dual-homed to Switch ModuleA and Switch ModuleB through the switch. Switch ModuleA and Switch ModuleB constitute a VRRP group so that they are considered as a virtual router for link redundancy.

Figure 11-29 VRRP group

VRRP can be deployed on a network shown in Figure 11-29. VRRP involves the following entities:

  • VRRP router: device running VRRP. It may join one or more virtual routers. Switch ModuleA and Switch ModuleB are VRRP routers.

  • Virtual router: VRRP group. It consists of one master and multiple backups. The VRRP group is used as the default gateway on a LAN. Switch ModuleA and Switch ModuleB constitute a virtual router.

  • Virtual router master: VRRP device that forwards packets. Switch ModuleA is the virtual router master.

  • Virtual router backup: a group of VRRP devices that do not forward packets. When the master is faulty, the backup with the highest priority becomes the master. Switch ModuleB is the virtual router backup.

  • VRID: virtual router ID. The VRID of the virtual router composed of Switch ModuleA and Switch ModuleB is 1.

  • Virtual IP address: IP address of a virtual router. A virtual router can be assigned one or more virtual IP addresses. Virtual IP addresses are configurable. The virtual IP address of the virtual router composed of Switch ModuleA and Switch ModuleB is 10.1.1.10/24.

  • IP address owner: VRRP device that uses an IP address of a virtual router as the actual interface address. If an IP address owner is available, it usually functions as the virtual router master. The interface address of Switch ModuleA and the IP address of the virtual router are both 10.1.1.10/24, so Switch ModuleA is the IP address owner.

  • Virtual MAC address: MAC address that is generated by the virtual router based on the VRID. The virtual router sends ARP Reply packets with the virtual MAC address rather than the interface MAC address. The VRID of the virtual router composed of Switch ModuleA and Switch ModuleB is 1, so the MAC address of the VRRP group is 00-00-5E-00-01-01.

VRRP Advertisement Packets

VRRP Advertisement packets are sent to notify all backups in a VRRP group of the master's priority and status.

VRRP Advertisement packets are encapsulated into IP packets and sent to the VRRP virtual IP address. In the IP packet header, the source address is the primary IP address of the interface that sends the packets (the primary IP address is not the virtual IP address), the destination address is 224.0.0.18, the TTL is 255, and the protocol number is 112.
NOTE:

The primary IP address is selected from the actual IP addresses of the interface. Usually, it is the first configured IP address.

VRRP has two versions: VRRPv2 and VRRPv3. VRRPv2 applies to only the IPv4 network, and VRRPv3 applies to IPv4 and IPv6 networks.

VRRP is classified into VRRP for IPv4 and VRRP for IPv6 (VRRP6) by network type. VRRP for IPv4 supports VRRPv2 and VRRPv3, and VRRP for IPv6 supports only VRRPv3.

VRRP Advertisement Packet Formats

Figure 11-30 shows the VRRPv2 Advertisement packet format, and Figure 11-31 shows the VRRPv3 Advertisement packet format.

Figure 11-30 Format of a VRRPv2 Advertisement packet

Figure 11-31 Format of a VRRPv3 Advertisement packet
Table 11-12 describes fields in a VRRP Advertisement packet.

Table 11-12 Description of fields in a VRRP Advertisement packet

| Field | VRRPv2 | VRRPv3 |
| --- | --- | --- |
| Version | VRRP protocol version. The value is 2. | VRRP protocol version. The value is 3. |
| Type | VRRP Advertisement packet type. The value 1 indicates an Advertisement packet. | VRRP Advertisement packet type. The value 1 indicates an Advertisement packet. |
| Virtual Rtr ID (VRID) | Virtual router ID. The value ranges from 1 to 255. | Virtual router ID. The value ranges from 1 to 255. |
| Priority | Priority of the master in a VRRP group. The value ranges from 0 to 255. The value 0 indicates that the device stops participating in the VRRP group so that the backup with the highest priority can become the master immediately. The value 255 is reserved for the IP address owner. The default value is 100. | Priority of the master in a VRRP group. The value ranges from 0 to 255. The value 0 indicates that the device stops participating in the VRRP group so that the backup with the highest priority can become the master immediately. The value 255 is reserved for the IP address owner. The default value is 100. |
| Count IP Addrs/Count IPvX Addr | Number of virtual IPv4 addresses in the VRRP group. | Number of virtual IPv4 or IPv6 addresses in the VRRP group. |
| Auth Type | Authentication mode. There are three authentication modes: 0: Non Authentication; 1: Simple Text Password; 2: IP Authentication Header (MD5 authentication) | - |
| Adver Int/Max Adver Int | Interval at which VRRP Advertisement packets are sent, in seconds. The default value is 1. | Interval at which VRRP Advertisement packets are sent, in centiseconds. The default value is 100 (1 second). |
| Checksum | 16-bit checksum, which is used to detect data damage in VRRP Advertisement packets. | 16-bit checksum, which is used to detect data damage in VRRP Advertisement packets. |
| IP Address/IPvX Address(es) | Virtual IPv4 address in the VRRP group. The Count IP Addrs field determines the number of virtual IPv4 addresses in the VRRP group. | Virtual IPv4 or IPv6 address in the VRRP group. The Count IPvX Addrs field determines the number of virtual IPv4 or IPv6 addresses in the VRRP group. |
| Authentication Data | Authentication key. This field is used only in simple authentication and MD5 authentication modes. In other authentication modes, this field is filled with 0. | - |
| rsvd | - | Reserved. The value must be 0. |

VRRPv2 and VRRPv3 have the following differences:
  • Support different networks. VRRPv3 applies to IPv4 and IPv6 networks, whereas VRRPv2 applies to only the IPv4 network.

  • Have different authentication functions. VRRPv3 does not support authentication, whereas VRRPv2 does.
    NOTE:
    VRRPv2 reserves the authentication field in VRRP Advertisement packets to be compatible with VRRP defined in RFC 2338. VRRP authentication cannot improve security.
  • Use different units for the interval at which VRRP Advertisement packets are sent. VRRPv3 uses centiseconds, whereas VRRPv2 uses seconds.

VRRP Authentication
Different authentication modes and authentication keys can be set in VRRPv2 Advertisement packets:
  • Non-authentication: The device does not authenticate outgoing VRRP Advertisement packets. In addition, the device does not authenticate the received VRRP Advertisement packets. It considers all the received packets valid.
  • Simple authentication: The device encapsulates the authentication mode and authentication key into an outgoing VRRP Advertisement packet. The device that receives the VRRP Advertisement packet compares the authentication mode and authentication key in the packet with those configured on the device. If the values are the same, the device considers the received VRRP Advertisement packet valid. If the values are different, the device considers the received VRRP Advertisement packet invalid and discards it.
  • MD5 authentication: The device uses the MD5 algorithm to encrypt the authentication key and encapsulates the key in the Authentication Data field of an outgoing VRRP Advertisement packet. The device that receives the VRRP Advertisement packet matches the authentication mode with the decrypted authentication key in the packet.
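
The following added example (not part of the Huawei guide, and not Huawei code) decodes an Advertisement according to Table 11-12 and checks a captured packet against the IP header values given above (protocol 112, destination 224.0.0.18, TTL 255), which is the kind of check a monitoring sensor can run on the gateway VLAN. It assumes IPv4 addresses only and verifies the checksum for VRRPv2 only; the function names, the EXPECTED inventory, and the 10.1.1.11 and 10.1.1.99 addresses are hypothetical, and the sample packets are constructed.

```python
import ipaddress
import struct

def inet_checksum(data: bytes) -> int:
    """16-bit one's-complement checksum; 0 when run over a message with a valid checksum."""
    data += b"\x00" * (len(data) % 2)
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_vrrp(payload: bytes) -> dict:
    """Decode a VRRPv2/VRRPv3 Advertisement carrying IPv4 addresses (Table 11-12)."""
    if len(payload) < 8:
        raise ValueError("truncated VRRP header")
    vt, vrid, prio, count, b4, b5, _csum = struct.unpack("!BBBBBBH", payload[:8])
    adv = {"version": vt >> 4, "type": vt & 0x0F, "vrid": vrid, "priority": prio}
    if adv["version"] == 2:        # Auth Type, then Adver Int in seconds
        adv["auth_type"], adv["interval_s"] = b4, float(b5)
    elif adv["version"] == 3:      # 4 reserved bits, then 12-bit Max Adver Int in centiseconds
        adv["rsvd"], adv["interval_s"] = b4 >> 4, (((b4 & 0x0F) << 8) | b5) / 100
    else:
        raise ValueError(f"unknown VRRP version {adv['version']}")
    if len(payload) < 8 + 4 * count:
        raise ValueError("address list shorter than Count IP Addrs")
    adv["addresses"] = [str(ipaddress.IPv4Address(payload[8 + 4 * i:12 + 4 * i])) for i in range(count)]
    adv["virtual_mac"] = f"00-00-5E-00-01-{vrid:02X}"   # derived from the VRID
    return adv

def audit(src, dst, ttl, proto, payload, expected_routers):
    """Return findings for one captured packet; expected_routers maps VRID -> allowed source IPs."""
    if proto != 112 or dst != "224.0.0.18":
        return ["not a VRRP Advertisement envelope"]
    findings = []
    if ttl != 255:
        findings.append(f"TTL {ttl} is not 255")
    adv = parse_vrrp(payload)
    if adv["type"] != 1:
        findings.append(f"type {adv['type']} is not Advertisement (1)")
    if adv["version"] == 2 and inet_checksum(payload) != 0:   # VRRPv3 checksum not verified here
        findings.append("VRRPv2 checksum mismatch")
    if adv.get("auth_type") == 1:
        findings.append("simple text password carried in Authentication Data")
    if src not in expected_routers.get(adv["vrid"], set()):
        findings.append(f"VRID {adv['vrid']} advertised by unexpected source {src}")
    if adv["priority"] == 0:
        findings.append("priority 0: sender is leaving the group")
    return findings

def build_v2(vrid, priority, vip, auth_type=0, interval=1):
    """Constructed sample: a VRRPv2 Advertisement with one virtual IPv4 address."""
    body = struct.pack("!BBBBBBH", 0x21, vrid, priority, 1, auth_type, interval, 0)
    body += ipaddress.IPv4Address(vip).packed + b"\x00" * 8   # address + Authentication Data
    return body[:6] + struct.pack("!H", inet_checksum(body)) + body[8:]

EXPECTED = {1: {"10.1.1.10", "10.1.1.11"}}   # hypothetical inventory of routers in VRID 1
GOOD = ("10.1.1.10", "224.0.0.18", 255, 112, build_v2(1, 255, "10.1.1.10"))
ODD = ("10.1.1.99", "224.0.0.18", 64, 112, build_v2(1, 254, "10.1.1.10"))

if __name__ == "__main__":
    for pkt in (GOOD, ODD):
        print(pkt[0], audit(*pkt, EXPECTED) or "ok")
```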

VRRP Implementation

VRRP State Machine

VRRP defines three statuses: Initialize, Master, and Backup. Only the device in Master state can forward the packets destined for the virtual IP address.

Table 11-13 VRRP statuses

Status

Description

Initialize

VRRP is unavailable. The device in Initialize state cannot process VRRP Advertisement packets.

When VRRP has just been configured on the device or the device detects a fault, it enters the Initialize state.

After receiving an interface Up message, a VRRP-enabled device with priority 255 becomes the master, and a VRRP-enabled device with a priority lower than 255 first switches to the Backup state.

Master

The VRRP device in Master state performs the following operations:
  • Sends VRRP Advertisement packets at intervals.
  • Uses the virtual MAC address to respond to ARP Request packets destined for the virtual IP address.
  • Forwards IP packets destined for the virtual MAC address.
  • Processes the IP packets destined for the virtual IP address if the device is an IP address owner, or discards the IP packets destined for the virtual IP address if the device is not the IP address owner.
  • Becomes the backup if the device receives a VRRP Advertisement packet with a higher priority than its VRRP priority.
  • Becomes the backup if the device receives a VRRP Advertisement packet with the same priority as its VRRP priority and the IP address of the local interface is smaller than the IP address of the connected interface on the remote device.

Backup

The VRRP device in Backup state performs the following operations:
  • Receives VRRP Advertisement packets from the master and determines whether the master works properly.
  • Does not respond to ARP Request packets destined for the virtual IP address.
  • Discards IP packets destined for the virtual IP address.
  • Resets the Master_Down_Interval timer and does not compare IP addresses if the received packet carries the same priority as its VRRP priority or higher priority.
    NOTE:
    Master_Down_Interval timer: If the backup does not receive Advertisement packets after the timer expires, the backup becomes the master. The calculation formula is as follows:
    • Master_Down_Interval = 3 x Advertisement_Interval + Skew_time (offset time)
    • Skew_Time = (256 - Priority)/256
  • If the device receives a VRRP Advertisement packet with a lower priority than its VRRP priority: sets the Skew_time (offset time) if the packet priority is 0, or discards the packet and becomes the master immediately if the packet priority is not 0.

VRRP Working Process

The VRRP working process is as follows:

  1. Devices in a VRRP group select the master based on device priorities. The master sends gratuitous ARP packets to notify the connected device or host of its virtual MAC address.
  2. The master periodically sends VRRP Advertisement packets to all backups in the VRRP group to advertise its configuration (for example, priority) and running status.
  3. If the master becomes faulty, the backups in the group select a new master based on priorities.
  4. When the VRRP group status changes, a new master is used. The new master sends gratuitous ARP packets carrying the virtual MAC address and virtual IP address of the virtual router to update the MAC address entry on the connected host or device. Then user traffic is switched to the new master. This process is transparent to users.
  5. When the original master recovers and is the IP address owner (priority 255), the original master directly switches to the Master state. If the device priority is lower than 255, it first switches to the Backup state and its original priority is restored.
  6. If the backup has higher priority than the master, the working mode of the backup determines whether the master is selected again.
    NOTE:
    • Preemption mode: If the priority of a virtual router backup is higher than the priority of the current virtual router master, the virtual router backup automatically becomes the virtual router master.

    • Non-preemption mode: As long as the virtual router master is working properly, the backup with a higher priority cannot become the virtual router master.

To ensure that the master and backup cooperate, VRRP must be able to select the master and advertise the master status.

The detailed VRRP working process is as follows:

  • Selecting the master

    VRRP determines the device role in the virtual router based on device priorities. The device with a higher priority is more likely to become the master.

    A VRRP-enabled device in a VRRP group first works in the Initialize state. After receiving an interface Up message, a VRRP-enabled device with priority 255 directly becomes the master, whereas a VRRP-enabled device with a priority lower than 255 first switches to the Backup state and then switches to the Master state after the Master_Down_Interval timer expires. The device that first switches to the Master state obtains the priorities of the other devices in the group by exchanging VRRP Advertisement packets. Then the master is selected.
    • If the master priority in VRRP Advertisement packets is higher than or equal to the priority of the device, the backup remains in the Backup state.
    • If the master priority in VRRP Advertisement packets is lower than the priority of the device, the backup switches to the Master state in preemption mode or remains in the Backup state in non-preemption mode.
    NOTE:
    • If multiple devices in the VRRP group switch to the Master state, the devices with a lower priority switch to the Backup state and the device with the highest priority becomes the master after these devices exchange VRRP Advertisement packets. If multiple devices have the same priority, the device where the interface with the largest IP address resides is the master.

    • If the device is the IP address owner, it switches to the Master state immediately after receiving an interface Up message.

  • Advertising the master status

    The master periodically sends VRRP Advertisement packets to all backups in the VRRP group to advertise its configuration (for example, priority) and running status. The backup determines whether the master works properly based on the received VRRP Advertisement packets.
    • When the master gives up the Master state, for example, because it leaves the group, it sends a VRRP Advertisement packet with priority 0. In this manner, a backup can switch to the Master state immediately without waiting for the Master_Down_Interval timer to expire. The switchover period is called Skew time, in seconds. The value is calculated using the following formula:

      Skew time = (256 - Backup priority)/256

    • If the master cannot send VRRP Advertisement packets due to network faults, the backups cannot learn the running status of the master immediately. The backups consider the master faulty only after the Master_Down_Interval timer expires. Then a backup switches to the Master state.

      Master_Down_Interval = 3 x Advertisement_Interval + Skew_time (in seconds)

    NOTE:

    If congestion occurs on an unstable network, the backup may not receive VRRP Advertisement packets from the master within the period of Master_Down_Interval. A backup then switches to the Master state. If the VRRP Advertisement packet from the original master reaches the backup (new master), the new master switches to the Backup state. In this case, the VRRP group status changes frequently. To solve the problem, the preemption delay is used. When the Master_Down_Interval timer expires, the backup waits for the preemption delay. If the backup does not receive a VRRP Advertisement packet within the preemption delay, it switches to the Master state.
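
The following added example (not part of the Huawei guide, and not Huawei code) turns the Master and Backup rules from Table 11-13 and the election and timer description above into a small state model, and shows that after a silent master failure the backup with the highest priority has the shortest Master_Down_Interval and therefore takes over first. The Router class, the function names, the 10.1.1.x addresses, and the three-router scenario are hypothetical; a 1-second Advertisement_Interval is assumed and the preemption delay is not modelled.

```python
import ipaddress

class Router:
    def __init__(self, name, ip, priority, preempt=True, state="Initialize"):
        self.name, self.ip, self.priority = name, ip, priority
        self.preempt, self.state = preempt, state

def skew_time(priority: int) -> float:
    return (256 - priority) / 256               # Skew_Time = (256 - Priority)/256

def master_down_interval(priority: int, adv_interval: float = 1.0) -> float:
    return 3 * adv_interval + skew_time(priority)

def interface_up(r: Router) -> str:
    """Initialize -> Master for priority 255 (IP address owner), otherwise -> Backup."""
    r.state = "Master" if r.priority == 255 else "Backup"
    return r.state

def on_advertisement(r: Router, adv_priority: int, adv_src: str):
    """Apply the receive rules above; return (state, timer to arm in seconds or None)."""
    if r.state == "Master":
        tie_lost = (adv_priority == r.priority and
                    ipaddress.ip_address(r.ip) < ipaddress.ip_address(adv_src))
        if adv_priority > r.priority or tie_lost:
            r.state = "Backup"
            return r.state, master_down_interval(r.priority)
        return r.state, None
    if r.state == "Backup":
        if adv_priority == 0:                    # master is leaving: wait only Skew_time
            return r.state, skew_time(r.priority)
        if adv_priority >= r.priority or not r.preempt:
            return r.state, master_down_interval(r.priority)   # reset, no IP comparison
        r.state = "Master"                       # lower non-0 priority in preemption mode,
        return r.state, None                     # immediate takeover as this page describes
    return r.state, None                         # Initialize: Advertisements are not processed

def fail_over(backups):
    """Master went silent: the backup with the shortest Master_Down_Interval takes over."""
    new_master = min(backups, key=lambda r: master_down_interval(r.priority))
    new_master.state = "Master"
    for r in backups:
        if r is not new_master:
            on_advertisement(r, new_master.priority, new_master.ip)
    return new_master

def demo():
    """Constructed scenario: A (120) fails, B (110) and C (100) react, then A recovers."""
    a = Router("A", "10.1.1.1", 120)
    b, c = Router("B", "10.1.1.2", 110), Router("C", "10.1.1.3", 100)
    for r in (b, c):
        interface_up(r)
    winner = fail_over([b, c])
    interface_up(a)                              # A is back; priority < 255, so it starts as Backup
    on_advertisement(a, winner.priority, winner.ip)   # A preempts the lower-priority master
    on_advertisement(b, a.priority, a.ip)        # B sees a higher priority and steps down
    return winner.name, {r.name: r.state for r in (a, b, c)}

if __name__ == "__main__":
    print(demo())
```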

VRRP in Active/Standby Mode

VRRP often uses the active/standby mode, as shown in Figure 11-32. In active/standby mode, a virtual router must be set up. The virtual router consists of one master and multiple backups.

Switch ModuleA is the master and forwards service packets. Switch ModuleB and Switch ModuleC are backups and do not forward service packets. Switch ModuleA periodically sends VRRP Advertisement packets to Switch ModuleB and Switch ModuleC to notify them that it is working properly. If Switch ModuleA is faulty, a new master is selected from Switch ModuleB and Switch ModuleC based on their priorities. The new master then takes over traffic.

After Switch ModuleA recovers, it becomes the master in preemption mode. In non-preemption mode, Switch ModuleA remains in the Backup state.

Figure 11-32 VRRP in active/standby mode

VRRP in Load Balancing Mode

In load balancing mode, multiple VRRP groups transmit services simultaneously, as shown in Figure 11-33. The implementation and packet negotiation in load balancing mode are similar to those in active/standby mode. Each VRRP group has one master and multiple backups. In load balancing mode, multiple VRRP groups need to be set up and use different masters. A VRRP device can join multiple VRRP groups and has different priorities in different VRRP groups.

VRRP load balancing is classified into multi-gateway load balancing and single-gateway load balancing.

Multi-Gateway Load Balancing

Multiple VRRP groups with virtual IP addresses are created and specified as gateways for different users to implement load balancing.

Figure 11-33 Multi-gateway load balancing
As shown in Figure 11-33, two VRRP groups are configured:
  • VRRP group 1: Switch ModuleA functions as the master and Switch ModuleB as the backup.
  • VRRP group 2: Switch ModuleB functions as the master and Switch ModuleA as the backup.

VRRP groups 1 and 2 are gateways for different user hosts. Multiple VRRP groups load balance traffic and back up each other.

Single-Gateway Load Balancing

A Load-Balance Redundancy Group (LBRG) with a virtual IP address is created, and VRRP groups without virtual IP addresses are added to the LBRG. The LBRG is specified as a gateway for all users to implement load balancing.

Figure 11-34 Single-gateway load balancing
As shown in Figure 11-34, two VRRP groups are configured:
  • VRRP group 1: an LBRG. Switch ModuleA is the master, and Switch ModuleB is the backup.
  • VRRP group 2: an LBRG member group. Switch ModuleB is the master, and Switch ModuleA is the backup.

All user hosts use VRRP group 1 as a gateway. After VRRP group 1 receives an ARP request packet from a user host, VRRP group 1 encapsulates its own virtual MAC address or VRRP group 2's virtual MAC address into an ARP reply packet for the ARP request packet. Single-gateway load balancing is an upgrade from multi-gateway load balancing. Single-gateway load balancing simplifies user-side configurations and facilitates network maintenance and management.

mVRRP

A switch is usually dual-homed to two devices to improve network reliability. Multiple VRRP groups can be configured on the two devices to transmit various types of services. Each VRRP group needs to maintain its own state machine; therefore, a large number of VRRP Advertisement packets are transmitted between devices.

As shown in Figure 11-35, to reduce the bandwidth and CPU resources occupied by protocol packets, configure a VRRP group as an mVRRP group and bind other VRRP groups to the mVRRP group. The mVRRP group sends VRRP Advertisement packets to determine the master and backup status for its VRRP groups. The bound VRRP groups do not send VRRP Advertisement packets, and their VRRP status is the same as the mVRRP group status.

Figure 11-35 mVRRP networking
  • mVRRP group

    An mVRRP group has all functions of a common VRRP group, and determines the statuses of its member VRRP groups by sending VRRP Advertisement packets. An mVRRP group can be deployed on the same side as service VRRP groups or on the interfaces that directly connect Switch ModuleA and Switch ModuleB:
    • When an mVRRP group functions as the gateway (mVRRP1 in Figure 11-35), the mVRRP group determines the Master and Backup statuses and forwards service traffic. You must first create a VRRP group and configure a virtual IP address as the gateway address, and then configure this VRRP group as an mVRRP group.

    • When an mVRRP group does not function as the gateway (mVRRP2 in Figure 11-35), the mVRRP group only determines the master and backup statuses, and cannot forward service traffic. The mVRRP group does not require a virtual IP address, and you can directly create an mVRRP group on an interface. mVRRP simplifies maintenance.

  • Service VRRP group

    After common VRRP groups are bound to an mVRRP group, they become service VRRP groups (member VRRP groups). Service VRRP groups do not need to send VRRP Advertisement packets to determine their statuses. The mVRRP group sends VRRP Advertisement packets to determine its status and the statuses of all its bound service VRRP groups.

Updated: 2019-08-09

Document ID: EDOC1000041694
