Fat AP and Cloud AP V200R008C00 CLI-based Configuration Guide

Principles

This section describes the implementation of VRRP.

Basic Concepts of VRRP

As shown in Figure 24-14, HostA is dual-homed to AP1 and AP2. AP1 and AP2 constitute a VRRP group so that they are considered as a virtual router for link redundancy.

Figure 24-14  VRRP group

VRRP can be deployed on a network shown in Figure 24-14. VRRP involves the following entities:

  • VRRP router: device running VRRP. It may join one or more virtual routers. AP1 and AP2 are VRRP routers.

  • Virtual router: VRRP group. It consists of one master and one or more backups. The VRRP group is used as the default gateway on a LAN. AP1 and AP2 constitute a virtual router.

  • Virtual router master: VRRP device that forwards packets. AP1 is the virtual router master.

  • Virtual router backup: a group of VRRP devices that do not forward packets. When the master device is faulty, a backup device preempts to be the new master. AP2 is the virtual router backup.

  • VRID: virtual router ID. The VRID of the virtual router composed of AP1 and AP2 is 1.

  • Virtual IP address: IP address of a virtual router. A virtual router can be assigned one or more virtual IP addresses. Virtual IP addresses are configurable. The virtual IP address of the virtual router composed of AP1 and AP2 is 10.1.1.10/24.

  • IP address owner: VRRP device that uses an IP address of a virtual router as the actual interface address. If an IP address owner is available, it usually functions as the virtual router master. The interface address of AP1 and the IP address of the virtual router are both 10.1.1.10/24, so AP1 is the IP address owner.

  • Virtual MAC address: MAC address that is generated by the virtual router based on the virtual router ID. The virtual router sends ARP Reply packets using the virtual MAC address instead of the interface MAC address. The VRID of the virtual router composed of AP1 and AP2 is 1, so the MAC address of the VRRP group is 00-00-5E-00-01-01.

VRRP Packets

VRRP packets are sent to notify all backup devices in a VRRP group of the master device priority and status.

VRRP packets are encapsulated into IP packets and sent to the VRRP IP multicast address. In the IP packet header, the source address is the primary IP address of the interface that sends the packets, the destination address is 224.0.0.18, the TTL is 255, and the protocol number is 112. The primary IP address is not the virtual IP address.
NOTE:

Primary IP address: an IP address selected from the actual IP addresses of an interface. Usually, it is the first configured IP address.

VRRP has two versions: VRRPv2 and VRRPv3. VRRPv2 applies to the IPv4 network, and VRRPv3 applies to IPv4 and IPv6 networks.

VRRP is classified into VRRP for IPv4 and VRRP for IPv6 (VRRP6) by network type. VRRP for IPv4 supports VRRPv2 and VRRPv3, and VRRP for IPv6 supports only VRRPv3.

VRRP Packet Formats

Figure 24-15 shows the VRRPv2 packet format, and Figure 24-16 shows the VRRPv3 packet format.

Figure 24-15  VRRPv2 packet format

Figure 24-16  VRRPv3 packet format

Table 24-3 lists fields in a VRRP packet.

Table 24-3  Description of fields in a VRRP packet

| Field | Description (VRRPv2) | Description (VRRPv3) |
|---|---|---|
| Version | VRRP protocol version. The value is 2. | VRRP protocol version. The value is 3. |
| Type | VRRP Advertisement packet type. The value 1 indicates an Advertisement packet. | VRRP Advertisement packet type. The value 1 indicates an Advertisement packet. |
| Virtual Rtr ID (VRID) | Virtual router ID. The value ranges from 1 to 255. | Virtual router ID. The value ranges from 1 to 255. |
| Priority | Priority of the master in the VRRP group. The value ranges from 0 to 255. The value 0 indicates that the device does not participate in the VRRP group. The backup device can become the master immediately. The value 255 is reserved for the IP address owner. The default value is 100. | Priority of the master in the VRRP group. The value ranges from 0 to 255. The value 0 indicates that the device does not participate in the VRRP group. The backup device can become the master immediately. The value 255 is reserved for the IP address owner. The default value is 100. |
| Count IP Addrs/Count IPvX Addr | Number of virtual IPv4 addresses in the VRRP group. | Number of virtual IPv4 or IPv6 addresses in the VRRP group. |
| Auth Type | Authentication mode. There are three authentication modes: 0: Non Authentication; 1: Simple Text Password; 2: IP Authentication Header (MD5 authentication) | - |
| Adver Int/Max Adver Int | Interval at which VRRP Advertisement packets are sent, in seconds. The default value is 1. | Interval at which VRRP Advertisement packets are sent, in centiseconds. The default value is 100 (1 second). |
| Checksum | 16-bit checksum, which is used to detect data damage in VRRP packets. | 16-bit checksum, which is used to detect data damage in VRRP packets. |
| IP Address/IPvX Address(es) | Virtual IPv4 address in the VRRP group. The Count IP Addrs field determines the number of virtual IPv4 addresses in the VRRP group. | Virtual IPv4 or IPv6 address in the VRRP group. The Count IPvX Addrs field determines the number of virtual IPv4 or IPv6 addresses in the VRRP group. |
| Authentication Data | Authentication key. This field is used only in simple authentication mode and MD5 authentication mode. In other authentication modes, this field is filled with 0. | - |
| rsvd | - | Reserved. The value must be 0. |

VRRPv2 and VRRPv3 have the following differences:
  • Support different networks. VRRPv3 applies to IPv4 and IPv6 networks, whereas VRRPv2 applies to only the IPv4 network.

  • Have different authentication functions. VRRPv3 does not support authentication, whereas VRRPv2 does.
    NOTE:
    VRRPv2 reserves the authentication field in VRRP packets to be compatible with VRRP defined in RFC 2338. VRRP authentication cannot improve security.
  • Use different units for the interval at which VRRP Advertisement packets are sent. VRRPv3 uses centiseconds, whereas VRRPv2 uses seconds.
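
The following Python code is an added example, not part of the original guide or of any device software. It decodes the header fields listed in Table 24-3 and applies receive-side checks based on the values stated above (protocol number 112, destination 224.0.0.18, TTL 255). The function names and the sample packet are assumptions, and the VRRPv3 checksum, which also covers a pseudo-header, is not verified here.

```python
import socket
import struct

VRRP_GROUP, VRRP_PROTO, VRRP_TTL = "224.0.0.18", 112, 255

def inet_checksum(data: bytes) -> int:
    """16-bit one's-complement checksum; returns 0 when run over a valid message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_advert(payload: bytes) -> dict:
    """Decode the fixed 8-byte header shared by VRRPv2 and VRRPv3."""
    if len(payload) < 8:
        raise ValueError("VRRP header needs at least 8 bytes")
    f = {"version": payload[0] >> 4, "type": payload[0] & 0x0F,
         "vrid": payload[1], "priority": payload[2], "count": payload[3]}
    if f["version"] == 2:
        f["auth_type"], f["adver_int_s"] = payload[4], float(payload[5])
    else:  # VRRPv3 layout: 4 reserved bits, then 12-bit interval in centiseconds
        word = struct.unpack("!H", payload[4:6])[0]
        f["rsvd"], f["adver_int_s"] = word >> 12, (word & 0x0FFF) / 100
    f["virtual_mac"] = "00-00-5E-00-01-%02X" % f["vrid"]  # IPv4 groups
    return f

def validate(ip_dst: str, ttl: int, proto: int, payload: bytes) -> list:
    """Return the list of reasons a receiver should drop this packet."""
    problems = []
    if proto != VRRP_PROTO:
        problems.append("IP protocol is not 112")
    if ip_dst != VRRP_GROUP:
        problems.append("destination is not 224.0.0.18")
    if ttl != VRRP_TTL:
        problems.append("TTL is not 255 (packet was routed or malformed)")
    f = parse_advert(payload)
    if f["version"] not in (2, 3) or f["type"] != 1:
        problems.append("not a VRRPv2/v3 Advertisement")
    if f["vrid"] == 0:
        problems.append("VRID outside 1-255")
    if f["version"] == 2:
        if len(payload) != 8 + 4 * f["count"] + 8:
            problems.append("length does not match Count IP Addrs")
        if inet_checksum(payload) != 0:
            problems.append("bad checksum")
    elif f["version"] == 3 and f["rsvd"]:
        problems.append("rsvd bits are not 0")
    return problems

def build_v2_advert(vrid: int, priority: int, vip: str) -> bytes:
    """Constructed sample: one virtual IP, Auth Type 0, 1-second interval."""
    body = socket.inet_aton(vip) + bytes(8)          # address + Authentication Data
    head = bytes([0x21, vrid, priority, 1, 0, 1])
    csum = inet_checksum(head + b"\x00\x00" + body)
    return head + struct.pack("!H", csum) + body
```
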

VRRP Authentication
Different authentication modes and authentication keys can be set in VRRPv2 Advertisement packets:
  • Non-authentication: The device does not authenticate outgoing VRRP Advertisement packets. In addition, the device does not authenticate the received VRRP packets. It considers all the received packets valid.
  • Simple authentication: The device encapsulates the authentication mode and authentication key into an outgoing VRRP Advertisement packet. The device that receives the VRRP Advertisement packet compares the authentication mode and authentication key in the packet with those configured on the device. If the values are the same, the device considers the received VRRP Advertisement packet valid. If the values are different, the device considers the received VRRP Advertisement packet invalid and discards it.
  • MD5 authentication: The device uses the MD5 algorithm to encrypt the authentication key and encapsulates the key in the Authentication Data field of an outgoing VRRP Advertisement packet. The device that receives the VRRP Advertisement packet matches the authentication mode with the decrypted authentication key in the packet.

VRRP Implementation

VRRP State Machine

VRRP defines three statuses: Initialize, Master, and Backup. Only the device in Master state can forward packets destined for the virtual IP address.

Table 24-4  VRRP statuses

Status

Description

Initialize

VRRP is unavailable. The device in Initialize state cannot process VRRP packets.

When a device starts or detects a fault, it enters the Initialize state.

After receiving an interface Up message, the VRRP-enabled device with priority 255 becomes the master and a VRRP-enabled device with a priority lower than 255 first switches to the Backup state.

Master

The VRRP device in Master state performs the following operations:
  • Sends VRRP Advertisement packets at intervals.
  • Uses the virtual MAC address to respond to ARP Request packets destined for the virtual IP address.
  • Forwards IP packets destined for the virtual MAC address.
  • Processes the IP packets destined for the virtual IP address if the device is an IP address owner. If the device is not the IP address owner, it discards the IP packets destined for the virtual IP address.
  • Becomes the backup if the device receives a VRRP packet with a higher priority than the VRRP priority of the device.
  • Becomes the backup if the device receives a VRRP packet with the same priority as the VRRP priority of the device and the IP address of the local interface is smaller than the IP address of the connected interface on the remote device.

Backup

The VRRP device in Backup state performs the following operations:
  • Receives VRRP Advertisement packets from the master and determines whether the master works properly.
  • Does not respond to ARP Request packets destined for the virtual IP address.
  • Discards IP packets destined for the virtual IP address.
  • Resets the Master_Down_Interval timer and does not compare IP addresses if the received packet carries the same priority as the device or higher priority than the device.
    NOTE:

    Master_Down_Interval timer: If the backup does not receive Advertisement packets before the timer expires, the backup becomes the master. The calculation formula is as follows: Master_Down_Interval = 3 x Advertisement_Interval + Skew_time (offset time), where Skew_time = (256 - Priority)/256.

  • If the device receives a VRRP packet with a lower priority than its own VRRP priority: sets the Skew_time (offset time) when the packet priority is 0, or discards the packet and becomes the master when the packet priority is not 0.
VRRP Working Process

The VRRP working process is as follows:

  1. Devices in a VRRP group select the master based on device priorities. The master sends gratuitous ARP packets to notify the connected device or host of its virtual MAC address.
  2. The master periodically sends VRRP Advertisement packets to all backups in the VRRP group to advertise its configuration and running status.
  3. If the master becomes faulty, the backups in the group select a new master based on priorities.
  4. When the VRRP group status changes, a new master is used. The new master sends gratuitous ARP packets carrying the virtual MAC address and virtual IP address of the virtual router to update the MAC address entry on the connected host or device. Then user traffic is switched to the new master. This process is transparent to users.
  5. When the original master recovers and is the IP address owner (priority of 255), the original master directly switches to the Master state. If the device priority is smaller than 255, it first switches to the Backup state and its original priority is restored.
  6. If the backup has higher priority than the master, the working mode of the backup determines whether the master is selected again.
    NOTE:
    • Preemption mode: If the priority of a virtual router backup is higher than the priority of the current virtual router master, the virtual router backup automatically becomes the virtual router master.

    • Non-preemption mode: As long as the virtual router master is working properly, the backup with a higher priority cannot become the virtual router master.

To ensure that the master and backup cooperate, VRRP must be able to:
  • Select the master.
  • Advertise the master status.

The following describes the VRRP working process in detail.

  • Selecting the master

    VRRP determines the device role in the virtual router based on device priorities. The device with a higher priority is more likely to become the master.

    The VRRP-enabled device in the VRRP group first works in Initialize state. After receiving an interface Up message, the VRRP-enabled device with priority 255 becomes the master and a VRRP-enabled device with a priority lower than 255 first switches to the Backup state. After the Master_Down_Interval timer expires, that device switches to the Master state. The device that first switches to the Master state obtains the priorities of other devices in the group by exchanging VRRP Advertisement packets. Then the master is selected.
    • If the master priority in VRRP packets is higher than or equal to the priority of the device, the backup remains in the Backup state.
    • If the master priority in VRRP packets is lower than the priority of the device, the backup in preemption mode switches to the Master state, and the backup in non-preemption mode remains in the Backup state.
    NOTE:
    • If multiple devices in the group switch to the master, the devices with a lower priority switch to the Backup state and the device with the highest priority becomes the master after these devices exchange Advertisement packets. If multiple devices have the same priority, the device where the interface with the largest IP address resides is the master.

    • If the device is the IP address owner, it switches to the Master state immediately after receiving an interface Up message.

  • Advertising the master status

    The master periodically sends VRRP Advertisement packets to all backups in the VRRP group to advertise its configuration and running status. The backup determines whether the master works properly based on the received VRRP Advertisement packets.
    • When the master does not retain the Master state, for example, the master leaves the group, it sends a VRRP Advertisement packet with priority 0. In this manner, a backup can switch to the master immediately without waiting for the Master_Down_Interval timer to expire. The switchover period is called Skew time, in seconds. The value is calculated using the following formula: Skew time = (256 - Backup priority)/256
    • If the master cannot send VRRP Advertisement packets due to network faults, the backups cannot learn the running status of the master. The backups consider the master faulty only after the Master_Down_Interval timer expires. Then a backup switches to the Master state. Master_Down_Interval = 3 x Advertisement_Interval + Skew_time (in seconds)
    NOTE:

    If congestion occurs on an unstable network, the backup may not receive VRRP Advertisement packets from the master within the period of Master_Down_Interval. A backup then switches to the Master state. If the VRRP Advertisement packet from the original master reaches the backup (new master), the new master switches to the Backup state. In this case, the VRRP group status changes frequently. To solve the problem, the preemption delay is used. When the Master_Down_Interval timer expires, the backup waits for the preemption delay. If the backup does not receive a VRRP Advertisement packet within the preemption delay, it switches to the Master state.
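
The following Python code is an added example, not part of the original guide. It models the selection rules and the two timers described above (Skew time and Master_Down_Interval), showing which backup takes over and after how long. The class, function names, addresses and priorities are assumptions, and the preemption delay is not modelled.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Router:
    name: str
    ip: str               # primary IP address of the VRRP interface
    priority: int         # 255 is reserved for the IP address owner
    preempt: bool = True  # preemption mode

def rank(priority: int, ip: str) -> tuple:
    """Election order: higher priority wins, then the larger interface IP."""
    return (priority, int(ipaddress.ip_address(ip)))

def skew_time(priority: int) -> float:
    return (256 - priority) / 256

def master_down_interval(priority: int, adver_int: float = 1.0) -> float:
    return 3 * adver_int + skew_time(priority)

def elect(routers: list) -> Router:
    """Master after all candidates have exchanged Advertisement packets."""
    return max(routers, key=lambda r: rank(r.priority, r.ip))

def takeover(backups: list, graceful: bool, adver_int: float = 1.0) -> tuple:
    """(new master, seconds waited) once the master stops forwarding.
    graceful=True: the master sent priority 0, so backups wait only Skew_time.
    graceful=False: the master went silent; backups wait Master_Down_Interval."""
    def wait(r):
        return skew_time(r.priority) if graceful else master_down_interval(r.priority, adver_int)
    new_master = elect(backups)   # highest priority also has the shortest wait
    return new_master, wait(new_master)

def on_advert(local: Router, state: str, adv_priority: int, adv_ip: str) -> str:
    """Next state of `local` after it receives an Advertisement packet."""
    if state == "Master":
        higher = rank(adv_priority, adv_ip) > rank(local.priority, local.ip)
        return "Backup" if higher else "Master"
    if adv_priority >= local.priority or adv_priority == 0:
        return "Backup"           # timer is reset (or shortened to Skew_time)
    return "Master" if local.preempt else "Backup"

# Constructed sample group (addresses and priorities are assumptions).
GROUP = [Router("AP1", "10.1.1.1", 120), Router("AP2", "10.1.1.2", 110),
         Router("AP3", "10.1.1.3", 100)]
```
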

VRRP in Active/Standby Mode

VRRP often uses the active/standby mode, as shown in Figure 24-17. In active/standby mode, a virtual router must be set up. The virtual router consists of a master router and multiple backup routers.

AP1 is the master and forwards service packets. AP2 and AP3 are backup devices and do not forward services. AP1 periodically sends VRRP Advertisement packets to AP2 and AP3, notifying that AP1 itself works properly. If AP1 is faulty, a new master is elected from AP2 and AP3 based on their priorities. The new master then takes over traffic.

After AP1 recovers, it becomes the master in preemption mode. In non-preemption mode, AP1 remains in the Backup state.

Figure 24-17  VRRP in active/standby mode

VRRP in Load Balancing Mode

In load balancing mode, multiple VRRP groups transmit services simultaneously, as shown in Figure 24-18. The implementation and packet negotiation in load balancing mode are similar to those in active/standby mode. Each VRRP group has one master device and multiple backup devices. In load balancing mode, multiple VRRP groups need to be set up and use different master devices. A VRRP device can join multiple VRRP groups and has different priorities in these VRRP groups.

Multi-gateway load balancing

Multiple VRRP backup groups with virtual IP addresses are created and specified as gateways for different users to implement load balancing.

Figure 24-18  Multi-gateway load balancing
As shown in Figure 24-18, two VRRP groups are configured:
  • VRRP group 1: AP1 functions as the master and AP2 as the backup.
  • VRRP group 2: AP2 functions as the master and AP1 as the backup.

Backup groups 1 and 2 are gateways for different hosts. Multiple VRRP groups load balance traffic and back up each other.

mVRRP

A Switch is usually dual-homed to two APs to improve network reliability. Multiple VRRP groups can be configured on the two APs to transmit various types of services. Each VRRP group needs to maintain its own state machine; therefore, a large number of VRRP packets are transmitted between APs.

As shown in Figure 24-19, to decrease bandwidth and CPU resources occupied by protocol packets, configure a VRRP group as an mVRRP group and bind other service VRRP groups to the mVRRP group. The mVRRP group sends VRRP Advertisement packets to determine the master and backup status for its service VRRP groups.

Figure 24-19  mVRRP networking
  • mVRRP Backup Group

    The mVRRP backup group has all functions of a common VRRP backup group, and determines the statuses of its member VRRP groups by sending VRRP Advertisement packets. An mVRRP backup group can be deployed on the same side as service VRRP backup groups or on the interfaces that directly connect AP1 and AP2:
    • When an mVRRP group functions as the gateway (mVRRP1 in Figure 24-19), the mVRRP group determines the Master and Backup status and forwards service traffic. You must create a VRRP group and configure a virtual IP address as the gateway address, and then configure this VRRP group as an mVRRP group.

    • When an mVRRP group does not function as the gateway (mVRRP2 in Figure 24-19), the mVRRP group only determines the master and backup status, and cannot forward service traffic. The mVRRP group does not require a virtual IP address, and you can directly create an mVRRP group on an interface. mVRRP simplifies maintenance.

  • Service VRRP Backup Group

    After common VRRP backup groups are bound to an mVRRP backup group, they become service VRRP backup groups (member VRRP backup groups). Service VRRP backup groups do not need to send VRRP packets to determine their states. The mVRRP backup group sends VRRP packets to determine its state and the states of all its bound service VRRP backup groups.

Updated: 2019-01-11

Document ID: EDOC1000176006
