Configuring Basic VRRP Functions
VRRP works in either master/backup or load balancing mode, implementing device backup and efficient and stable data forwarding.
Usage Scenario
A VRRP group consists of two or more devices and functions as an egress gateway for hosts. If a device fails, another device takes over. VRRP ensures continuous and reliable network communication.
Creating a VRRP Group
You can create a Virtual Router Redundancy Protocol (VRRP) backup group and set VRRP priorities to determine the master and backup routers. The master router transmits data traffic. You can create multiple VRRP groups to load-balance data traffic.
Context
Multi-gateway load balancing: Multiple VRRP groups with virtual IP addresses are created and specified as gateways for different users to implement load balancing.
As shown in Figure 4-5, VRRP groups 1 and 2 are deployed on the network.- VRRP group 1: Device A is the master device, and Device B is the backup device.
- VRRP group 2: Device B is the master device, and Device A is the backup device.
Some users access the Internet using VRRP group 1, and others access the Internet using VRRP group 2. The backup groups can load-balance service traffic and back up each other.
Procedure
- Create a VRRP group working in master/backup mode.
- Run vrrp vrid virtual-router-id virtual-ip virtual-address
A VRRP group is created and assigned a virtual IP address.
VRRP groups cannot share virtual IP addresses.
Two devices in a single VRRP group must be configured with the same virtual router ID (VRID).
VRRP groups on different interfaces of a device can be configured with the same VRID.
Multiple virtual IP addresses can be assigned to a VRRP group. A single virtual IP address serves a separate user group, in which users have the same reliability requirements. This setting helps prevent the default gateway addresses from varying according to changes in VRRP device locations.
A VRRP group is created and assigned the first virtual IP address at the same time. If another virtual IP address is assigned to the VRRP group, the system only adds the virtual IP address to the virtual IP address list for the VRRP group.
The direct routes generated by the virtual IP addresses in a VRRP group can be imported by OSPF, IS-IS and RIP. By default, this kind of route can be advertised by OSPF, IS-IS and RIP to the neighboring devices. On actual networks, it is possible that there are a large number of routes generated by the virtual IP addresses in a VRRP group; if all of the routes are imported and advertised to the neighboring devices by OSPF, IS-IS and RIP, it will bring a heavy load to some devices on the networks and affect the network performance. In this situation, you can use the vrrp virtual-ip route-advertise disable command to disable OSPF, IS-IS and RIP from advertising the routes generated by the virtual IP addresses in the VRRP group.
- Run vrrp vrid virtual-router-id priority priority-value
The master device's priority must be higher than a backup device's priority. Using the default priority on a backup device is recommended.
If devices have the same VRRP priority, the device that enters the Master state earlier than others is the master device. Other devices are backup devices and stop preempting the Master state.
- Run vrrp vrid virtual-router-id virtual-ip virtual-address
- Create VRRP groups working in multi-gateway load balancing mode.
If VRRP groups need to work in multi-gateway load balancing mode, repeat the steps to configure two or more VRRP groups on the interface and assign different VRIDs to them.
Configuring a Unicast VRRP Group
This section describes how to configure a unicast VRRP group to implement the master/backup status negotiation between two devices on a Layer 3 network.
Usage Scenario
Common VRRP is multicast VRRP and only allows multicast VRRP Advertisement packets to be sent. Multicast VRRP Advertisement packets, however, can be forwarded within only one broadcast domain (for example, one VLAN or VSI). Therefore, common VRRP groups apply only to Layer 2 networks. This limitation means that common VRRP does not apply to Layer 3 devices that need to negotiate their master/backup status using VRRP. After a unicast VRRP group is configured on two devices on a Layer 3 network, the master device in this group sends unicast VRRP Advertisement packets to the backup device through the Layer 3 network, implementing the master/backup status negotiation between the two devices.
Procedure
- Run system-view
The system view is displayed.
- Run interface loopback loopback-number
The loopback interface view is displayed.
- Run vrrp vrid virtual-router-id peer-ip ip-address
Unicast VRRP is enabled, a unicast VRRP group is created, and a peer IP address is configured for this group.
- (Optional) Run vrrp vrid virtual-router-id authentication-mode { md5 md5-key | hmac-sha256 hmac-sha256 }
An authentication mode is configured for unicast VRRP Advertisement packets.
The same authentication mode and key must be configured on the two devices in a unicast VRRP group. If different authentication modes and keys are configured, the master/backup status negotiation fails.
- Run vrrp vrid virtual-router-id priority priority-value
A priority is configured for the device in the unicast VRRP group.
- (Optional) Run vrrp vrid virtual-router-id timer advertise advertise-interval
An interval at which unicast VRRP Advertisement packets are sent is configured.
- (Optional) Run vrrp vrid virtual-router-id preempt-mode timer delay delay-value
A preemption delay is set for the device in the unicast VRRP group.
- Run commit
The configuration is committed.
Follow-up Procedure
- Associate the unicast VRRP group with a VRRP-disabled interface.
- Run system-view
The system view is displayed.
- Run interface loopback loopback-number
The view of the interface on which the unicast VRRP group is configured is displayed.
- Run vrrp vrid virtual-router-id track interface interface-type interface-number [ increased value-increased | reduced value-reduced ]
The unicast VRRP group is associated with a specified VRRP-disabled interface.
- Run commit
The configuration is committed.
- Run system-view
- Configure the unicast VRRP group to track an interface monitoring group.
- Run system-view
The system view is displayed.
- Run interface loopback loopback-number
The view of the interface on which the unicast VRRP group is configured is displayed.
- Run vrrp vrid virtual-router-id track monitor-group monitor-group-name failure-ratio failure-ratio-value { [ reduced reduced-value ] | link }
The unicast VRRP group is configured to track an interface monitoring group. When the link failure ratio on the access or network side reaches a specified threshold, the unicast VRRP group performs a master/backup switchover.
- Run commit
The configuration is committed.
A unicast VRRP group can track three interface monitoring groups at the same time.- A unicast VRRP group can track two interface monitoring groups on the access side in normal mode (link is not specified). When the link failure ratio on the access side reaches a specified threshold, the VRRP group reduces the priority of the local device to trigger the remote device to preempt the Master state.
- A VRRP group can track one interface monitoring group on the network side in link mode. When the link failure ratio on the network side reaches a specified threshold, the local device in the VRRP group changes to the Initialize state and sends a VRRP Advertisement packet carrying a priority of 0 to the remote device to trigger the remote device to preempt the Master state.
- Run system-view
- Configure the unicast VRRP group to track a route monitoring group.
- Run system-view
The system view is displayed.
- Run interface loopback loopback-number
The view of the interface on which the unicast VRRP group is configured is displayed.
- Run vrrp vrid virtual-router-id track route-monitor-group route-monitor-group-name failure-ratio failure-ratio-value [ link | [ reduced priority-value ] ]
The unicast VRRP group is configured to track a route monitoring group. When the link failure ratio on the access or network side reaches a specified threshold, the unicast VRRP group performs a master/backup switchover.
- Run commit
The configuration is committed.
- Run system-view
(Optional) Configuring VRRP Stability Functions
To help a VRRP group work stably, enable the preemption function, set a preemption delay, and specify an interval at which VRRP Advertisement packets are sent. The configuration can minimize impact of network flapping resulted from frequent master/backup VRRP switchovers on data forwarding.
Context
A VRRP group performs a master/backup switchover if the master device fails or a network is busy. After the master device or network communication recovers, a new master device is selected.
If a network flaps, service packets are adversely affected. VRRP stability functions can be configured to improve VRRP stability, minimizing network interruptions or packet loss resulted from frequent master/backup VRRP switchovers. Table 4-1 describes VRRP stability functions.
Basic Function |
Description |
|---|---|
Frequent master/backup switchovers on an unstable network may cause double master devices to coexist or hosts to learn incorrect master MAC address. To maintain the stable master/backup status, configure either of the following preemption modes:
|
|
Setting the interval at which VRRP Advertisement packets are sent |
Heavy network traffic or timer setting differences between devices may cause a backup device to incorrectly preempt the Master state. To prevent this issue, set a large value for the interval at which VRRP Advertisement packets are sent by the master device. |
If a VRRP-enabled interface status changes frequently, the VRRP status on the interface frequently alternates between Up and Down. To prevent this issue, set a recovery delay. A VRRP group responds to a VRRP interface Up event only after a specified recovery delay. The recovery delay helps prevent VRRP status flapping caused by frequent interface status changes. |
Procedure
- Set a preemption delay for a device in a VRRP group.
- Run vrrp vrid virtual-router-id preempt-mode timer delay delay-value
A preemption delay is set for the device in a VRRP group.
You can run the vrrp vrid virtual-router-id preempt-mode disable command to configure the non-preemption mode for devices in a VRRP group. When a VRRP group works in non-preemption mode, another backup device cannot preempt the Master state so long as the master device is working properly.
A preemption delay is a period of time during which a backup device waits to preempt the Master state. When an IP address owner recovers from a fault, it immediately preempts the Master state. Therefore, the preemption delay is meaningless for an IP address owner. If a preemption delay needs to be configured for a VRRP group, do not configure the master device in the group as an IP address owner.
- Run vrrp vrid virtual-router-id preempt-mode timer delay delay-value
- Set an interval at which VRRP Advertisement packets are sent.
- Run vrrp timer-advertise learning enable
The device is enabled to learn the interval at which VRRP Advertisement packets are sent.
During a master/backup VRRP switchover, do not disable the device from learning the interval. Otherwise, two master devices may coexist.
- Run vrrp timer-advertise learning enable
- Set a recovery delay.
- Run vrrp recover-delay delay-value
A recovery delay is set.
The vrrp recover-delay command run in the system view takes effect on all VRRP groups on the same device.
The vrrp recover-delay command run in the interface view takes effect on all VRRP groups on the same interface. If the vrrp recover-delay command is run in both the system and interface views, the setting in the interface view prefers.
- Run vrrp recover-delay delay-value
(Optional) Configuring a VRRP Security Policy
A VRRP security policy can be configured to protect a network requiring high security against attacks.
Context
When the master device periodically sends VRRP Advertisement packets to a backup device, an attacker may simulate the master device's packets to initiate attacks. To improve network security, configure a VRRP security policy. Table 4-2 describes VRRP security functions.
Function Item |
Description |
|---|---|
Configuring an authentication mode for VRRP Advertisement packets |
Different authentication modes can be used for different security requirements.
|
Procedure
- Configure an authentication mode for VRRP Advertisement packets.
- Run vrrp vrid virtual-router-id authentication-mode { simple { [ plain ] key | cipher cipher-key } | md5 md5-key }
An authentication mode is configured for VRRP Advertisement packets.
- When configuring an authentication password, select the ciphertext mode because the password is saved in configuration files in simple text if you select simple text mode, which has a high risk. To ensure device security, change the password periodically.
- The authentication key configured on the master device must be the same as that configured on a backup device in the same VRRP group.
- Run vrrp vrid virtual-router-id authentication-mode { simple { [ plain ] key | cipher cipher-key } | md5 md5-key }
(Optional) Optimizing VRRP
To optimize VRRP, enable ping to a virtual IP address, set the interval at which the master device sends gratuitous ARP packets, and disable a device from checking TTL values in received VRRP Advertisement packets.
Context
Table 4-3 describes VRRP optimization functions.
Basic Function |
Description |
|---|---|
VRRPv4 supports VRRPv2 and VRRPv3.
|
|
Hosts can ping the virtual IP address of a VRRP group. This function can be used to monitor the connectivity of links between hosts and a gateway. |
|
In most cases, after receiving an ARP request packet that is destined for a virtual IP address, the backup device in a VRRP group does not learn the ARP entry of the requester. If a link or the master device in the VRRP group fails, a master/backup device switchover is performed. The original backup device becomes the master device and must learn user-side ARP entries before taking over the traffic forwarded by the original master device. During user-side ARP entry learning, traffic is interrupted temporarily. You can enable passive ARP to resolve this issue. |
|
Setting the interval at which the master device sends gratuitous ARP packets |
To ensure that the destination MAC address and outbound interface on a downstream device (switch) connected to the master device in a VRRP group are updated in a timely manner, the master device sends gratuitous ARP packets to the downstream device at a specified interval. |
Disabling a device from checking TTL values in VRRP Advertisement packets |
A VRRP-enabled device checks the TTL value in every received VRRP Advertisement packet and discards a packet if its TTL value is not 255. However, if devices of different vendors are deployed on a network, checking TTL values in VRRP Advertisement packets may cause a device to incorrectly discard packets. To resolve this issue, disable the device from checking TTL values in VRRP Advertisement packets to implement interworking between different vendors' devices. |
When a VRRP group is configured for a super VLAN on a device enabled with VLAN aggregation, VRRP Advertisement packets can be sent to a specified sub-VLAN or all sub-VLANs of the super VLAN. Sending VRRP Advertisement packets to a specified sub-VLAN can improve bandwidth usage efficiency. |
|
Specifying a mode that the master device uses to send gratuitous ARP packets |
The master device sends gratuitous ARP packets to all VLAN users through its sub-interface for QinQ VLAN tag termination. After VLAN users attached to a switching device learn the virtual MAC address, they send packets through the master device. To reduce system burdens, enable the sub-interface for QinQ VLAN tag termination to send gratuitous ARP packets only with the first VLAN ID specified in the inner tag and each VLAN ID in the outer tag. |
Mode that the master device uses to send packets through a dot1q termination sub-interface |
If VRRP is enabled on a dot1q termination sub-interface, VRRP packets are encapsulated with VLAN tags before being transmitted to VRRP devices in specific VLANs. |
Mode that the master device uses to send packets through a QinQ termination sub-interface |
If VRRP is enabled on a QinQ termination sub-interface, VRRP packets are encapsulated with inner and outer VLAN tags before being transmitted to VRRP devices in specific VLANs. |
Procedure
- Configure a VRRP version number.
- Enable a device to allow hosts to ping a virtual IP address.
- Enable passive ARP.
- Set the interval at which the master device sends gratuitous ARP packets.
- Disable a device from checking TTL values in VRRP Advertisement packets.
- Configure the mode for sending VRRP Advertisement packets in VLANs.
- Run vrrp advertise send-mode { sub-vlan-id | all }
The mode for sending VRRP Advertisement packets in VLANs is configured.
If sub-vlan-id is specified, VRRP Advertisement packets are sent to a specified sub-VLAN.
If all is specified, VRRP Advertisement packets are broadcast to all sub-VLANs of a super VLAN.
Specifying the parameter all is not recommended. If all is configured, a super VLAN broadcasts a VRRP Advertisement packet to all its sub-VLANs, reducing the CPU running efficiency.
- Run vrrp advertise send-mode { sub-vlan-id | all }
- Specify a mode that the master device uses to send gratuitous ARP packets.
- Specify a mode that the master device uses to send gratuitous ARP packets through a dot1q termination sub-interface.
- Specify a mode that the master device uses to send packets through a QinQ termination sub-interface.
- Run qinq vrrp pe-vid pe-vid ce-vid ce-vid
VRRP packets with a specified inner VLAN ID and a specified outer VLAN ID are sent to VLANs.
The pe-vid and ce-vid parameters to be specified in the qinq vrrp command are configured using the qinq termination pe-vid ce-vid command.
- Run qinq vrrp pe-vid pe-vid ce-vid ce-vid
(Optional) Enabling Backup Devices to Forward Service Traffic
To meet carrier-class reliability requirements, enable backup devices to forward service traffic.
Context
On the mobile bearer network shown in Figure 4-6, the NodeB attached to the cell site gateway (CSG) is connected to PE1 and PE2 over the primary and secondary pseudo wires (PWs) and to PE3 and PE4 over the active and standby links. A Virtual Router Redundancy Protocol (VRRP) backup group is deployed on both PE3 and PE4. If PE1 fails, service traffic switches from the active link to the standby link immediately, but a master/backup VRRP switchover is performed between PE3 and PE4 after a delay. Therefore, service traffic is lost before the master/backup VRRP switchover is performed.
To resolve this issue and meet carrier-class reliability requirements, enable PE4 (the backup device) to forward service traffic. After the configuration is complete, PE4 forwards service traffic before a master/backup VRRP switchover is performed, which prevents service traffic loss.
You can enable backup devices to forward service traffic on the master and backup devices in a VRRP group.
Perform the following steps on each device in a VRRP group:
Procedure
- Run system-view
The system view is displayed.
- Run interface interface-type interface-number
The view of the interface on which the VRRP group is configured is displayed.
- Run vrrp vrid virtual-router-id backup-forward
The backup devices in the VRRP group are enabled to forward service traffic.
- Run commit
The configuration is committed.
