Redundancy and Load Balancing Protocol- VRRP (Virtual Router Redundancy Protocol) - NetwaxLab

Breaking

Facebook Popup

BANNER 728X90

Saturday, December 13, 2014

Redundancy and Load Balancing Protocol- VRRP (Virtual Router Redundancy Protocol)

Download
Virtual Router Redundancy Protocol (VRRP) is a computer networking protocol that provides for automatic assignment of available Internet Protocol (IP) routers to participating hosts. This increases the availability and reliability of routing paths via automatic default gateway selections on an IP subnetwork.

The Virtual Router Redundancy Protocol (VRRP) eliminates the single point of failure inherent in the static default routed environment. VRRP specifies an election protocol that dynamically assigns responsibility for a virtual router (a VPN 3000 Series Concentrator cluster) to one of the VPN Concentrators on a LAN. The VRRP VPN Concentrator that controls the IP address(es) associated with a virtual router is called the Master, and forwards packets sent to those IP addresses. When the Master becomes unavailable, a backup VPN Concentrator takes the place of the Master.

VRRP Terminology


VRRP (Virtual Router Redundancy Protocol) Points to Remember:

  1. Open Standard Protocol (1999)
  2. Hello Timer 1 sec
  3. Hold Timer 3 sec
  4. It use IP Protocol no 112
  5. It sends multicast hellos on 224.0.0.18
  6. Default Preempt enable
  7. Default Priority 100
  8. No inbuilt Track command
  9. Default decrement in priority using external track = 10
  10. VRRP Mac 000.5e00.01xx (xx is group ID)
  11. It supports two types of authentication MD-5, Plain Txt.

VRRP Roles

  • Master
  • Backup

Master– A router which gives the reply of ARP request of clients for gateway.

Master Requirement –
  • High Priority
  • Higher IP

Load balancing is Possible using multiple groups like HSRP

Group ID – 1 to 255

Restrictions for VRRP

VRRP is designed for use over multiaccess, multicast, or broadcast capable Ethernet LANs. VRRP is not intended as a replacement for existing dynamic protocols.

VRRP is supported on Ethernet, Fast Ethernet, Bridge Group Virtual Interface (BVI), and Gigabit Ethernet interfaces, and on Multiprotocol Label Switching (MPLS) Virtual Private Networks (VPNs), VRF-aware MPLS VPNs, and VLANs.

Because of the forwarding delay that is associated with the initialization of a BVI interface, you must configure the VRRP advertise timer to a value equal to or greater than the forwarding delay on the BVI interface. This setting prevents a VRRP router on a recently initialized BVI interface from unconditionally taking over the master role. Use the bridge forward-time command to set the forwarding delay on the BVI interface. Use the vrrp timers advertise command to set the VRRP advertisement timer.

Enhanced Object Tracking (EOT) is not stateful switchover (SSO)-aware and cannot be used with VRRP in SSO mode.

VRRP Operation

There are several ways a LAN client can determine which router should be the first hop to a particular remote destination. The client can use a dynamic process or static configuration. 

Examples of dynamic router discovery are as follows:
  • Proxy ARP- The client uses Address Resolution Protocol (ARP) to get the destination it wants to reach, and a router will respond to the ARP request with its own MAC address.
  • Routing Protocol- The client listens to dynamic routing protocol updates (for example, from Routing Information Protocol [RIP]) and forms its own routing table.
  • ICMP Router Discovery Protocol (IRDP) Client- The client runs an Internet Control Message Protocol (ICMP) router discovery client.

The drawback to dynamic discovery protocols is that they incur some configuration and processing overhead on the LAN client. Also, in the event of a router failure, the process of switching to another router can be slow.

An alternative to dynamic discovery protocols is to statically configure a default router on the client. This approach simplifies client configuration and processing, but creates a single point of failure. If the default gateway fails, the LAN client is limited to communicating only on the local IP network segment and is cut off from the rest of the network.

VRRP can solve the static configuration problem. VRRP enables a group of routers to form a single virtual router. The LAN clients can then be configured with the virtual router as their default gateway. The virtual router, representing a group of routers, is also known as a VRRP group.

VRRP is supported on Ethernet, Fast Ethernet, BVI, and Gigabit Ethernet interfaces, and on MPLS VPNs, VRF-aware MPLS VPNs, and VLANs.

LAN topology in which VRRP is configured. In this example, Routers A, B, and C are VRRP routers (routers running VRRP) that comprise a virtual router. The IP address of the virtual router is the same as that configured for the Ethernet interface of Router A (10.0.0.1)

Multiple Virtual Router Support

You can configure up to 255 virtual routers on a router physical interface. The actual number of virtual routers that a router interface can support depends on the following factors:
  • Router processing capability
  • Router memory capability
  • Router interface support of multiple MAC addresses

In a topology where multiple virtual routers are configured on a router interface, the interface can act as a master for one virtual router and as a backup for one or more virtual routers.

VRRP Router Priority and Preemption

An important aspect of the VRRP redundancy scheme is VRRP router priority. Priority determines the role that each VRRP router plays and what happens if the virtual router master fails.

If a VRRP router owns the IP address of the virtual router and the IP address of the physical interface, this router will function as a virtual router master.

Priority also determines if a VRRP router functions as a virtual router backup and the order of ascendancy to becoming a virtual router master if the virtual router master fails. You can configure the priority of each virtual router backup with a value of 1 through 254 using the vrrp priority command.

For example, if Router A, the virtual router master in a LAN topology, fails, an election process takes place to determine if virtual router backups B or C should take over. If Routers B and C are configured with the priorities of 101 and 100, respectively, Router B is elected to become virtual router master because it has the higher priority. If Routers B and C are both configured with the priority of 100, the virtual router backup with the higher IP address is elected to become the virtual router master.

By default, a preemptive scheme is enabled whereby a higher priority virtual router backup that becomes available takes over for the virtual router backup that was elected to become virtual router master. You can disable this preemptive scheme using the no vrrp preempt command. If preemption is disabled, the virtual router backup that is elected to become virtual router master remains the master until the original virtual router master recovers and becomes master again.

VRRP Advertisements

The virtual router master sends VRRP advertisements to other VRRP routers in the same group. The advertisements communicate the priority and state of the virtual router master. The VRRP advertisements are encapsulated in IP packets and sent to the IP Version 4 multicast address assigned to the VRRP group. The advertisements are sent every second by default; the interval is configurable.

Although the VRRP protocol as per RFC 3768 does not support millisecond timers, Cisco routers allow you to configure millisecond timers. You need to manually configure the millisecond timer values on both the primary and the backup routers. The master advertisement value displayed in the show vrrp command output on the backup routers is always 1 second because the packets on the backup routers do not accept millisecond values.

You must use millisecond timers where absolutely necessary and with careful consideration and testing. Millisecond values work only under favorable circumstances, and you must be aware that the use of the millisecond timer values restricts VRRP operation to Cisco devices only.

VRRP Object Tracking

Object tracking is an independent process that manages creating, monitoring, and removing tracked objects such as the state of the line protocol of an interface. Clients such as the Hot Standby Router Protocol (HSRP), Gateway Load Balancing Protocol (GLBP), and VRRP register their interest with specific tracked objects and act when the state of an object changes.

Each tracked object is identified by a unique number that is specified on the tracking CLI. Client processes such as VRRP use this number to track a specific object.

The tracking process periodically polls the tracked objects and notes any change of value. The changes in the tracked object are communicated to interested client processes, either immediately or after a specified delay. The object values are reported as either up or down.
VRRP object tracking gives VRRP access to all the objects available through the tracking process. The tracking process allows you to track individual objects such as a the state of an interface line protocol, state of an IP route, or the reachability of a route.

VRRP provides an interface to the tracking process. Each VRRP group can track multiple objects that may affect the priority of the VRRP device. You specify the object number to be tracked and VRRP is notified of any change to the object. VRRP increments (or decrements) the priority of the virtual device based on the state of the object being tracked.

VRRP Authentication

VRRP ignores unauthenticated VRRP protocol messages. The default authentication type is text authentication.

You can configure VRRP text authentication, authentication using a simple MD5 key string, or MD5 key chains for authentication.

MD5 authentication provides greater security than the alternative plain text authentication scheme. MD5 authentication allows each VRRP group member to use a secret key to generate a keyed MD5 hash of the packet that is part of the outgoing packet. A keyed hash of an incoming packet is generated and if the generated hash does not match the hash within the incoming packet, the packet is ignored.

The key for the MD5 hash can either be given directly in the configuration using a key string or supplied indirectly through a key chain.

A router will ignore incoming VRRP packets from routers that do not have the same authentication configuration for a VRRP group. VRRP has three authentication schemes:
  1. No authentication
  2. Plain text authentication
  3. MD5 authentication

VRRP packets will be rejected in any of the following cases:
  1. The authentication schemes differ on the router and in the incoming packet.
  2. MD5 digests differ on the router and in the incoming packet.
  3. Text authentication strings differ on the router and in the incoming packet.

Customizing VRRP

Customizing the behavior of VRRP is optional. Be aware that as soon as you enable a VRRP group, that group is operating. It is possible that if you first enable a VRRP group before customizing VRRP, the router could take over control of the group and become the virtual router master before you have finished customizing the feature. Therefore, if you plan to customize VRRP, it is a good idea to do so before enabling VRRP.

SUMMARY STEPS

  1. enable
  2. configure terminal
  3. interface type number
  4. ip address ip-address mask
  5. vrrp group description text
  6. vrrp group priority level
  7. vrrp group preempt [delay minimum seconds]
  8. vrrp group timers advertise [msec] interval
  9. vrrp group timers learn
  10. exit
  11. no vrrp sso

Enabling VRRP

SUMMARY STEPS

  1. enable
  2. configure terminal
  3. interface type number
  4. ip address ip-address mask
  5. vrrp group ip ip-address [secondary]
  6. end
  7. show vrrp [brief] | group]
  8. show vrrp interface type number [brief]

Disabling a VRRP Group on an Interface

Disabling a VRRP group on an interface allows the protocol to be disabled, but the configuration to be retained. This ability was added with the introduction of the VRRP MIB, RFC 2787, Definitions of Managed Objects for the Virtual Router Redundancy Protocol .

You can use a Simple Network Management Protocol (SNMP) management tool to enable or disable VRRP on an interface. Because of the SNMP management capability, the vrrp shutdown command was introduced to represent a method via the command line interface (CLI) for VRRP to show the state that had been configured using SNMP.

When the show running-config command is entered, you can see immediately if the VRRP group has been configured and set to enabled or disabled. This is the same functionality that is enabled within the MIB.

The no form of the command enables the same operation that is performed within the MIB. If the vrrp shutdown command is specified using the SNMP interface, then entering the no vrrp shutdown command reenables the VRRP group.

SUMMARY STEPS

  1. enable
  2. configure terminal
  3. interface type number
  4. ip address ip-address mask
  5. vrrp group shutdown

Configuring VRRP Object Tracking

(Note: If a VRRP group is the IP address owner, its priority is fixed at 255 and cannot be reduced through object tracking.)

SUMMARY STEPS

  1. enable
  2. configure terminal
  3. track object-number interface type number {line-protocol | ip routing}
  4. interface type number
  5. vrrp group ip ip-address
  6. vrrp group priority level
  7. vrrp group track object-number [decrement priority]
  8. end
  9. show track [object-number]

Configuring VRRP MD5 Authentication Using a Key String

(Note:  Interoperability with vendors that may have implemented the RFC 2338 method is not enabled.
Text authentication cannot be combined with MD5 authentication for a VRRP group at any one time. When MD5 authentication is configured, the text authentication field in VRRP hello messages is set to all zeroes on transmit and ignored on receipt, provided the receiving router also has MD5 authentication enabled.)

SUMMARY STEPS

  1. enable
  2. configure terminal
  3. interface type number
  4. ip address ip-address mask [secondary]
  5. vrrp group priority priority
  6. vrrp group authentication md5 key-string [0 | 7] key-string [timeout seconds]
  7. vrrp group ip [ip-address[secondary]]
  8. Repeat Steps 1 through 7 on each router that will communicate.
  9. end

Configuring VRRP MD5 Authentication Using a Key Chain

Perform this task to configure VRRP MD5 authentication using a key chain. Key chains allow a different key string to be used at different times according to the key chain configuration. VRRP will query the appropriate key chain to obtain the current live key and key ID for the specified key chain.

SUMMARY STEPS

  1. enable
  2. configure terminal
  3. key chain name-of-chain
  4. key key-id
  5. key-string string
  6. exit
  7. interface type number
  8. ip address ip-address mask [secondary]
  9. vrrp group priority priority
  10. vrrp group authentication md5 key-chain key-chain
  11. vrrp group ip [ip-address[secondary]]
  12. Repeat Steps 1 through 11 on each router that will communicate.
  13. end

Verifying the VRRP MD5 Authentication Configuration

SUMMARY STEPS

  1. show vrrp
  2. debug vrrp authentication

Configuring VRRP Text Authentication

Before You Begin

Interoperability with vendors that may have implemented the RFC 2338 method is not enabled.

Text authentication cannot be combined with MD5 authentication for a VRRP group at any one time. When MD5 authentication is configured, the text authentication field in VRRP hello messages is set to all zeros on transmit and ignored on receipt, provided the receiving router also has MD5 authentication enabled.

SUMMARY STEPS

  1. enable
  2. configure terminal
  3. terminal interface type number
  4. ip address ip-address mask [secondary]
  5. vrrp group authentication text text-string
  6. vrrp group ip ip-address
  7. Repeat Steps 1 through 6 on each router that will communicate.
  8. end

Enabling the Router to Send SNMP VRRP Notifications

The VRRP MIB supports SNMP Get operations, which allow network devices to get reports about VRRP groups in a network from the network management station.

Enabling VRRP MIB trap support is performed through the CLI, and the MIB is used for getting the reports. A trap notifies the network management station when a router becomes a Master or backup router. When an entry is configured from the CLI, the RowStatus for that group in the MIB immediately goes to the active state.

SUMMARY STEPS

  1. enable
  2. configure terminal
  3. snmp-server enable traps vrrp
  4. snmp-server host host community-string vrrp

VRRP Benefits

  • Redundancy

VRRP enables you to configure multiple routers as the default gateway router, which reduces the possibility of a single point of failure in a network.
  • Load Sharing

You can configure VRRP in such a way that traffic to and from LAN clients can be shared by multiple routers, thereby sharing the traffic load more equitably among available routers.
  • Multiple Virtual Routers

VRRP supports up to 255 virtual routers (VRRP groups) on a router physical interface, subject to the platform supporting multiple MAC addresses. Multiple virtual router support enables you to implement redundancy and load sharing in your LAN topology.
  • Multiple IP Addresses

The virtual router can manage multiple IP addresses, including secondary IP addresses. Therefore, if you have multiple subnets configured on an Ethernet interface, you can configure VRRP on each subnet.
  • Preemption

The redundancy scheme of VRRP enables you to preempt a virtual router backup that has taken over for a failing virtual router master with a higher priority virtual router backup that has become available.
  • Authentication

VRRP message digest 5 (MD5) algorithm authentication protects against VRRP-spoofing software and uses the industry-standard MD5 algorithm for improved reliability and security.

Advertisement Protocol

VRRP uses a dedicated Internet Assigned Numbers Authority (IANA) standard multicast address (224.0.0.18) for VRRP advertisements. This addressing scheme minimizes the number of routers that must service the multicasts and allows test equipment to accurately identify VRRP packets on a segment. The IANA assigned VRRP the IP protocol number 112.

VRRP Object Tracking

VRRP object tracking provides a way to ensure the best VRRP router is the virtual router master for the group by altering VRRP priorities to the status of tracked objects such as the interface or IP route states.

Example for VRRP

VRRP Topology

R1 (config) #int fa0/0
R1 (config-if) #ip add 192.168.101.2 255.255.255.0
R1 (config-if) #no shut
R1 (config-if) #int s0/0
R1 (config-if) #ip add 192.168.1.1 255.255.255.0
R1 (config-if) #no shut
R1 (config) #router ei 100
R1 (config-router) #no auto
R1 (config-router) #network 0.0.0.0

Ho (config) #int fa0/0
Ho (config-if) #ip add 192.168.102.1 255.255.255.0
Ho (config-if) #no shut
Ho (config-if) #int s0/0
Ho (config-if) #ip add 192.168.1.2 255.255.255.0
Ho (config-if) #no shut
Ho (config-if) #int s0/1
Ho (config-if) #ip add 192.168.2.1 255.255.255.0
Ho (config-if) #no shut
Ho (config-if) #router ei 100
Ho (config-router) #no auto
Ho (config-router) #network 0.0.0.0

R2 (config) #int fa0/0
R2 (config-if) #ip add 192.168.101.3 255.255.255.0
R2 (config-if) #no shut
R2 (config-if) #int s0/0
R2 (config-if) #ip add 192.168.2.2 255.255.255.0
R2 (config-if) #no shut
R2 (config-if) #router ei 100
R2 (config-router) #no auto
R2 (config-router) #network 0.0.0.0

Ho #sh ip route

R1#sh ip int br

R2#sh ip int br

Now we will provide the IP add to the PC, which is 192.168.101.10. And computer Gateway would 192.168.101.1.

R1 (config) #int fa0/0
R1 (config-if) #vrrp 1 ip 192.168.101.1

R2 (config) #int fa0/0
R2 (config-if) #vrrp 1 ip 192.168.101.1

Now we can see the R2 will become Master and R1 will go into Backup, because R2s IP address is higher and by default preemption is enabled in VRRP.

Comp# tracert –d 192.168.102.1

Here we can see all the data is going via R2. Because R2 is Master

R2 (config) #int fa0/0
R2 (config-if) #shut

Now R1 will become Master

Comp# tracert –d 192.168.102.1

All the traffic going via R1

R2 (config) #int fa0/0
R2 (config-if) #no shut

Once R2s Fa0/0 comes up, it will become once again Master

R1#sh vrrp

Default Hello timer 1 sec

Hold – 3 sec

Preempt – enabled by default

Default Priority 100
Virtual Mac 0000.5e00.0101

Now if the WAN link goes down

R2 (config) #int s0/0
R2 (config-if) #shut

Comp# tracert –d 192.168.102.1

First data will reach R2 and then R1

R1 will not become master here in case of serial link failure. For that we need to enable Track command.

R2 (config) #int s0/0
R2 (config-if) #no shut
R2 (config-if) #int fa0/0
R2 (config-if) #vrrp 1 track?
R2 (config-if) #exit
R2 (config) #track ?
1 to 500
R2 (config) #track 1 ?
R2 (config) #track 1 int s0/0 ?
R2 (config) #track 1 int s0/0 line protocol
R2 (config) #int fa0/0
R2 (config-if) #vrrp 1 track 1
R2#sh vrrp

Track obj 1 state up decrement 10

Comp# tracert –d 192.168.102.1

Data is going via R2

R2 (config) #int s0/0
R2 (config-if) #shut
R2#sh vrrp

Priority 90
All data will go via R1

Load Balancing

For load balancing we will create one more group

Till now for Group 1, Master is R2
R1 (config) #int fa0/0
R1 (config-if) #vrrp 2 ip 192.168.101.4
R1 (config-if) #vrrp 2 priority 101
R1 (config) # track 1 int s0/0 line protocol
R1 (config) #int fa0/0
R1 (config-if) #vrrp 2 track 1

R2 (config) #int fa0/0
R2 (config-if) #vrrp 2 ip 192.168.101.4
R2#sh vrrp

Group 1 Master, Group 2 Backup

R1#sh vrrp

Group 1 Backup, Group 2 Master

R1 (config) #int s0/0
R1 (config-if) #shut
R2 #sh vrrp
R1 (config) #int s0/0
R1 (config-if) #no shut
R1#sh vrrp


For load balancing if we provide clients default gateway is 192.168.101.1 then the data will go via R2, if we provide clients gateway 192.168.101.4 then data will go via R1.

----
@NetwaxLab
Read more
at
Labels:

1 comment:

Subscribe to: Post Comments (Atom)