VRRP – start building a redundant network

Redundancy in the network is critical for service availability. Everyone wants the five "9"s, 99.999% service availability. To get there we buy expensive equipment and learn how STP, RSTP, MSTP and the other redundancy protocols work. Often we forget to make the obvious things redundant. How many default gateways can you configure on a PC? Always one. The gateway is our exit point from the local network into the big Internet, so if this single point fails we lose our way out.

VRRP is defined in RFC 3768 and RFC 5798. RFC 3768 is already version 2 of VRRP and covers only IPv4; RFC 5798 (version 3) adds IPv6 support. You can see that they are pretty new (2004 and 2010). To understand VRRP really well you could read the RFCs, but I don't know many people who like text without images :). This is why I decided to create some images and a sample that should help you understand how RFC 3768 recommends implementing this standard.

The goal of VRRP is to provide redundancy for the gateway IP address without changing the way we configure the default gateway on the PC, so everything has to happen on the gateways. VRRP makes the routers talk to each other to decide who owns the Virtual IP address, and that Virtual IP address is what we assign as the default gateway on the PCs in our network. The routers talk via the multicast IP address 224.0.0.18.

VRRP has 3 states: Init, Slave (the RFC calls it Backup) and Master. Init means that VRRP is enabled on the router but for some reason it cannot start communicating, for example because VRRP packets have to be sent via interface Fa0/0 and that interface is down. Slave means the router is currently the backup. Master means the router currently owns the Virtual IP. The routers have to elect a VRRP master, and they do it based on the VRRP priority: a higher priority is better. We can configure a VRRP priority from 1 to 254.

Remember that in Ethernet LANs we encapsulate packets and add a source IP, destination IP, source MAC and destination MAC? Here VRRP has another interesting detail: it introduces not only a Virtual IP but also a Virtual MAC, with the format 00-00-5E-00-01-<GROUP_ID>. The group ID is limited to the range 1 to 255 (01 to FF in hex). The Virtual IP and Virtual MAC are used only for traffic going through the routers; all other traffic uses the physical MAC and physical IP. Let's see an example of how ARP works together with VRRP:

Three parameters must have the same values on both routers:

  • Group ID
  • Group IP address
  • Advertisement interval
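As an added example (not code from the original post), here is a small Python encoder and decoder for the RFC 3768 advertisement, the packet that carries the group ID, priority and advertisement interval to 224.0.0.18, together with the Virtual MAC derivation and the check that a received advertisement belongs to the same group. Field order follows the packet layout in RFC 3768 and the checksum is the standard Internet checksum (RFC 1071); the sample values are constructed.

```python
import ipaddress
import struct

VRRP_MCAST = "224.0.0.18"   # every advertisement is sent to this group address
VRRP_VERSION = 2            # RFC 3768 is VRRPv2
TYPE_ADVERTISEMENT = 1      # the only message type in VRRPv2


def virtual_mac(vrid):
    """Virtual MAC of the group: IANA OUI 00-00-5E, then 00-01, then the VRID."""
    if not 1 <= vrid <= 255:
        raise ValueError("VRID must be 1..255")
    return "00:00:5e:00:01:%02x" % vrid


def internet_checksum(data):
    """RFC 1071 one's-complement sum; returns 0 for a packet that already carries its checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_advert(vrid, priority, adv_interval, vips):
    """VRRPv2 advertisement: 8-byte header, N virtual IPv4 addresses, 8 bytes of unused auth data."""
    header = struct.pack("!BBBBBBH", (VRRP_VERSION << 4) | TYPE_ADVERTISEMENT,
                         vrid, priority, len(vips), 0, adv_interval, 0)
    body = b"".join(ipaddress.IPv4Address(v).packed for v in vips) + bytes(8)
    csum = internet_checksum(header + body)
    return header[:6] + struct.pack("!H", csum) + body


def parse_advert(pkt):
    """Decode an advertisement; raise ValueError for anything a router should discard."""
    if len(pkt) < 16 or internet_checksum(pkt) != 0:
        raise ValueError("truncated packet or bad checksum")
    vt, vrid, prio, count, _auth, adv, _ = struct.unpack("!BBBBBBH", pkt[:8])
    if vt != (VRRP_VERSION << 4) | TYPE_ADVERTISEMENT:
        raise ValueError("not a VRRPv2 advertisement")
    if len(pkt) != 8 + 4 * count + 8:
        raise ValueError("length does not match Count IP Addrs")
    vips = [str(ipaddress.IPv4Address(pkt[8 + 4 * i:12 + 4 * i])) for i in range(count)]
    return {"vrid": vrid, "priority": prio, "adv_interval": adv, "vips": vips}


def same_group(advert, vrid, adv_interval, vips):
    """The three parameters that must agree on both routers, checked on a received advertisement."""
    return (advert["vrid"] == vrid and advert["adv_interval"] == adv_interval
            and advert["vips"] == list(vips))
```

A mismatch in any of the three values means the two routers are not in the same group and will not back each other up.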

Why do we need the advertisement interval, and how fast does the backup router become VRRP master after a failure? Here is the formula: 3 * Adv. timer + skew time, where skew time = (256 - Priority) / 256. The skew time is there to add the time the message needs to propagate in the LAN. So with an advertisement timer of 1 s and priority 100, the switchover takes at most 3*1 + (256-100)/256 = 3.6 s. A pretty good result. We could decrease this value below 1 s, but I do not recommend it for beginners: VRRP works together with other protocols in the network and tuning in this area could create new issues for them.

Who is the VRRP Master?

The VRRP master is the router with the highest priority, as long as VRRP preemption is enabled on all routers. Let's see one example:

While both routers are up, the VRRP master is always R2. When R2 is down, or the link between R2 and the switch is down, R1 becomes the VRRP master. Simple so far.

Now suppose we have a network with big fluctuations: routers go down often, so VRRP switchovers happen too often and sometimes for no good reason. Suppose R2 has preemption on and reboots every 5 minutes. Our default gateway will then go up and down every 5 minutes, while R1 is stable and fine. For this case we can configure preemption off on R2. When R2 comes back up after the reboot it will stay in the VRRP Slave state: it has lost the Master role, and the only way to get it back is to shut down R1.

VRRP Priority 0 and 255

RFC 3768 reserves VRRP priorities 0 and 255 for two special cases. Say R2 is the VRRP master for the network and, based on some event, decides to give up the Master role. It then sends an advertisement with priority 0, which tells the backup router to become VRRP Master immediately.

VRRP also allows the Virtual IP to be the same as the physical IP address, but on only one router in the network. In this case the router whose physical address is the VIP sends VRRP packets with priority 255.
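The election rules above (priority, preemption, the reserved priorities 0 and 255) and the Master_Down_Interval formula from the timer section can be put together in a small simulator. This is an added example, not code from the post: each router is one object, the RFC's tie-break on IP address for equal priorities is left out, and the R1/R2 reboot scenario is replayed with preemption on and off (R1 priority 100, R2 priority 200 are constructed values).

```python
from dataclasses import dataclass


def skew_time(priority):            # Skew_Time = (256 - Priority) / 256, in seconds
    return (256 - priority) / 256


def master_down_interval(adv_interval, priority):   # 3 * Adv_Interval + Skew_Time
    return 3 * adv_interval + skew_time(priority)


@dataclass
class VrrpRouter:
    priority: int               # 1..254 configurable; 255 is reserved for the VIP owner
    adv_interval: float = 1.0   # seconds
    preempt: bool = True
    state: str = "Init"
    timer: float = 0.0          # Master_Down_Timer, only meaningful in Backup

    def start(self):            # Init -> Master for the address owner, else Init -> Backup
        if self.priority == 255:
            self.state = "Master"
        else:
            self.state, self.timer = "Backup", master_down_interval(self.adv_interval, self.priority)

    def on_advert(self, adv_priority):   # advertisement from another router of the group
        if self.state == "Backup":
            if adv_priority == 0:                      # master is resigning
                self.timer = skew_time(self.priority)  # take over after Skew_Time only
            elif not self.preempt or adv_priority >= self.priority:
                self.timer = master_down_interval(self.adv_interval, self.priority)
            # a higher-priority backup with preempt on lets the timer run out instead
        elif self.state == "Master" and adv_priority > self.priority:
            self.state, self.timer = "Backup", master_down_interval(self.adv_interval, self.priority)

    def tick(self, seconds):    # advance the clock; Master_Down_Timer expiry promotes a Backup
        if self.state == "Backup":
            self.timer -= seconds
            if self.timer <= 0:
                self.state = "Master"
        return self.state


def reboot_scenario(r2_preempt):
    """R1 (100) took over after R2 (200) died; R2 reboots with preemption on or off."""
    r1, r2 = VrrpRouter(100), VrrpRouter(200, preempt=r2_preempt)
    r1.start()
    r1.tick(master_down_interval(1.0, 100))   # no adverts from R2: R1 becomes Master
    r2.start()
    for _ in range(5):                         # R1 advertises once per second
        r2.on_advert(r1.priority)
        r2.tick(1.0)
        if r2.state == "Master": r1.on_advert(r2.priority)
    return r1.state, r2.state
```

With preemption on, R2 takes the Master role back about 3.2 s after it is up; with preemption off it stays Backup until R1 stops advertising.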

Decreasing the VRRP priority under some conditions

The last thing I want to say about VRRP is dynamic priority. Equipment vendors added the ability to adjust the VRRP priority based on some important metrics. For example, R2 will monitor its link to the ISP and decrease its VRRP priority when that link is down. More than that, you could use Cisco IP SLA (when you have Cisco equipment) to monitor the quality of the link (delay, drops…) and use that quality as the trigger for the VRRP priority value.

In a network with a big number of VLANs it is recommended to balance the VRRP master roles between R1 and R2. For example, R1 is VRRP master for VLANs 10, 20 and 30, while R2 is VRRP master for VLANs 15 and 25. This way you use all the links in your network. VRRP has to work very closely with protocols like ARP, Proxy ARP and STP. When you run VRRP on L3 switches with redundant links you have to think about how traffic will flow through the network at L2 and at L3; otherwise suboptimal routing will negate all the benefits of these protocols. STP and VRRP timers also have to be in sync, which is why I recommended not changing the default timers.

During a switchover from one VRRP router to another, the new master sends a gratuitous ARP announcing itself as the new owner of the IP, so the switches learn the Virtual MAC on the new port. This makes the network converge faster.

Links:

  1. https://www.ietf.org/rfc/rfc3768.txt
  2. https://tools.ietf.org/html/rfc5798