Tuesday, July 1, 2008

Virtually Multiplicity Redux

Virtual Router Redundancy Protocol, or VRRP, is an open standard created to eliminate the single point of failure found in many networks that rely on a static default route. (In Cisco, the equivalent protocol is Hot Standby Router Protocol or HSRP.) In a fault-tolerant network, it is ideal for failover to secondary devices to be transparent to the user; in other words, the user perceives no loss of connectivity.

In VRRP, a logical group of multiple physical routers is created that masquerades as a single device by means of a "virtual IP" address. This virtual address acts as the gateway for end hosts, so if a device fails, the hosts do not see it. Routers belonging to the same VRRP group share a "virtual Media Access Control" (MAC) address as well as the virtual IP address. An election process determines which router owns the virtual interfaces:

  1. One router in the VRRP group acts as the master router and has ownership of the virtual MAC and IP address until there is a failure. All routers in the same VRRP group share a group value ranging from 1-255.

  2. A failure causes another router to claim ownership through a combination of a VRRP message and a gratuitous Address Resolution Protocol (ARP) request.

  3. Once a router takes ownership and becomes the new master router, it periodically sends out VRRP messages to indicate reachability.

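The VRRP messages mentioned in steps 2 and 3 are VRRPv2 advertisements (RFC 3768), carried directly in IP protocol 112 to the multicast address 224.0.0.18. The following is an added example, not code from the original post, that builds one constructed advertisement and decodes it the way a defender inspecting a capture from the LAN segment would: it checks version and type, the address count against the packet length, and the RFC 3768 one's-complement checksum, so a truncated or corrupted packet is rejected rather than trusted. The group number, priority and virtual address used in the sample are assumptions for illustration.

```python
import struct
from ipaddress import IPv4Address

VRRP_VERSION = 2               # RFC 3768 defines VRRP version 2
VRRP_TYPE_ADVERTISEMENT = 1    # the only message type defined in RFC 3768
AUTH_DATA_LEN = 8              # legacy authentication field, sent as zeros and ignored on receipt


def ones_complement_checksum(data: bytes) -> int:
    """16-bit one's complement of the one's complement sum of the message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_advertisement(vrid: int, priority: int, addresses, adver_int: int = 1) -> bytes:
    """Encode a VRRPv2 advertisement; used here only to construct a sample packet."""
    addrs = [IPv4Address(a) for a in addresses]
    header = struct.pack("!BBBBBBH",
                         (VRRP_VERSION << 4) | VRRP_TYPE_ADVERTISEMENT,
                         vrid, priority, len(addrs),
                         0,            # auth type 0: no authentication
                         adver_int,    # advertisement interval in seconds
                         0)            # checksum placeholder, filled in below
    body = b"".join(a.packed for a in addrs) + bytes(AUTH_DATA_LEN)
    csum = ones_complement_checksum(header + body)
    return header[:6] + struct.pack("!H", csum) + body


def parse_advertisement(pkt: bytes) -> dict:
    """Decode and validate a VRRPv2 advertisement; raises ValueError on malformed input."""
    if len(pkt) < 8 + AUTH_DATA_LEN:
        raise ValueError("truncated VRRP header")
    vt, vrid, priority, count, auth_type, adver_int, csum = struct.unpack("!BBBBBBH", pkt[:8])
    version, msg_type = vt >> 4, vt & 0x0F
    if version != VRRP_VERSION or msg_type != VRRP_TYPE_ADVERTISEMENT:
        raise ValueError("unexpected version/type %d/%d" % (version, msg_type))
    length = 8 + 4 * count + AUTH_DATA_LEN
    if len(pkt) < length:
        raise ValueError("count of IP addresses exceeds packet length")
    # A valid packet checksums to zero when the checksum field itself is included.
    if ones_complement_checksum(pkt[:length]) != 0:
        raise ValueError("bad checksum")
    addresses = [str(IPv4Address(pkt[8 + 4 * i:12 + 4 * i])) for i in range(count)]
    return {"vrid": vrid, "priority": priority, "adver_int": adver_int,
            "auth_type": auth_type, "addresses": addresses}


def is_valid_advertisement(pkt: bytes) -> bool:
    """Convenience wrapper: True if the packet decodes and checksums cleanly."""
    try:
        parse_advertisement(pkt)
        return True
    except ValueError:
        return False


# Constructed sample (not a captured packet): group 1, master priority 100, VIP 192.168.1.254
SAMPLE = build_advertisement(vrid=1, priority=100, addresses=["192.168.1.254"])

if __name__ == "__main__":
    print(parse_advertisement(SAMPLE))
    # A single changed byte is caught by the checksum and the packet is rejected.
    corrupted = bytearray(SAMPLE)
    corrupted[2] = 101
    print("corrupted packet accepted?", is_valid_advertisement(bytes(corrupted)))
```

Comparing the decoded priority and virtual address against what is configured on the routers is a quick way to confirm that the advertisements seen on a segment really come from the intended master.
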
Let's talk a bit more about some of the other properties of our VRRP router...


Configuration for VRRP is done as a logical property of an interface address in configuration mode ([edit]). First, a group value is assigned to all routers participating in the VRRP group. Then, a virtual IP address is assigned that end hosts will see as their default gateway. The VIP can be an address already belonging to a router in the group, or an unused address from the LAN segment. Finally, a priority value (100 by default) can be set to control master router elections.

Note: The router with the highest priority value becomes master for the group. If the priority values are equal, the router with the highest local LAN IP address wins. Also, while priority values range from 0-255, both 0 and 255 are reserved. Priority 0 means "immediate release of the mastership role" and 255 is used if the virtual IP is a physical interface address owned by that router.

You can also track an interface so that, if it fails, the router's priority is lowered to preserve reachability to upstream devices. This is accomplished by subtracting a configured cost from the advertised priority value.

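The three configuration steps above, plus interface tracking, put together on one router as an added example (this is not configuration from the original post; the interface names ge-0/0/0 and ge-0/0/1, the addresses 192.168.1.2/24 and 192.168.1.254, the group number 1, the priority 110 and the cost 20 are all assumptions):

```junos
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 192.168.1.2/24 {
                    /* group value shared by every router in this VRRP group */
                    vrrp-group 1 {
                        /* the address end hosts use as their default gateway */
                        virtual-address 192.168.1.254;
                        /* above the default of 100, so this router wins the election */
                        priority 110;
                        /* let the master answer traffic (such as ping) sent to the VIP itself */
                        accept-data;
                        /* if the upstream link fails, advertise 110 - 20 = 90 so a peer takes over */
                        track {
                            interface ge-0/0/1 {
                                priority-cost 20;
                            }
                        }
                    }
                }
            }
        }
    }
}
```

The peer router gets the same vrrp-group 1 and virtual-address under its own LAN address (say 192.168.1.3/24) but leaves priority at the default of 100; the no-preempt knob discussed below also lives under vrrp-group. After committing, show vrrp summary on each router should report exactly one master for the group.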
"Whose fault is it? Default!"

VRRP has "preemption" enabled by default. What this means: any time a router has a higher priority value, it becomes the master router. This can cause a temporary disruption of the network during the election process. You can use the no-preempt command to control that behavior.

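The election rules spread over the last few paragraphs (highest priority wins, ties go to the highest local IP, 0 releases the role, 255 marks the VIP owner, tracking subtracts a cost, and preemption decides whether a returning higher-priority router displaces the current master) can be checked against a small model. The following is an added example, not code from the original post. It assumes a tracking cost can never push the advertised priority below 1, and it follows RFC 3768 in letting the VIP owner preempt even when preemption is disabled; router names, addresses and costs are constructed.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address


@dataclass
class VrrpRouter:
    name: str
    local_ip: str                  # real address on the shared LAN segment
    priority: int = 100            # configured priority; 100 is the default
    owns_vip: bool = False         # VIP is a real interface address here -> priority 255
    up: bool = True                # False models a failed router (it advertises priority 0)
    # tracked interface -> priority-cost, listing only interfaces that are currently down
    failed_tracked: dict = field(default_factory=dict)

    def effective_priority(self) -> int:
        """Priority actually advertised, after the ownership and tracking rules."""
        if not self.up:
            return 0               # priority 0: immediate release of the mastership role
        if self.owns_vip:
            return 255             # the VIP owner always advertises 255
        cost = sum(self.failed_tracked.values())
        # assumption: clamp at 1 so a tracking cost never produces the reserved value 0
        return max(1, self.priority - cost)


def elect(routers, current_master=None, preempt=True):
    """Return the name of the router that should be master, or None if none is live.

    Highest effective priority wins; ties go to the highest local IP.  With
    preemption disabled, a live current master keeps the role even when a
    higher-priority router appears, unless that router owns the VIP.
    """
    live = [r for r in routers if r.effective_priority() > 0]
    if not live:
        return None
    best = max(live, key=lambda r: (r.effective_priority(), int(IPv4Address(r.local_ip))))
    if not preempt and current_master is not None and not best.owns_vip:
        current = next((r for r in live if r.name == current_master), None)
        if current is not None:
            return current.name    # no-preempt: the sitting master stays
    return best.name


if __name__ == "__main__":
    a = VrrpRouter("A", "192.168.1.2", priority=110)
    b = VrrpRouter("B", "192.168.1.3", priority=100)
    print("normal:", elect([a, b]))
    a.failed_tracked["ge-0/0/1"] = 20          # A's uplink fails: 110 - 20 = 90 < 100
    print("A uplink down:", elect([a, b]))
    a.failed_tracked.clear()                   # uplink returns
    print("no-preempt, B is master:", elect([a, b], current_master="B", preempt=False))
    print("preempt, B is master:", elect([a, b], current_master="B", preempt=True))
```

Running it shows the disruption the paragraph above warns about: with preemption on, A takes the group back as soon as its uplink recovers, which means another election and another gratuitous ARP on the segment; with no-preempt, B simply keeps the role.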

You can show which router is the master, along with other operational statistics, with the show vrrp summary command.

VRRP issues:

According to RFC 3768, a router participating in VRRP should NEVER forward packets addressed to the virtual IP address (or addresses) it becomes master for if it is not the owner of that address. RFC is short for "Request for Comments." What this means to us is that a VIP which does not exist as an interface address on any router in the VRRP group (that is, an otherwise free address on our LAN segment) can cause issues. One of those issues is being unable to ping the virtual IP address. On a Juniper router, you can use the accept-data command to allow a master router to respond to the VIP address. However, a word of caution: accept-data can cause unnecessary traffic on the affected LAN segments.

In the next section, we will get our "feet wet" in interface troubleshooting.
