In the 3500yl, 3800, 5400zl, 6600, and 8200zl switches, VRRP is included with the Premium License. In the 6200yl switches, this feature is included with the base feature set.

VRRP supports router redundancy through a prioritized election process among routers configured as members of the same virtual router (VR).
On a given VLAN, a VR includes two or more member routers configured with a virtual IP address (VIP) that is also configured as a real IP address on one of the routers, plus a virtual router MAC address. The router that owns the IP address is configured to operate as the owner of the VR for traffic-forwarding purposes and by default has the highest VRRP priority in the VR. The other routers in the VR have a lower priority and are configured to operate as backups in case the owner router becomes unavailable.
The owner normally operates as the master for a VR. If it becomes unavailable, a failover to a backup router belonging to the same VR occurs, and this backup becomes the current master. If the owner recovers, a failback occurs and "master" status reverts to the owner. (Using more than one backup provides additional redundancy: if both the owner and the highest-priority backup fail, another, lower-priority backup can take over as master.)
Example of using VRRP to provide redundant network access shows a VR on VLAN 100 supported by Router 1 (R1) and Router 2 (R2).

VR parameter | Router 1 VR configuration | Router 2 VR configuration | Operation |
---|---|---|---|
VRID (Virtual Router ID) | 1 | 1 | All routers in the same VR have the same VRID. |
Status | owner | backup | One owner and one or more backups are allowed in a given VR. |
Virtual IP Address | 10.10.100.1 | 10.10.100.1 | The IP address configured for VLAN 100 in R1 (the owner) is also configured as the VIP for VRRP in both R1 and R2. |
VR Source MAC Address | 00-00-5E-00-01-01 | 00-00-5E-00-01-01 | For any VR in any VLAN, this is always defined as 00-00-5E-00-01-VRID and is not configurable. |
Priority | 255 (Default) | 100 (Default) | The router configured as owner in any VR is automatically assigned the highest priority (255). Backup routers are assigned a default priority of 100, which can be reconfigured. |
In Example of using VRRP to provide redundant network access:

- Host "A" uses 10.10.100.1 as its next-hop gateway out of the subnet, as represented by the VR (VR 1).
- Router 1 (the configured owner) advertises itself as the master in the VR supporting the gateway and:
  - "Owns" the VR's (virtual) IP address.
  - Transmits ARP responses that associate the VR's VIP with the (shared) source MAC address for VR 1.
- During normal operation, Router 1 forwards the routed traffic for host "A".
- If Router 1 fails or otherwise becomes unavailable:
  - Router 1 advertisements of its master status for VR 1 fail to reach Router 2 (which is the only configured backup).
  - After the time-out period for receiving master advertisements expires on Router 2, the VR initiates a failover to Router 2 and it becomes the new master of the VR.
  - Router 2 advertises itself as the master of the VR supporting the gateway and:
    - Takes control of the VR's (virtual) IP address.
    - Begins transmitting ARP responses that associate the VR's VIP with the (shared) source MAC address for VR 1.
  - Host "A" routed traffic then moves through Router 2.
- If Router 1 again becomes available:
  - Router 1 resumes advertising itself as the master for the VR and sends ARP responses that associate the VR's VIP with the (shared) source MAC address for VR 1.
  - Router 2 receives the advertisement from Router 1, ceases to operate as the VR's master, and halts further transmission of its own VRRP advertisements and ARP responses related to VR 1.
  - The VR executes a failback to Router 1 as master, and Host "A" traffic again moves through Router 1.
A VR instance consists of one owner router and one or more backup routers belonging to the same network. Any VR instance exists within a specific VLAN, and all members of a given VR must belong to the same subnet. In a multinetted VLAN, multiple VRs can be configured. The owner operates as the VR's master unless it becomes unavailable, in which case the highest-priority backup becomes the VR's master. Each VR instance is defined by the following:

- VR identification (VRID) configured on all VRRP routers in the same network or, in the case of a multinetted VLAN, on all routers in the same subnet.
- Same VIP configured on each instance of the same VR.
- Status of either owner or backup configured on each instance of the same VR (on a given VR, there can be one owner and one or more backups).
- Priority level configured on each instance of the VR (on the owner router the highest priority setting, 255, is automatically fixed; on backups, the default priority setting is 100 and is configurable).
- VR MAC address (not configurable).

Where a VLAN is configured with only one network (IP address), one VR is allowed in that VLAN. In a multinetted VLAN, there can be one VR per subnet, with a maximum of 32 VRs in any combination of masters and backups.
NOTE: All routers in a given VR must belong to the same network (or subnet, in the case of a multinetted VLAN).
The VIP associated with a VR must be a real IP address already configured on the associated VLAN interface of the owner router in the VR. If the VIP is an IPv6 address, a link-local address must be configured before adding a global IPv6 address. The owner and all other (backup) routers belonging to the VR have this IP address configured in their VRID contexts as the VIP. In Example of using VRRP to provide redundant network access, 10.10.100.1 is a real IP address configured on VLAN 100 in Router 1 and is the VIP associated with VR 1.
If the configured owner in a VR becomes unavailable, it is no longer the master for the VR, and a backup router in the VR is elected to assume the role of master, as described under Backup router.
A subnetted VLAN allows multiple VIPs. However, if there are 32 or fewer IP addresses in a VLAN interface, and you want VRRP support on multiple subnets, the recommended approach is to configure a separate VR instance for each IP address in the VLAN. In cases where VRRP support is needed for more than 32 IP addresses in the same VLAN.
The current master router in a VR operates as the "real" or physical gateway router for the network or subnet for which a VIP is configured.
Selection of the master is controlled by the VRRP priority value configured in the VRID context of each router in the VR. The router configured as the owner in the VR is automatically assigned the highest VRRP priority (255) and, as long as it remains available, operates as the master router for the VR. The other routers belonging to the VR as backups are assigned the default priority value (100) and can be reconfigured to any priority value between 1 and 254, inclusive. If the current master becomes unavailable, the protocol uses the priority values configured on the other, available routers in the VR to select another router in the VR to take over the master function.
The current master router sends periodic advertisements to inform the other routers in the VR of its operational status. If the backup routers fail to receive a master advertisement within the timeout interval, the current master is assumed to be unavailable and a new master is elected from the existing backups. The timeout interval for a VR is three times the advertisement interval configured on the routers of the VR in the network or subnet. In the default VRRP configuration, the advertisement interval is one second and the resulting timeout interval is three seconds.
NOTE: All VRRP routers belonging to the same VR must be configured with the same advertisement interval. As required in RFC 3768, if a locally configured advertisement interval does not match the interval received in an inbound VRRP packet, the VR drops that packet.
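The election, failover and failback sequence walked through for Router 1 and Router 2 above, together with the three-times-the-interval timeout and the interval-mismatch rule just stated, as an added Python model (example code, not the switch implementation and not from the HPE manual; the router names, timestamps and the `preempt` flag are assumptions):

```python
# Added example, not from the HPE manual: a small model of the VRRP master
# election, failover and failback described on this page. Assumptions: one VR,
# times in seconds, a router is "available" while peers heard it within the timeout.
from dataclasses import dataclass

OWNER_PRIORITY = 255           # fixed on the owner, not configurable
DEFAULT_BACKUP_PRIORITY = 100  # default on backups, configurable 1..254

@dataclass
class VrrpRouter:
    name: str
    role: str                      # "owner" or "backup"
    priority: int = DEFAULT_BACKUP_PRIORITY
    adv_interval: float = 1.0      # default advertisement interval (seconds)
    preempt: bool = True           # "no preempt-mode" clears this on a backup
    last_advert_seen: float = 0.0  # when the peers last heard this router

    def __post_init__(self):
        if self.role == "owner":
            self.priority = OWNER_PRIORITY
        elif not 1 <= self.priority <= 254:
            raise ValueError("backup priority must be between 1 and 254")

def master_timeout(adv_interval):
    return 3 * adv_interval  # master-down timeout: three advertisement intervals

def accept_advert(local_interval, advert_interval):
    return local_interval == advert_interval  # RFC 3768: mismatched interval -> drop

def elect_master(routers, now, current=None):
    alive = [r for r in routers
             if now - r.last_advert_seen <= master_timeout(r.adv_interval)]
    if not alive:
        return None
    best = max(alive, key=lambda r: r.priority)
    # A backup with preempt disabled leaves an available master alone; the owner always reclaims.
    if current in alive and best is not current and best.role == "backup" and not best.preempt:
        return current
    return best

def walkthrough():
    """Replay the page's scenario: R1 (owner) fails, R2 takes over, then R1 returns."""
    r1, r2 = VrrpRouter("R1", "owner"), VrrpRouter("R2", "backup")
    steps = [elect_master([r1, r2], now=1.0).name]       # normal operation
    r2.last_advert_seen = 4.0                             # R1 silent since t=0, beyond the 3 s timeout
    steps.append(elect_master([r1, r2], now=4.0, current=r1).name)
    r1.last_advert_seen = r2.last_advert_seen = 8.0       # R1 advertises again
    steps.append(elect_master([r1, r2], now=8.0, current=r2).name)
    return steps                                          # ['R1', 'R2', 'R1']
```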
Most IPv6 host configurations learn the default gateway IPv6 address using router advertisements. The VR that becomes the master sends router advertisements for its virtual IP address.
An owner router for a VR is the default master router for the VR and operates as the owner for all subnets included in the VR. The VRRP priority on an owner router is always 255 (the highest).
NOTE: On a multinetted VLAN where multiple subnets are configured in the same VR, the router must be either the owner for all subnets in the VR or a backup for all subnets in the VR.
There must be at least one backup router. A given VR instance on a backup router must be configured with the same VIP as the owner for that VR (and both routers must belong to the same network or subnet). Router 2 in Example of using VRRP to provide redundant network access illustrates this point.
In a backup router's VR configuration, the virtual router priority defaults to 100. (The priority for the configured owner is automatically set to the highest value: 255.) In a VR where there are two or more backup routers, the priority settings can be reconfigured to define the order in which backups are reassigned as master in the event of a failover from the owner.
Where multiple backup routers exist in a VR, if the current master fails and the highest-priority backup is not available, VRRP selects the next-highest priority backup to operate as master. If the highest-priority backup later becomes available, it preempts the lower-priority backup and takes over the master function. If you do not want a backup router to have this preemptive ability on a particular VR, you can disable this operation with the no preempt-mode command. (Preempt mode applies only to VRRP routers configured as backups.)
When a VR instance is configured, the protocol automatically assigns a MAC address based on the standard MAC prefix for VRRP packets plus the VRID number (as described in RFC 3768). The first five octets form the standard MAC prefix for VRRP, and the last octet is the configured VRID; that is, 00-00-5E-00-01-VRID.
For example, the virtual router MAC address for the VR in Example of using VRRP to provide redundant network access is 00-00-5E-00-01-01.
The master for a given VR responds to ARP requests for the VIPs with the VR's assigned MAC address. The virtual MAC address is also used as the source MAC address for the periodic advertisements sent by the current master.
The VRRP router responds to ARP requests for non-VIPs (IP addresses on a VLAN interface that are not configured as VIPs for any VR on that VLAN) with the system MAC address.
Neighbor Discovery (ND) is the IPv6 equivalent of the IPv4 ARP for layer 2 address resolution, and uses IPv6 ICMP messages to do the following:
Neighbor Discovery enables functions such as the following:
An instance of Neighbor Discovery is triggered on a device when a new or changed IPv6 address is detected. VRRPv3 provides a faster failover to a backup router by not using standard ND procedures. A failover to a backup router can occur in approximately three seconds without any interaction with hosts and with a minimum of VRRPv3 traffic.
Duplicate Address Detection verifies that a configured unicast IPv6 address is unique before it is assigned to a VLAN interface. When the owner router fails, the backup VRRP router assumes the master role. When the owner router becomes operational, DAD will fail as there is a backup VRRP router in the master role that responds to the DAD request. To avoid this, virtual routers that are in owner mode (priority = 255) will not send DAD requests for the VLAN interface on which the owner VR is configured.
NOTE: The VIP configured for one VR cannot be configured on another VR.
- Before changing a router from owner to backup, or the reverse, the VIP must be removed from the configuration.
- The priority configuration on an owner can be only 255. The priority configuration on a backup must be 254 or lower, the default being 100.
- A VR exists within a single VLAN interface. If the VLAN is multinetted, a separate VR can be configured within the VLAN for each subnet. A VLAN allows up to 32 VRs, and the switch allows up to 2048 VRs.
- All routers in the same VR must belong to the same network or subnet.
- Each VR uses one MAC address as described under Virtual router MAC address.
- If an IP address is deleted on a VLAN interface, one of the following occurs:
  - If the deleted VIP was the last VIP of an active VR, the VR will be deactivated. (For more on multiple VIPs on a VR, see Associating more than one VIP with a VR.)
- The VRRP backup router can respond to ping requests when the virtual-ip-ping feature is enabled. For more information, see Pinging the virtual IP of a backup router.
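A configuration check that applies the virtual MAC derivation from Virtual router MAC address together with the per-VLAN rules listed above, as an added Python example (not the switch's own code and not from the manual; the dictionary layout, the names and the sample addresses are assumptions):

```python
# Added example, not from the HPE manual: a checker for the per-VLAN VR rules
# collected on this page (virtual MAC from the VRID, VIP must be a real address
# on the owner, one VIP per VR, same subnet, priority ranges, 32 VRs per VLAN).
import ipaddress

VRRP_MAC_PREFIX = "00-00-5E-00-01"  # fixed five-octet prefix from RFC 3768
MAX_VRS_PER_VLAN = 32


def vrrp_virtual_mac(vrid):
    """Virtual MAC = standard prefix + VRID as the last octet (VRID 1 -> ...-01)."""
    if not 1 <= vrid <= 255:
        raise ValueError("VRID must be between 1 and 255")
    return f"{VRRP_MAC_PREFIX}-{vrid:02X}"


def check_vlan_vrrp(interface_addrs, vrs):
    """Validate the VR definitions on one VLAN interface of one router.
    interface_addrs: real addresses on this VLAN, e.g. ["10.10.100.1/24"] (constructed sample).
    vrs: dicts with keys vrid, role ("owner"/"backup"), vip and optional priority.
    Returns a list of problems; an empty list means the configuration is consistent."""
    problems = []
    ifaces = [ipaddress.ip_interface(a) for a in interface_addrs]
    if len(vrs) > MAX_VRS_PER_VLAN:
        problems.append(f"{len(vrs)} VRs exceed the limit of {MAX_VRS_PER_VLAN} per VLAN")
    seen_vrids, seen_vips = set(), set()
    for vr in vrs:
        vrid, vip = vr["vrid"], ipaddress.ip_address(vr["vip"])
        tag = f"VRID {vrid}"
        if vrid in seen_vrids:
            problems.append(f"{tag}: duplicate VRID on this VLAN")
        if vip in seen_vips:
            problems.append(f"{tag}: VIP {vip} is already used by another VR")
        seen_vrids.add(vrid)
        seen_vips.add(vip)
        if not any(vip in i.network for i in ifaces):
            problems.append(f"{tag}: VIP {vip} is not in any subnet of this VLAN")
        if vr["role"] == "owner":
            if vip not in {i.ip for i in ifaces}:
                problems.append(f"{tag}: owner VIP {vip} is not a real address on the interface")
            if vr.get("priority", 255) != 255:
                problems.append(f"{tag}: owner priority must be 255")
        elif vr["role"] == "backup":
            if not 1 <= vr.get("priority", 100) <= 254:
                problems.append(f"{tag}: backup priority must be between 1 and 254")
        else:
            problems.append(f"{tag}: role must be owner or backup")
    return problems
```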