EdgeRouter - Virtual Router Redundancy Protocol (VRRP)


Readers will learn how to configure the router for VRRP (Virtual Router Redundancy Protocol) via CLI.

 
Example network diagram before VRRP is implemented.
 

Steps


Configuration

 

The configuration below will use the network diagram shown in the image above.

 

Note: These are the IP addresses of the host and two routers:

  • Host IP address: 192.0.2.50/24
  • R1 IP address: 192.0.2.10/24
  • R2 IP address: 192.0.2.20/24

For the basic VRRP configuration, use the following commands to add a VRRP virtual-address 192.0.2.1/24 to both R1 and R2:

 

R1 Configuration

 

Add the VRRP virtual address on R1.

ubnt@R1# set interfaces ethernet eth2 vrrp vrrp-group 100 virtual-address 192.0.2.1/24
ubnt@R1# commit
[edit] 
ubnt@R1# save
Saving configuration to '/config/config.boot'...
Done
[edit] 
ubnt@R1# exit

R2 Configuration

 

Add the VRRP virtual address on R2.

ubnt@R2# set interfaces ethernet eth2 vrrp vrrp-group 100 virtual-address 192.0.2.1/24
ubnt@R2# commit
[edit] 
ubnt@R2# save
Saving configuration to '/config/config.boot'...
Done
[edit] 
ubnt@R2# exit

Show Commands

 

  • There are two primary states for an interface, master and backup. To see which router is the master and owns the VIP (Virtual IP) address, use the show vrrp command:
ubnt@R1:~$ show vrrp 
Physical interface: eth2, Source Address 192.0.2.10
  Interface state: up, Group 100, State: master
  Priority: 1, Advertisement interval: 1, Authentication type: none
  Preempt: true, VIP count: 1, VIP: 192.0.2.1/24
  Master router: 192.0.2.10
  Last transition: 22s
              
  • If R1 becomes unavailable, then R2 will take over the virtual address. The host's traffic will go through R2 instead of R1:
ubnt@R2:~$ show vrrp                                                             
Physical interface: eth2, Source Address 192.0.2.20                             
  Interface state: up, Group 100, State: master                                 
  Priority: 1, Advertisement interval: 1, Authentication type: none             
  Preempt: true, VIP count: 1, VIP: 192.0.2.1/24                                
  Master router: 192.0.2.20                                                     
  Last transition: 11s     
  • Use the show log command to display the log messages for the transition from R1 to R2:

 

ubnt@R2:~$ show log
Dec 6 12:41:56 R2 Keepalived_vrrp: VRRP_Instance(vyatta-eth2-100) Transition to MASTER STATE
Dec 6 12:41:57 R2 Keepalived_vrrp: VRRP_Instance(vyatta-eth2-100) Entering MASTER STATE
Dec 6 12:41:57 R2 Keepalived_vrrp: VRRP_Instance(vyatta-eth2-100) setting protocol VIPs.
Dec 6 12:41:57 R2 Keepalived_vrrp: VRRP_Instance(vyatta-eth2-100) Sending gratuitous ARPs on eth2 for 192.0.2.1

 

Debugging Tips

 

  • The most common problem with setting up VRRP is that both sides think they are "master". This typically means that the two sides are not able to "see" each other's hello packets, so each assumes it is the master. Things that can prevent them from seeing each other's VRRP packets:
  1. The local firewall ruleset does not allow destination 224.0.0.18. Add a default-drop rule and check the log for drops.
  2. Some switches don't forward multicast, or must be configured to allow multicast.
  3. VRRP configuration mismatch. If the VRRP group, VIP(s), and authentication don't match, the routers are not considered to be in the same group.
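
The checks above can be scripted once the show vrrp output has been saved from each router. The following is an added example, not part of the original article: it compares two saved outputs and reports a group that both routers claim as master, mismatched VIP or authentication settings, and groups running without authentication. The function names, finding labels and sample input are constructed for illustration, and single-VIP groups are assumed.

```sh
#!/bin/sh
# Added example. Assumes single-VIP groups and the "show vrrp" layout printed in this article.

# Print one "group state auth vip" line per VRRP instance in a saved "show vrrp" output.
vrrp_summary() {
    awk '
        /Group [0-9]+, State:/ {
            for (i = 1; i < NF; i++) {
                if ($i == "Group")  { g = $(i + 1); sub(/,$/, "", g) }
                if ($i == "State:") { s = $(i + 1) }
            }
        }
        /Authentication type:/ { a = $NF }
        /VIP: /                { print g, s, a, $NF }
    ' "$1"
}

# Compare the outputs saved from two routers and print one finding per line.
vrrp_compare() {
    { vrrp_summary "$1" | sed 's/^/A /'; vrrp_summary "$2" | sed 's/^/B /'; } | awk '
        $1 == "A"   { st[$2] = $3; au[$2] = $4; vip[$2] = $5; next }
        !($2 in st) { print "UNMATCHED group " $2; next }
        {
            if (st[$2] == "master" && $3 == "master") print "DUAL-MASTER group " $2
            if (au[$2] != $4)  print "AUTH-MISMATCH group " $2
            if (vip[$2] != $5) print "VIP-MISMATCH group " $2
            if ($4 == "none")  print "NO-AUTH group " $2   # the article recommends ah mode
        }
    '
}

# Constructed sample: both routers claim master for group 100 at the same time.
demo() {
    d=$(mktemp -d) || return 1
    for src in 192.0.2.10 192.0.2.20; do
        cat > "$d/$src" <<EOF
Physical interface: eth2, Source Address $src
  Interface state: up, Group 100, State: master
  Priority: 1, Advertisement interval: 1, Authentication type: none
  Preempt: true, VIP count: 1, VIP: 192.0.2.1/24
  Master router: $src
EOF
    done
    vrrp_compare "$d/192.0.2.10" "$d/192.0.2.20"
    rm -rf "$d"
}
```

Calling demo prints the findings for the constructed pair; with real data, pass the two saved files to vrrp_compare.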

Force Transition

 

  • Sometimes you want to force an interface to change its state. For example, when you upgrade the software on the master, you use force transition to force the master to become the backup and then upgrade the software on the new backup.
ubnt@R2:~$ clear vrrp master interface eth2 group 100                           
Forcing eth2-100 to BACKUP...      
  • Use the show vrrp command to display the status information:
ubnt@R2:~$ show vrrp                                                            
Physical interface: eth2, Source Address 192.0.2.20                             
  Interface state: up, Group 100, State: backup                                 
  Priority: 1, Advertisement interval: 1, Authentication type: none             
  Preempt: true, VIP count: 1, VIP: 192.0.2.1/24                                
  Master router: unknown, Master Priority: unknown                              
  Last transition: 8s

Choose the Master

 

In the aforementioned example, there were no priorities assigned, so VRRP chose the master. Sometimes you want to choose the master, and you can do so by assigning priorities to the routers. The priority value range is from 1 to 254, with the higher value designating higher priority. Use the following commands to assign priority 100 to R1 and priority 50 to R2:

ubnt@R1# set interfaces ethernet eth2 vrrp vrrp-group 100 priority 100
[edit]
ubnt@R1# commit    
[edit]
ubnt@R2# set interfaces ethernet eth2 vrrp vrrp-group 100 priority 50        
[edit]                                                                          
ubnt@R2# commit        

Now R1 will always be the master if the interface is up and working.

 

Preemption

 

There may be situations when the higher-priority router should not re-take mastership when it is ready to do so. In this case we can disable preemption. Use the following commands to disable preemption on R1 and R2:

ubnt@R1# set interfaces ethernet eth2 vrrp vrrp-group 100 preempt false
[edit]
ubnt@R1# commit
[edit]
ubnt@R2# set interfaces ethernet eth2 vrrp vrrp-group 100 preempt false         
[edit]                                                                          
ubnt@R2# commit; save; exit

Authentication

 

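We recommend that you use authentication to prevent unauthorized VRRP members from becoming the master. The CLI supports both plain-text and ah modes, but plain-text mode offers very little protection, so we recommend ah mode. Apply the same authentication settings on R2, because routers whose authentication does not match are not considered to be in the same group.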

ubnt@R1# set interfaces ethernet eth2 vrrp vrrp-group 100 authentication type ah
[edit]
ubnt@R1# set interfaces ethernet eth2 vrrp vrrp-group 100 authentication password mysecret
[edit] 
ubnt@R1# commit
[edit]

Sync Groups

 
 

In this example, we have two VRRP groups:

 

  • VRRP group 100 for interfaces in the 192.0.2.0/24 network
  • VRRP group 200 for interfaces in the 203.0.113.0/24 network

Use the show vrrp summary command to display the details:

ubnt@R1:~$ show vrrp summary 
                VRRP    Addr                    Interface       VRRP            
Interface       Group   Type    Address         State           State           
---------       -----   ----    -------         -----           -----           
eth1            200     vip     203.0.113.1/24  up              master          
eth2            100     vip     192.0.2.1/24    up              master        

If VRRP group 100 transitions the master from R1 to R2, then we probably want VRRP group 200 to also transition from R1 to R2 even if there is nothing wrong. To accomplish this, we can add both VRRP groups to a sync group.

ubnt@R1# set interfaces ethernet eth2 vrrp vrrp-group 100 sync-group Foo
[edit]
ubnt@R1# set interfaces ethernet eth1 vrrp vrrp-group 200 sync-group Foo
[edit] 
ubnt@R1# commit
[edit]

Use the show vrrp command to display the status information:

ubnt@R1:~$ show vrrp 
 Physical interface: eth1, Source Address 203.0.113.10
   Interface state: up, Group 200, State: master
   Priority: 100, Advertisement interval: 1, Authentication type: none
   Preempt: true, VIP count: 1, VIP: 203.0.113.1/24
   Master router: 203.0.113.10
   Sync-group: Foo
   Last transition: 9m5s

 Physical interface: eth2, Source Address 192.0.2.10
   Interface state: up, Group 100, State: master
   Priority: 100, Advertisement interval: 1, Authentication type: none
   Preempt: true, VIP count: 1, VIP: 192.0.2.1/24
   Master router: 192.0.2.10
   Sync-group: Foo
   Last transition: 9m11s

Note: VRRP groups in a sync group should have similar configurations in terms of priority and preemption. Before enabling a sync-group, verify that one router is master of both groups and the other is backup of both groups. If both sides think they are master of the same group, then enabling a sync-group can cause endless transitioning as the groups try to get in sync.

 

Transition Scripts

 

Sometimes there are other actions that we would like to execute when a transition occurs (email an admin, change a route, etc.). A good location to save these scripts is in /config/scripts, so the scripts will be copied when you upgrade the software.

 

Note: The transition scripts must be executable (chmod +x <file>).

 

Use the following command to add a transition script:

 

ubnt@R1# set interfaces ethernet eth2 vrrp vrrp-group 100 run-transition-scripts backup /config/scripts/my_vrrp_script
[edit]
ubnt@R1# commit
[edit]

This example adds a script to execute when the transition goes to backup, but you can also have scripts for master and fault (the fault state occurs if the interface link goes down). When the scripts are called, they are passed three parameters:

 

  • vrrp transition state
  • interface
  • group
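
A transition script that consumes these three parameters is sketched below. This is an added example, not code from the original article: it validates each argument against a strict pattern before using it and writes one syslog line per transition, with fault logged at a higher severity. The function name, the syslog tag and the assumption that the state may arrive in either letter case are illustrative.

```sh
#!/bin/sh
# Added example of a transition script, e.g. saved as /config/scripts/my_vrrp_script.
# Assumption: arguments arrive in the order the article lists them
# ($1 state, $2 interface, $3 group); the state is accepted in either letter case.

# Validate all three arguments, then print the message to be logged.
# Returns 2 and prints nothing on stdout if any argument is unexpected.
vrrp_event() {
    state=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    iface=$2
    group=$3
    case $state in
        master|backup|fault) ;;
        *) echo "rejected: unexpected state" >&2; return 2 ;;
    esac
    case $iface in
        ''|*[!A-Za-z0-9._-]*) echo "rejected: bad interface name" >&2; return 2 ;;
    esac
    case $group in
        ''|*[!0-9]*|????*) echo "rejected: bad group" >&2; return 2 ;;
    esac
    if [ "$group" -lt 1 ] || [ "$group" -gt 255 ]; then
        echo "rejected: group out of range" >&2; return 2
    fi
    echo "VRRP $iface group $group -> $state"
}

# Entry point: runs only when the script is invoked with arguments.
if [ "$#" -gt 0 ]; then
    msg=$(vrrp_event "$@") || exit 2
    case $msg in
        *'-> fault') prio=daemon.err ;;     # link failure: log at error severity
        *)           prio=daemon.notice ;;  # ordinary master/backup change
    esac
    logger -p "$prio" -t vrrp-transition "$msg"
fi
```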

Resource

 

A very informative paper on VRRP and its usage is available here: http://www.redbooks.ibm.com/redpapers/pdfs/redp3657.pdf