Three articles: keppalived's blog

Vrrp Protocol Introduction

 

Reference: RFC 3768

1. Preface

Vrrp (virtual router redundancy protocol) protocol is used to implement router redundancy. The latest protocol is defined in rfc3768. The original definition rfc2338 is abolished, and the new Protocol also simplifies some features.

2. protocol description

2.1 Protocol

Vrrp is a master-slave protocol designed to eliminate network failures caused by a single point of failure on the default router in a static default routing environment, in this way, device function switching in case of a fault does not affect internal and external data communication, and you do not need to modify the network parameters of the internal network. Vrrp must have IP address backup, preferred routing, and unnecessary inter-router communication.

Vrrp virtualizes two or more router devices into one device and provides one or more vroip IP addresses, if the router that actually owns the external IP address works normally, it is the master node, or it is generated through algorithm election. The master node implements various network functions for the virtual router IP address, such as ARP requests, ICMP, and data forwarding. Other devices do not have this IP address and the status is backup. In addition to receiving vrrp status notifications from the master, they do not perform external network functions. When the host fails, backup takes over the network function of the original master.

When you configure the vrrp protocol, you must configure the vroid ID (vrid) and priority value for each vro. vrouters with the same vrid value are grouped by vrid, vrid is a 0 ~ A positive integer of 255. routers in the same group use the priority value to elect the master. The priority is master, and the priority is also 0 ~ A positive integer of 255.

Vrrp uses multicast data to transmit vrrp data. vrrp uses a special virtual source MAC address to send data instead of the MAC address of the network adapter, when vrrp is running, only the master router regularly sends vrrp notification information, indicating that the master is working normally and the vro IP (Group). Backup only receives vrrp data and does not send data, if you do not receive the notice from the master within a certain period of time, each backup node will declare itself as the master node, send the notice information, and re-execute the master node election status.

2.2 master election
If the IP address of the external vro is the IP address configured by the vro itself, the vro will always be a master;
Otherwise, if the virtual IP address is not available, the master will be elected, and each vro will declare itself as a master and send vrrp announcement information;
If the priority of the notification information sent from other machines is higher than the priority of the user, it will be returned to the backup status;
If the priority is equal, the actual IP address of the router is compared, and the priority of the IP address is higher than that of the router;
However, if the IP address of the external vro is the IP address of the vro itself, the vro will always be the master, and the priority value is 255.

2.3 Protocol state machine

The vrrp protocol has three statuses: initialization, host, and backup machine.

2. + --------------- +
4. + ---------> | <------------- +
6. | Initialize |
8. | + ------ | ---------- + |
10. | + ------------- + |
12. |
14. | V v |
16. + --------------- ++ --------------- +
18. | ----------------------> |
20. | Master | Backup |
22. | <---------------------- |
24. + --------------- ++ --------------- +

Copy code

Initialization:
When a vro is started, if the priority of the vro is 255 (the highest priority is that the vro has a vro address), The vrrp notification information should be sent, send the broadcast ARP information notice that the MAC address corresponding to the vro IP address is the virtual MAC address of the route, set the Notification Information timer, and regularly send the vrrp notification information to the master status;
Otherwise, the system enters the backup status and sets the timer to check whether the master has received the notification.

Host:
The router in the host status must complete the following functions:
Set the timed notification timer;
Use vrrp to respond to ARP requests from vro IP addresses;
Forward packets whose destination MAC is vrrp virtual Mac;
If it is the owner of the vroip IP address, the packet whose destination address is the vroip IP address will be accepted; otherwise, the packet will be discarded;
When a shutdown event is received, the scheduled notification timer is deleted, and a notification packet with a priority of 0 is sent to the initialization status;
If the scheduled notification timer times out, the vrrp notification is sent;
When the vrrp notification is received, if the priority is 0, the vrrp notification is sent; otherwise, the system checks whether the priority of the data is higher than the local machine or equal, and the actual IP address is greater than the local real IP address, and sets the timed notification timer, reset the host timeout timer to the backup status; otherwise, discard the notification package;

SLAVE:
Vrouters in the standby State must implement the following functions:
Sets the host timeout timer;
Cannot respond to ARP request information for the vro IP address;
Discard all packets whose destination MAC address is the MAC address of the virtual router;
Do not accept all data packets destined for the vroip IP address;
When a shutdown event is received, the host timeout timer is deleted and changed to the initialization status;
When the host time-out timer times out, it sends vrrp Notification Information, broadcasts ARP Address information, and switches to master status;
When the vrrp notification is received, if the priority is 0, it indicates that the master is selected; otherwise, it determines whether the priority of the data is higher than that of the local machine. If the priority is high, it indicates that the master is valid and the reset host timed out timer; otherwise, discard the announcement package;

2.4 ARP Query Processing

When the internal host queries the MAC address corresponding to the vro IP address through ARP, the MAC address replied by the master router is the MAC address of the virtual vrrp, instead of the MAC address of the actual Nic, in this way, the Intranet machine is not aware of the vro switching. When the vro is restarted, the actual MAC address of the local Nic cannot be actively sent. If the ARP proxy (proxy_arp) function is enabled on the vro, the proxy's ARP response also responds to the vrrp virtual MAC address;

2.5 vrrp application example

2. + ----------- ++ ----------- +
4. | Rtr1 | rtr2 |
6. | (Mr vrid = 1) | (BR vrid = 1) |
8. | (BR vrid = 2) | (Mr vrid = 2) |
10. Vrid = 1 + ----------- ++ ----------- + vrid = 2
12. Ip a ----------> ** <---------- IP B
14. |
16. |
18. ------------------ + ------------ + ----- + -------- + --
20. ^
22. |
24. (Ip A) (ip B)
26. |
28. + -- ++ -- +
30. | H1 | H2 | H3 | H4 |
32. + ----- ++ -- + -- ++ -- +
34. Legend:
36. --- + -- = Ethernet, Token Ring, or FDDI
38. H = Host Computer
40. Mr = Master Router
42. BR = backup router
44. * = IP Address
46. (IP) = default router for hosts

Copy code

This is the general vrrp topology. The two routers run vrrp to back up each other. vro1 1 serves as the master of vrid group 1, and the backup of IP address a and vrid Group 2, vro2 2 acts as the backup of the master, IP address B, and vrid group 1 in vrid group 2. The default gateway address of some machines in the internal network is IP address a, and part of the default gateway address is IP address B, under normal circumstances, data with a as the gateway will go through router 1, and data with B as the gateway will go through router 2. If a router fails, all data will go through another router.

3. Protocol definition

3.1 Ethernet

The source MAC address must be a virtual MAC address: 00-00-5e-00-01 -{Vrid}. Vrid is the vroid id value in hexadecimal format. Therefore, up to 255 vrrp routers are deployed in the same network segment. The target Mac is a multicast MAC.

Vrid is very important.


3.2 IP header Parameters

The source address of the vrrp package is the local address. The destination address must be 224.0.0.18, which is a multicast address; the IP protocol number is 112; and the TTL value of the IP package must be 255.

3.3 vrrp protocol data format

2. 0 1 2 3
4. 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 4 5 6 7 8 9 0 1
6. +- +-+
8. | Version | type | virtual rtr id | priority | count IP addrs |
10. +- +-+
12. | Auth type | adver int | checksum |
14. +- +-+
16. | IP address (1) |
18. +- +-+
20. |. |
22. |. |
24. |. |
26. +- +-+
28. | IP address (n) |
30. +- +-+
32. | Authentication data (1) |
34. +- +-+
36. | Authentication data (2) |
38. +- +-+

Copy code

Where:
Version: version, 4-digit, defined as 2 in rfc3768;
Type: type, 4 bits. Currently, only one type is defined: advertised data; Value: 1;
Virtual rtr id: vro ID, 8-bit
Priority: priority. It is 8-bit. The priority of devices with redundant IP addresses is 255;
Count IP addrs: number of IP addresses in the vrrp package, 8 bits;
Auth type: indicates the authentication type, which is 8-bit. The authentication function in rfc3768 has been canceled. The value of this field is defined as 0 (not authenticated) and is 1 or 2 compatible with the old version;
Adver INT: The sending interval of the notification packet, which is 8 bits. The unit is seconds. The default value is 1 s;
Checksum: Checksum, which is a 16-bit verification data. The verification data range is only vrrp data, that is, data starting from the vrrp version field, excluding the IP address header;
IP address (es): the IP address related to the vro. The number of IP addresses is determined by Count IP addrs.
Authentication data: this field is defined in rfc3768 only for compatibility with earlier versions and must be set to 0.

3.4 check required when receiving data

When a vrrp packet is received, perform the following verification. packets that do not meet the verification requirements are discarded:
-TTL must be 255;
-The vrrp version must be 2;
-The data fields in a package must be complete;
-The Checksum must be correct;
-You must verify that the vrid value is configured on the received Nic, and the local router is not the owner of the Route IP address.
-The vvrp authentication type must be consistent with the configuration;


4. Conclusion

Vrrp implements the router IP address redundancy function to prevent network failures caused by spof. vrrp itself is in the form of Hot Standby, but vrouters can be balanced through hot standby, the new version of vrrp simplifies authentication and does not actually perform data authentication. This is because authentication is often used by multiple masters in actual applications.

 

 

Keepalived Principles and Practices

Http://bbs.nanjimao.com/thread-845-1-1.html

 

 

Keepalived Case 1: keepalived dual-machine Hot Standby (HA)

Http://bbs.nanjimao.com/thread-855-1-1.html

 

Three articles: keppalived's blog