1. Background and application environment
1.1 Why use VRRP
VRRP (Virtual Router Redundancy Protocol) is the redundancy protocol for virtual routers; the latest technical standard is RFC3768.
Why use VRRP? Mainly to achieve redundant backup of devices that interoperate at the data link layer. Look at Figure One:
Figure One (General network architecture)
As can be seen from the figure above, a typical LAN has many terminals connected to a switch, which in turn reaches the Internet through a single egress router. Here the problem arises: if the egress router breaks, all upstream traffic is cut off. This is the legendary single point of failure.
To avoid this situation, following the idea of redundant backup, we modify the physical layout of the above network as shown below:
Figure II (General network architecture that eliminates a single point of failure)
Now there are two Internet exits in this network, so the failure of either egress router will not cut off the end users' upstream traffic.
Another problem arises: how do we let the terminal PCs know that there are two egress routers in the LAN, and automatically choose the other one after a failure? Possible schemes include having the terminal PC run a dynamic routing protocol such as RIP or OSPF, run an ICMP Router Discovery client (DISC), or specify a static default route.
However, all three approaches have disadvantages and are not feasible; let us analyze them one by one. First, it is almost impossible to run a dynamic routing protocol on every terminal PC: this involves the technical capability of the network administrators, daily maintenance and security issues, and some terminal platforms do not support dynamic routing protocols at all. For example, the common XP and Windows 7 do not support them, while the Windows Server series OS does.
Assuming we did deploy a dynamic routing protocol on the terminal PCs, every end user would run into the following scenario:
10086: Dear user, hello. To report a RIP fault please press 1, to report an OSPF fault please press 2, to report an IS-IS fault please press 3 ....
User: (⊙o⊙) Ah. My home is on OSPF, press 2.
10086: Hello, the fault you reported is OSPF, please select further: OSPF neighbor cannot be established please press 1, OSPF key wrong please press 2, link state database exception please press 3, routing table error please press 4 ...
User: (⊙o⊙) Ah. ............... And then spits blood and dies ....
Therefore, deploying a dynamic routing protocol on the terminal PC is not feasible because of N practical problems and difficulties.
Next, deploying a neighbor or router discovery protocol such as DISC on the terminal PC has various problems too. For example, when there are a large number of hosts in the network, each of them needs to run DISC; besides increasing the hosts' processing burden, this also leads to slow protocol convergence, so a neighbor router cannot be discovered in a timely manner and routing black holes arise, which is unacceptable.
That leaves configuring a static default route on the terminal PC (in practice this usually means setting a gateway), which is a configuration feature supported by almost every IP platform, even an IP phone. Following this idea, we configure multiple default gateways on the terminal to achieve route backup, but there are the following two issues:
1. For a downstream device that is a PC, after multiple default gateways are configured, one of them acts as the active default gateway and the others as backup default gateways. Traffic forwarding and failed gateway detection follow this procedure:
When TCP/IP sends TCP traffic to a destination IP address through the active default gateway and no response has been received after half of the TcpMaxDataRetransmissions registry value (5 by default, that is, 3 attempts), TCP/IP switches the traffic to that destination IP address to use the next default gateway in the list. This is done by changing the route cache entry (RCE) for the remote IP address to use the next default gateway in the list as the next-hop address, where an RCE is an entry in the routing table that stores the next-hop IP address for the destination. When more than 25% of TCP connections have moved to the next default gateway, TCP/IP changes the active default gateway to the default gateway those connections are currently using.
If the original default gateway recovers from the failure at this point, TCP/IP continues to use the current active default gateway and does not switch back to the original default gateway unless the computer is restarted. If the current active default gateway also fails, TCP/IP continues with the next default gateway in the list, and after the entire list has been tried it returns to the beginning of the list, starting again with the first default gateway.
Dead gateway detection monitors only TCP traffic and does not switch the default gateway if other types of traffic fail. In addition, TCP is an end-to-end protocol, so even if the current default gateway is fully functional, a TCP communication failure on the local computer may still cause the default gateway to be switched.
When there is no connectivity between the networks that different network interfaces are connected to (for example, one network interface connects to the Internet and another connects to the internal network), and a default gateway is configured on several of these interfaces at the same time, a connectivity failure can occur when the active default gateway fails and causes the default gateway to be switched. For example, if the active default gateway is on the Internet connection and the default gateway it switches to is on the internal connection, the local computer will no longer be able to reach hosts through the Internet connection. In this case, Microsoft recommends using route add to add a matching route to the destination network instead of setting up multiple default gateways. This is really just the longest-match principle: the more specific route takes precedence over the default route.
2. For a downstream device that is a router, it does not switch the default route and only forwards traffic according to the configured priority of the default routes, which leads to routing black holes.
Combining the above two reasons, configuring multiple default routes on the downstream device of the network egress router is not feasible.
To sum up, to eliminate the single point of failure while still giving the downstream equipment unobstructed traffic forwarding in the event of a failure, the above three methods are all unfeasible, so people developed a new protocol: VRRP. This protocol requires no interoperation between the downstream device and the egress router, yet it fully realizes redundancy of the network egress. In the next section we discuss in detail the basic principles and implementation process of VRRP.
2. VRRP Fundamentals and implementation process
2.1 Basic Concepts
VRRP Router: A router that runs one or more instances of the VRRP protocol.
Virtual Router: consists of a master router and one or more backup routers. Both the master router and the backup routers are VRRP routers, and the downstream device regards the virtual router as its default gateway.
VRID: the virtual router identifier. Routers in the same VRRP group must have the same VRID. In fact, the VRID is the equivalent of a company name: each employee who introduces himself includes the company name to show that he is a member of that company; in the same way, the VRID indicates that the router belongs to this VRRP group.
Master router: the router in a virtual router that takes on the traffic forwarding task.
Backup router: a router that can take over the work of the master router when the master router of a virtual router fails.
Virtual IP Address: the IP address of the virtual router; a virtual router can have one or more virtual IP addresses.
IP Address Owner: the router whose interface IP address is the same as the virtual router's IP address is called the IP address owner.
Primary IP Address: selected from the set of IP addresses configured on the physical interface; one selection rule is to always choose the first IP address. VRRP advertisement messages always use the primary IP address as the source IP of the packet's IP header.
Virtual MAC Address: its composition is 00-00-5e-00-01-{VRID}. The first three bytes 00-00-5e are allocated by IANA, the next two bytes 00-01 are specified for the VRRP protocol, and the last byte is the VRID, the virtual router identifier, with value range [1,255].
2.2 Message composition
Now let us look at the specific composition of the VRRP message:
Figure III (VRRP message format, taken from RFC3768)
Specific field meaning:
Version: VRRP protocol version number, RFC3768 defines version 2.
Type: this field indicates the type of the VRRP message. RFC3768 defines only one VRRP message type, the VRRP advertisement message, so this field is always set to 1; if a received VRRP advertisement has a type value other than 1, it is discarded.
Virtual Rtr ID: the VRID described above. A VRID uniquely identifies a virtual router; the value range is [1,255], so an interface of a router can run up to 255 VRRP instances at a time. This field has no default value and must be set manually.
Priority: used within a virtual router to select the master router and the backup routers; the higher the value, the higher the priority. This field has 8 bits and a value range of [1,254]; if nothing is specified, the default value is 100. The VRRP protocol always sets this field to 255 for the IP address owner router, and if someone configures a different value it does not affect the default behavior of the VRRP protocol, that is, the IP address owner's priority is always 255. In addition, this field is set to 0 in the following scenario: when the master router goes down, it immediately sends a VRRP advertisement with priority 0; when a backup router receives this advertisement, it waits for the skew time and then switches itself to master, where skew time = (256 - priority of the backup router)/256, in seconds. For example, if the backup router has a priority of 100, then skew time = 156/256 = 0.609 seconds. Skew time has no meaning for the master router, although Cisco routers calculate and display it anyway.
Count IP Addrs: the number of IP addresses included in the VRRP advertisement, which is actually the number of IP addresses assigned to the VRRP virtual router. Let's look at a practical Cisco example:
The configuration is as follows:
interface Ethernet1/0
 ip address 192.168.10.102 255.255.255.0
 duplex half
 vrrp 1 ip 192.168.10.52
 vrrp 1 ip 192.168.10.51 secondary
 vrrp 1 ip 192.168.10.53 secondary
end
Let's take a look at how the above configuration is encapsulated in a VRRP advertisement message, as shown in the following figure:
Figure Four (packet capture analysis of the VRRP message)
As you can see, the value of the Count IP Addrs field in the VRRP advertisement is 3 because we configured 3 virtual IP addresses, and the IP address fields that follow are encapsulated in the order in which we configured the virtual IPs.
Auth Type: the authentication type field, an 8-bit unsigned integer. A virtual router can use only one authentication type; if a backup router receives an advertisement whose authentication type field is unknown or does not match the local configuration, it discards the packet.
Notably, RFC2338 defined 3 authentication types for VRRP: no authentication, clear-text authentication and MD5 authentication. In subsequent practice it was found that these methods fail to provide effective security and also cause problems with multiple master routers, so in the latest VRRP standard, RFC3768, all the authentication types have been removed.
The authentication Type field is now defined as follows:
0 - No authentication; the Authentication Data field that follows is set to all zeros, and the receiving router ignores it.
1 - Reserved, for compatibility with the previous version, RFC2338.
2 - Reserved, for compatibility with the previous version, RFC2338.
Adver Int: this field specifies the interval, in seconds, at which the master router sends VRRP advertisements. The value range is [1,255]; if not manually configured, the default is 1 second.
Checksum: the checksum of the entire VRRP message. The Checksum field is set to 0 during the calculation, and the result is written into this field when the calculation is complete. To learn more about the checksum calculation, see RFC1071.
IP Address: this field holds the virtual IP addresses of the VRRP virtual router; as many are encapsulated as are configured. In the Cisco example above we configured three, so the VRRP advertisement encapsulates 3.
Authentication Data: in RFC3768 this field exists only for compatibility with RFC2338; in the actual encapsulation it is all zeros, and the receiver ignores it.
2.3 Protocol state machine
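As an added example (not code from the original article), the following Python builds a VRRPv2 advertisement with the field layout just described and parses one back, applying the receive checks the text mentions: a Type other than 1 is discarded, an unknown or mismatched Auth Type is discarded, and the RFC1071 checksum is verified over the whole message. The sample values mirror the Cisco configuration above (VRID 1, default priority 100, three virtual IPs in configuration order) and are constructed here; the function names are this example's own.

```python
# Added example, not from the original article: build and parse a VRRPv2
# advertisement (RFC 3768 layout) with the RFC 1071 one's-complement checksum.
# All sample values below are constructed to match the article's Cisco example.
import ipaddress
import struct

VRRP_VERSION = 2               # RFC 3768 defines version 2
VRRP_TYPE_ADVERT = 1           # the only message type defined
KNOWN_AUTH_TYPES = {0, 1, 2}   # 0 = no authentication, 1 and 2 = reserved


def rfc1071_checksum(data: bytes) -> int:
    """One's-complement sum of all 16-bit words, then complemented (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def virtual_mac(vrid: int) -> str:
    """00-00-5e-00-01-{VRID}: IANA OUI 00-00-5e, 00-01 for VRRP, then the VRID."""
    if not 1 <= vrid <= 255:
        raise ValueError("VRID must be in [1,255]")
    return "00-00-5e-00-01-%02x" % vrid


def build_advertisement(vrid, priority, vips, adver_int=1, auth_type=0):
    """Serialize one VRRPv2 advertisement; Authentication Data is all zeros."""
    header = struct.pack("!BBBBBB",
                         (VRRP_VERSION << 4) | VRRP_TYPE_ADVERT,
                         vrid, priority, len(vips), auth_type, adver_int)
    body = b"".join(ipaddress.IPv4Address(v).packed for v in vips) + bytes(8)
    # Checksum covers the whole message and is computed with the field set to 0.
    csum = rfc1071_checksum(header + b"\x00\x00" + body)
    return header + struct.pack("!H", csum) + body


def parse_advertisement(pkt: bytes, local_auth_type=0):
    """Return (fields, None) on success or (None, reason) when the receiver discards."""
    if len(pkt) < 8:
        return None, "too short"
    vt, vrid, prio, count, auth_type, adver_int, _csum = struct.unpack("!BBBBBBH", pkt[:8])
    if vt >> 4 != VRRP_VERSION:
        return None, "unsupported version %d" % (vt >> 4)
    if vt & 0x0F != VRRP_TYPE_ADVERT:
        return None, "unknown type %d" % (vt & 0x0F)        # non-1 type: discard
    if rfc1071_checksum(pkt) != 0:          # an intact message sums to zero
        return None, "bad checksum"
    if len(pkt) < 8 + 4 * count + 8:
        return None, "truncated address list"
    if auth_type not in KNOWN_AUTH_TYPES or auth_type != local_auth_type:
        return None, "auth type %d unknown or mismatched" % auth_type   # discard
    vips = [str(ipaddress.IPv4Address(pkt[8 + 4 * i:12 + 4 * i])) for i in range(count)]
    return {"vrid": vrid, "priority": prio, "count": count, "adver_int": adver_int,
            "auth_type": auth_type, "vips": vips, "virtual_mac": virtual_mac(vrid)}, None


# Constructed sample: VRID 1, default priority 100, three virtual IPs in the
# same order as the Cisco configuration in the article.
SAMPLE_ADVERT = build_advertisement(
    1, 100, ["192.168.10.52", "192.168.10.51", "192.168.10.53"])

if __name__ == "__main__":
    print(parse_advertisement(SAMPLE_ADVERT))
    # Flip the priority byte in flight: the checksum no longer verifies.
    print(parse_advertisement(SAMPLE_ADVERT[:2] + b"\xc8" + SAMPLE_ADVERT[3:]))
```

Note that the checksum only catches corruption: with authentication removed in RFC3768, nothing in the message itself proves who sent it, so protection of VRRP rests on controlling which layer-2 segment and ports carry the advertisements.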
For a VRRP virtual router, every VRRP router that participates in it has only 3 VRRP states: Initialize, Master and Backup. Discussing these three states brings up some new concepts, which we explain in detail the first time we meet them.
2.3.1 Initial state (Initialize)
This is the state in which VRRP waits for a startup event once VRRP has been configured. When the local VRRP process enters this state, the following actions are performed:
2.3.1.1 If the local priority is 255, meaning that it is the IP address owner router, then it will:
1. Send a VRRP advertisement message
2. Broadcast gratuitous ARP request messages whose content maps the virtual MAC to the virtual IP; one gratuitous ARP request is sent per virtual IP address
3. Start the Adver_Timer with an initial value of Advertisement_Interval (default 1 second); when the timer expires, the next VRRP advertisement is sent
4. The local VRRP process switches itself to Master
2.3.1.2 If the local priority is not 255, then it will:
1. Set the Master_Down_Timer to Master_Down_Interval, the interval after which the master router is considered dead; if this timer expires, the backup router declares the master router dead. Here Master_Down_Interval = (3 * Advertisement_Interval) + Skew_Time. For example, if a VRRP instance (i.e. a VRRP virtual device) has a priority of 100 and the advertisement interval is 1 second, then Master_Down_Interval = 3*1s + (256-100)/256 s = 3.609 seconds.
2. The local VRRP process switches itself to Backup
2.3.2 Backup router state (Backup)
2.3.2.1
The backup router is designed to monitor the state of the master router. If a VRRP router is in this state, it will:
1. Not respond to ARP requests for the virtual IP addresses
2. Discard frames whose destination MAC address is the virtual MAC
3. Discard IP packets whose destination IP address in the IP header is a virtual IP
2.3.2.2
If the VRRP router receives a shutdown event in this state, it will:
1. Cancel the Master_Down_Timer
2. Transition to the initial state (Initialize)
2.3.2.3
If the Master_Down_Timer expires, the VRRP router will:
1. Send a VRRP advertisement message
2. Broadcast gratuitous ARP request messages mapping the virtual MAC to the virtual IP, one per virtual IP address
3. Set the Adver_Timer to Advertisement_Interval (default 1 second)
4. Switch to the Master state
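As an added example (not code from the original article), the following Python models one VRRP instance's Initialize, Backup and Master transitions from 2.3.1 and 2.3.2, the Skew_Time and Master_Down_Interval formulas, and the priority-0 advertisement handling described under the Priority field in 2.2. Timers are advanced by hand with tick() so the failover can be traced offline; the class and function names, the step sizes and the sample addresses are this example's own constructions, and the lower-priority case is taken from RFC 3768 rather than from the text above.

```python
# Added example, not from the original article: a hand-clocked model of one
# VRRP instance's state machine (RFC 3768) as described in sections 2.3.1/2.3.2.
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


def skew_time(priority: int) -> float:
    """Skew_Time = (256 - priority) / 256 seconds."""
    return (256 - priority) / 256


def master_down_interval(adver_int: int, priority: int) -> float:
    """Master_Down_Interval = 3 * Advertisement_Interval + Skew_Time."""
    return 3 * adver_int + skew_time(priority)


@dataclass
class VrrpInstance:
    vrid: int
    priority: int                              # 255 marks the IP address owner
    vips: Tuple[str, ...] = ("192.168.10.52",) # constructed sample virtual IP
    adver_int: int = 1
    state: str = "Initialize"
    master_down_timer: Optional[float] = None
    adver_timer: Optional[float] = None
    sent: List[tuple] = field(default_factory=list)   # messages this instance emitted

    def _become_master(self) -> None:
        """Advertisement, one gratuitous ARP per virtual IP, start Adver_Timer."""
        self.sent.append(("advertisement", self.priority))
        for vip in self.vips:
            self.sent.append(("gratuitous_arp", vip, "00-00-5e-00-01-%02x" % self.vrid))
        self.adver_timer = float(self.adver_int)
        self.master_down_timer = None
        self.state = "Master"

    def startup(self) -> str:
        """Startup event in Initialize (2.3.1.1 / 2.3.1.2)."""
        if self.priority == 255:
            self._become_master()
        else:
            self.master_down_timer = master_down_interval(self.adver_int, self.priority)
            self.state = "Backup"
        return self.state

    def shutdown(self) -> str:
        """Shutdown event while Backup (2.3.2.2)."""
        if self.state == "Backup":
            self.master_down_timer = None
            self.state = "Initialize"
        return self.state

    def receive_advertisement(self, adv_priority: int) -> str:
        """Advertisement received while Backup."""
        if self.state == "Backup":
            if adv_priority == 0:                    # master announces it is going down
                self.master_down_timer = skew_time(self.priority)
            elif adv_priority >= self.priority:      # current master still wins
                self.master_down_timer = master_down_interval(self.adver_int, self.priority)
            # Lower, non-zero priority: RFC 3768 discards the advertisement when
            # preemption is enabled, so the timer is left running (assumption here).
        return self.state

    def tick(self, seconds: float) -> str:
        """Advance time; Master_Down_Timer expiry in Backup promotes to Master (2.3.2.3)."""
        if self.state == "Backup" and self.master_down_timer is not None:
            self.master_down_timer -= seconds
            if self.master_down_timer <= 0:
                self._become_master()
        elif self.state == "Master":
            self.adver_timer -= seconds
            if self.adver_timer <= 0:                # periodic advertisement
                self.sent.append(("advertisement", self.priority))
                self.adver_timer = float(self.adver_int)
        return self.state


def owner_startup_messages(vrid: int, vips) -> List[tuple]:
    """What the IP address owner emits on startup: 1 advertisement + 1 ARP per VIP."""
    inst = VrrpInstance(vrid=vrid, priority=255, vips=tuple(vips))
    inst.startup()
    return inst.sent


def time_to_master(local_priority=100, adv_priority=None, step=0.5) -> float:
    """Seconds (in multiples of step) until a Backup takes over, optionally after
    hearing one advertisement with adv_priority right after startup."""
    inst = VrrpInstance(vrid=1, priority=local_priority)
    inst.startup()
    if adv_priority is not None:
        inst.receive_advertisement(adv_priority)
    elapsed = 0.0
    while inst.tick(step) != "Master":
        elapsed += step
    return elapsed + step


if __name__ == "__main__":
    print("silent master:", time_to_master(), "s")            # ~3.609 s rounded up
    print("priority-0 advert:", time_to_master(adv_priority=0, step=0.25), "s")
```

With priority 100 and a 1-second advertisement interval, Master_Down_Interval is 3.609375 s, so the backup becomes master at the first half-second tick after that (4.0 s); after a priority-0 advertisement it only waits Skew_Time (0.609375 s). The IP address owner never waits: it starts as Master and sends one gratuitous ARP per virtual IP.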
2.3.2.4
If a VRRP router in the Backup state receives a VRRP advertisement:
If the priority field of the advertisement is 0, the router sets its
Master_Down_Timer to Skew_Time;
If the priority is not 0 and is greater than or equal to the local priority, the local router resets its Master_Down_Timer and keeps