Three points to master VRRP Protocol

VRRP plays an important role in vrouters. Especially in virtual routing, it has made outstanding contributions. The specific content will be explained in the following document. First, let's take a look at the basic concepts of VRRP.

I. Protocol Overview

In a TCP/IP-based network, a route must be specified to ensure communication between devices that are not directly physically connected. Currently, there are two commonly used routing methods: one is dynamic learning through routing protocols (such as internal routing protocols RIP and OSPF), and the other is static configuration. It is unrealistic to run dynamic routing protocols on every terminal, most client operating system platforms do not support dynamic routing protocols, and even the support is restricted by many problems such as management overhead, convergence, and security. Therefore, Static Routing configurations for terminal IP devices are generally used, generally, one or more Default gateways are specified for the terminal device. The static routing method simplifies network management and reduces the communication overhead of the terminal device, however, it still has a disadvantage: If the router used as the default gateway is damaged, all communications using this gateway for the next hop host will inevitably be interrupted. Even if multiple default gateways are configured, if you do not restart the terminal device, you cannot switch to the new gateway. Using the Virtual Router Redundancy Protocol (VRRP) can effectively avoid the defects of the static gateway ｡

There are two important concepts in VRRP: VRRP router and vro, Master router and backup router. VRRP router refers to the vro running VRRP and is a physical entity, A vro is a logical concept created by the VRRP Protocol. A group of VRRP routers work collaboratively, A vro is a logical router with a unique fixed IP address and a MAC address. A vro in the same VRRP group has two mutually exclusive roles: master router and backup router. One VRRP group has only one vro in the master role, there can be one or more vrouters in the backup role. VRRP uses the selection policy to select one from the vro group as the master, which is responsible for ARP and forwarding IP packets, other routers in the group are on standby as backup roles. When the master router fails for some reason, the backup router can be upgraded to the primary router after several seconds of delay. As this switchover is fast and does not require changing the IP address and MAC address, it is transparent to the end user system ｡

Ii. Working Principle

A vrrp router has a unique identifier: VRID, ranging from 0 to 25 5. the router acts as a unique virtual MAC address, the address format is 00-00-5E-00-01-[VRID]. The master router is responsible for responding to ARP requests using this MAC address, ensure that the unique IP address and MAC address are consistent for the terminal device, reducing the impact of switching on the terminal device ｡

There is only one VRRP control packet: VRRP announcement (advertisement). It uses IP multicast packets for encapsulation and the Group address is 224.0.0.18, the release scope is limited to the same LAN. This ensures that VRID can be reused in different networks. To reduce network bandwidth consumption, only the master router can periodically send VRRP notification packets. A new round of VRRP election is started after three consecutive notification intervals fail to receive VRRP or receive a notice with priority 0 ｡

In a VRRP router group, the master router is selected based on the priority. The priority range of the VRRP protocol is 0-255. If the IP address of the VRRP router is the same as the interface IP address of the vro, the virtual router is the IP address owner in the VRRP group. The IP address owner automatically has the highest priority: 255. Priority 0 is generally used when the IP address owner voluntarily waives the master role. The priority range can be 1-. The priority configuration principle can be based on the link speed and cost, router performance and reliability. and other management policy settings, A high-priority vro wins. Therefore, if there is an IP address owner in the VRRP group, it will always act as the role of the master route. For candidate vrouters with the same priority, VRRP also provides a priority Preemption Policy. if this policy is configured, A high-priority backup router will deprive the current low-priority master router and become a new master router ｡

To ensure the security of VRRP, two security authentication measures are provided: plaintext authentication and IP Address Header authentication. plaintext authentication method requirements: When you join a VRRP router group, the same VRID and plaintext password must be provided at the same time. It is suitable for avoiding configuration errors in the LAN, but cannot prevent obtaining the password through network listening. IP header authentication provides higher security, prevents packet replay, modification, and other attacks ｡

3. Application Instances

The most typical VRRP application: RTA and RTB constitute a VRRP router group. If the processing capability of RTB is higher than that of RTA, RTB is configured as the IP address owner, the default gateway of H1, H2, and H3 is set to RTB. Then, RTB becomes the master router and is responsible for forwarding ICMP redirection, ARP response, and IP packets. Once RTB fails, RTA immediately starts switching, become the master, thus ensuring transparent security switching to the customer ｡

In VRRP applications, when RTA is online, RTB is used as a backup and does not participate in forwarding. The routers RTA and link L1 are idle. Through reasonable network design, both backup and load balancing can be achieved. Make RTA and RTB belong to two VRRP groups that are mutually backed up: In group 1, RTA is the IP address owner; in group 2, RTB is the IP address owner. Set the default gateway of H1 to RTA, and the default gateway of H2 and H3 to RTB, it also improves network reliability ｡

The working mechanism of VRRP Protocol has many similarities with CISCO's HSRP (Hot Standby Routing Protocol). But the main difference between VRRP Protocol and CISCO's HSRP is that, you must configure an IP address as the external address of the vro. This address cannot be the interface address of any member in the group ｡

Using VRRP protocol, you do not need to modify the current network structure to maximize the protection of current investment. The minimum management cost is required, but the network performance is greatly improved and has great application value ｡