
VRRP Protocol whitepaper

2002 by Lubomir Nistor

Contents

Introduction
VRRP Protocol
    VRRP Field Descriptions
        Version
        Type
        Virtual Rtr ID (VRID)
        Priority
        IP Address Count
        Authentication Type
        Advertisement Interval
        Checksum
        IP Address(es)
        Authentication Data
    VRRP protocol states
VRRP Implementations
    VRRP 2
        Standard state
        Failover state
    Monitored Circuit
        Standard State
        Failover state
Deployment strategies
    VRRP on routers
    VRRP by firewalls
    VRRP on servers
    VRRP test procedure
        Main state
        Fail-over state
        Return from fail-over state
Weak points
Possibilities of improvement
Reference

Introduction
Networks are the most important part of our communication system in every aspect of our lives. Without them we can't communicate with each other, can't receive or send new information, and can't withdraw money from a bank branch. Network outages therefore have to be kept as short as possible. There are networks where an outage causes the collapse of a business or the loss of a considerable amount of money; the owners of such networks are willing, or obliged, to invest in redundancy solutions. There are many ways of minimizing network outages and every alternative has its pros and cons. This document describes VRRP, a standardized protocol for redundant, highly available gateways. When a router is configured as a static default gateway and no dynamic routing protocol or router discovery protocol is used, that gateway becomes a critical point in the network: if the router fails, the link is broken and the LAN is cut off from other networks.
[Pic.1: standard network. A single router connects the LAN to the WAN.]

It may therefore be appropriate to set up other routers as backups that can serve as the static default gateway if necessary. The problem is how to tell a client to use a different gateway. It is possible to add extra interfaces and routes on the client, but that adds to the complexity of the network and slows down network communication at the client. Another possibility is a virtual gateway or router that is independent of any physical device. This virtual router acts as a standalone network gateway for all clients on the LAN. The Virtual Router Redundancy Protocol (VRRP) eliminates the single point of failure inherent in the static default routed environment. VRRP specifies an election protocol that dynamically assigns responsibility for a virtual router to one of the VRRP routers on a LAN. The physical router controlling the IP address(es) associated with a virtual router is called the Master, and it forwards packets sent to those IP addresses. When the Master becomes unavailable, a Backup physical router takes its place. VRRP provides a function similar to the Cisco Systems proprietary Hot Standby Router Protocol (HSRP) and to the Digital Equipment Corporation proprietary IP Standby Protocol.

VRRP Protocol
VRRP specifies an election protocol to provide the virtual router function described earlier. All protocol messaging is performed using IP multicast datagrams. Each VRRP virtual router has a single well-known MAC address allocated to it. The virtual router MAC address is used as the source address in all periodic VRRP messages sent by the Master router, so that bridges in an extended LAN learn which port the virtual router is currently behind. The virtual router MAC address associated with a virtual router is an IEEE 802 MAC address in the following format:

00-00-5E-00-01-{VRID} (in hex, in internet standard bit-order)

The first three octets are derived from the IANA's OUI. The next two octets (00-01) indicate the address block assigned to the VRRP protocol. {VRID} is the VRRP Virtual Router Identifier. This mapping provides for up to 255 VRRP routers on a network. A virtual router is defined by its virtual router identifier (VRID) and a set of IP addresses. A VRRP router may associate a virtual router with its real addresses on an interface, and may also be configured with additional virtual router mappings and priorities for virtual routers it is willing to back up. The mapping between VRID and addresses must be coordinated among all VRRP routers on a LAN.
[Figure: three routers (1.1.1.3, 1.1.1.4 and 1.1.1.5) on one LAN backing two virtual routers: VRID=01 with IP 1.1.1.1 and VRID=02 with IP 1.1.1.2.]

To minimize network traffic, only the Master for each virtual router sends periodic VRRP Advertisement messages. A Backup router will not attempt to pre-empt the Master unless it has higher priority. This eliminates service disruption unless a more preferred path becomes available. It's also possible to administratively prohibit all preemption attempts. The only exception is that a VRRP router will always become Master of any virtual router associated with addresses it owns. If the Master becomes unavailable then the highest priority Backup will transition to Master after a short delay, providing a controlled transition of the virtual router responsibility with minimal service interruption.

VRRP defines three types of authentication providing simple deployment in insecure environments, added protection against misconfiguration, and strong sender authentication in security conscious environments.

VRRP packets are sent encapsulated in IP packets. They are sent to the IPv4 multicast address assigned to VRRP.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |Version| Type  | Virtual Rtr ID|   Priority    | IP Addr Count |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |   Auth Type   |   Adver Int   |          Checksum             |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                         IP Address (1)                        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                            .                                  |
   |                            .                                  |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                         IP Address (n)                        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                     Authentication Data (1)                   |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                     Authentication Data (2)                   |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Picture 1: VRRP packet structure

IP header

Source Address: the primary IP address of the interface the packet is being sent from.
Destination Address: the IP multicast address assigned by the IANA for VRRP, 224.0.0.18.
TTL: Time to Live. It must be 255; a received packet with any other TTL must be discarded.
Protocol: the IP protocol number assigned by the IANA for VRRP is 112 (decimal).

VRRP Field Descriptions


Version
The version field specifies the VRRP protocol version of this packet.

Type
The type field specifies the type of this VRRP packet. The only packet type defined in this version of the protocol is: 1 ADVERTISEMENT.

Virtual Rtr ID (VRID)


The Virtual Router Identifier (VRID) field identifies the virtual router this packet is reporting status for.

Priority
The priority field specifies the sending VRRP router's priority for the virtual router. Higher values equal higher priority. This field is an 8 bit unsigned integer field. The priority value for the VRRP router that owns the IP address(es) associated with the virtual router MUST be 255 (decimal). VRRP routers backing up a virtual router MUST use priority values between 1-254 (decimal). The default priority value for VRRP routers backing up a virtual router is 100 (decimal). The priority value zero (0) has special meaning indicating that the current Master has stopped participating in VRRP. This is used to trigger Backup routers to quickly transition to Master without having to wait for the current Master to timeout.

IP Address Count
The number of IP addresses contained in this VRRP advertisement.

Authentication Type
The authentication type field identifies the authentication method being utilized. The authentication type is unique on a per-interface basis. The field is an 8-bit unsigned integer. A packet with an unknown authentication type, or one that does not match the locally configured authentication method, MUST be discarded. The authentication methods currently defined are:

0 - No Authentication
1 - Simple Text Password
2 - IP Authentication Header

No Authentication: VRRP protocol exchanges are not authenticated. The contents of the Authentication Data field should be set to zero on transmission and ignored on reception.

Simple Text Password: VRRP protocol exchanges are authenticated by a clear text password. The contents of the Authentication Data field should be set to the locally configured password on transmission. There is no default password. The receiver MUST check that the Authentication Data in the packet matches its configured authentication string; packets that do not match MUST be discarded. Note that there are security implications to using Simple Text password authentication, as the password travels in the clear in every advertisement (see the Weak points section of this document).

IP Authentication Header The use of this authentication type means the VRRP protocol exchanges are authenticated using the mechanisms defined by the IP Authentication Header [AUTH] using "The Use of HMAC-MD5-96 within ESP and AH" [HMAC]. Keys may be either configured manually or via a key distribution protocol. If a packet is received that does not pass the authentication check due to a missing authentication header or incorrect message digest, then the packet MUST be discarded. The contents of the Authentication Data field should be set to zero on transmission and ignored on reception.

Advertisement Interval
The Advertisement interval indicates the time interval (in seconds) between ADVERTISEMENTS. The default is 1 second. This field is used for troubleshooting misconfigured routers.

Checksum
The checksum field is used to detect data corruption in the VRRP message. The checksum is the 16-bit one's complement of the one's complement sum of the entire VRRP message starting with the version field. For computing the checksum, the checksum field is set to zero.

IP Address(es)
One or more IP addresses that are associated with the virtual router. The number of addresses included is specified in the "IP Address Count" field. These fields are used for troubleshooting misconfigured routers.

Authentication Data
The authentication string is currently only utilized for simple text authentication, similar to the simple text authentication found in the Open Shortest Path First routing protocol. It is up to 8 characters of plain text.
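The wire format and the receive checks described above, as an added example that is not part of the original whitepaper: a small Python encoder/decoder for VRRPv2 advertisements that computes the one's complement checksum and applies the discard rules (TTL 255, version, type, checksum, advertisement interval, authentication type and simple text authentication data). The sample packets are constructed inline and nothing is sent on the wire; the function and constant names are this example's own.

```python
"""VRRPv2 advertisement encoder/decoder with the receive-side checks of RFC 2338.

Added example for this whitepaper, not the author's code. Standard library only;
the packets below are constructed inline, nothing is sent on the wire.
"""
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address

VRRP_PROTO = 112           # IP protocol number assigned by IANA to VRRP
VRRP_MCAST = "224.0.0.18"  # destination multicast group
VRRP_TTL = 255             # any other TTL must be discarded
AUTH_NONE, AUTH_SIMPLE, AUTH_AH = 0, 1, 2
# version/type, VRID, priority, IP address count, auth type, adver int, checksum
HDR = struct.Struct("!BBBBBBH")
AUTH_LEN = 8               # authentication data is always two 32-bit words


def checksum(data: bytes) -> int:
    """16-bit one's complement of the one's complement sum (checksum field = 0 on input)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


@dataclass
class Advertisement:
    vrid: int
    priority: int            # 255 = address owner, 1-254 = backup, 0 = master leaving
    addresses: list
    auth_type: int = AUTH_NONE
    adver_int: int = 1       # seconds
    auth_data: bytes = b""   # only carried for simple text authentication

    def virtual_mac(self) -> str:
        return "00:00:5e:00:01:%02x" % self.vrid

    def encode(self) -> bytes:
        auth = self.auth_data[:AUTH_LEN] if self.auth_type == AUTH_SIMPLE else b""
        body = b"".join(IPv4Address(a).packed for a in self.addresses) + auth.ljust(AUTH_LEN, b"\x00")
        fields = [0x20 | 1, self.vrid, self.priority, len(self.addresses),
                  self.auth_type, self.adver_int, 0]
        fields[-1] = checksum(HDR.pack(*fields) + body)   # fill in the checksum last
        return HDR.pack(*fields) + body


def decode(packet: bytes, ip_ttl: int = VRRP_TTL, local_auth_type: int = AUTH_NONE,
           local_auth_data: bytes = b"", local_adver_int: int = 1) -> Advertisement:
    """Parse one advertisement, applying every check after which RFC 2338 says MUST discard."""
    if ip_ttl != VRRP_TTL:
        raise ValueError("TTL %d, expected 255" % ip_ttl)
    if len(packet) < HDR.size:
        raise ValueError("packet shorter than the VRRP header")
    vt, vrid, prio, count, auth_type, adver_int, _ = HDR.unpack_from(packet)
    if vt >> 4 != 2:
        raise ValueError("unsupported VRRP version %d" % (vt >> 4))
    if vt & 0x0F != 1:
        raise ValueError("unknown packet type %d" % (vt & 0x0F))
    if checksum(packet) != 0:          # a valid message sums to zero including its checksum
        raise ValueError("checksum error")
    end = HDR.size + 4 * count + AUTH_LEN
    if len(packet) < end:
        raise ValueError("IP Address Count %d does not fit the packet" % count)
    if adver_int != local_adver_int:
        raise ValueError("advertisement interval %d differs from local %d" % (adver_int, local_adver_int))
    if auth_type != local_auth_type:
        raise ValueError("authentication type %d differs from local %d" % (auth_type, local_auth_type))
    auth = packet[HDR.size + 4 * count:end]
    if auth_type == AUTH_SIMPLE and auth != local_auth_data[:AUTH_LEN].ljust(AUTH_LEN, b"\x00"):
        raise ValueError("authentication data mismatch")
    addrs = [str(IPv4Address(packet[HDR.size + 4 * i:HDR.size + 4 * i + 4])) for i in range(count)]
    return Advertisement(vrid, prio, addrs, auth_type, adver_int,
                         auth if auth_type == AUTH_SIMPLE else b"")


def check(packet: bytes, **local) -> str:
    """Return "" when the packet would be accepted, otherwise the reason it is discarded."""
    try:
        decode(packet, **local)
        return ""
    except ValueError as why:
        return str(why)


if __name__ == "__main__":
    # Constructed sample: the owner of 192.168.1.1 advertising VRID 2, as in the Accelar example.
    pkt = Advertisement(vrid=2, priority=255, addresses=["192.168.1.1"]).encode()
    print(pkt.hex(), decode(pkt))
    forged = bytearray(pkt)
    forged[2] = 100                    # change the priority without recomputing the checksum
    print("tampered priority:", check(bytes(forged)))
    print("wrong TTL:", check(pkt, ip_ttl=64))
```

With simple text authentication the password is the last eight bytes of every advertisement, exactly as the Authentication Type section warns; the decoder only proves that a sender knows the string, not that it is a legitimate router.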

VRRP protocol states


There are three states defined for a VRRP router:

1. Initialize state: the router waits for a startup event. On startup it becomes Master if it owns the virtual router's IP address(es) (priority 255) and Backup otherwise.
2. Master state: the router sends out periodic advertisement packets and forwards traffic sent to the virtual router's IP addresses.
3. Backup state: the router listens to advertisements, comparing its own priority with the priority advertised, and takes over when the Master stops advertising or withdraws.

[Figure: state transitions between Initialize, Backup and Master.]

The specific definition of the states and the requirements for implementing VRRP can be found in RFC 2338 [13], sections 6.2-6.4.
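The three states and the priority-driven takeover, as an added example that is not part of the original whitepaper: a discrete-time simulation of one VRID with an address owner, two Backups and a shared LAN. The timer rules (Skew_Time = (256 - Priority) / 256 and Master_Down_Interval = 3 * Advertisement_Interval + Skew_Time) come from RFC 2338 section 6.1, not from this document; router names, addresses and the event timeline in demo() are constructed for illustration.

```python
"""Discrete-time simulation of the RFC 2338 VRRP state machine (Initialize, Backup, Master).
Added example for this whitepaper, not the author's code. Timer rules follow RFC 2338 section 6.1;
router names, addresses and the event timeline in demo() are constructed for illustration."""
ADVER_INTERVAL = 1.0   # seconds, must be identical on every router of the VRID
TICK = 0.01            # simulation step in seconds


class Router:
    def __init__(self, name, priority, ip, preempt=True):
        self.name, self.priority, self.ip, self.preempt = name, priority, ip, preempt
        self.state, self.alive = "Initialize", False
        self.master_down_timer = None   # absolute time at which the Master is presumed dead
        self.adver_timer = None         # absolute time of the next advertisement

    skew_time = property(lambda self: (256 - self.priority) / 256)                  # RFC 2338 6.1
    master_down_interval = property(lambda self: 3 * ADVER_INTERVAL + self.skew_time)

    def startup(self, sim, now):
        self.alive = True
        if self.priority == 255:                 # address owner becomes Master immediately
            self.become_master(sim, now)
        else:
            self.become_backup(sim, now)

    def become_master(self, sim, now):
        self.state, self.master_down_timer = "Master", None
        sim.log.append((now, self.name, "Master"))
        self.send_adv(sim, now, self.priority)   # a real router also sends gratuitous ARP here

    def become_backup(self, sim, now):
        self.state, self.adver_timer = "Backup", None
        self.master_down_timer = now + self.master_down_interval
        sim.log.append((now, self.name, "Backup"))

    def send_adv(self, sim, now, priority):
        self.adver_timer = now + ADVER_INTERVAL
        sim.deliver(self, now, priority)

    def receive(self, sim, now, sender, priority):
        if self.state == "Backup":
            if priority == 0:                    # Master is leaving: wait only the skew time
                self.master_down_timer = now + self.skew_time
            elif not self.preempt or priority >= self.priority:
                self.master_down_timer = now + self.master_down_interval
            # a lower-priority Master is ignored; we preempt when our timer expires
        elif self.state == "Master":
            if priority == 0:
                self.send_adv(sim, now, self.priority)
            elif priority > self.priority or (priority == self.priority and sender.ip > self.ip):
                self.become_backup(sim, now)

    def tick(self, sim, now):
        if self.state == "Backup" and now >= self.master_down_timer:
            self.become_master(sim, now)
        elif self.state == "Master" and now >= self.adver_timer:
            self.send_adv(sim, now, self.priority)

    def shutdown(self, sim, now):
        if self.state == "Master":
            self.send_adv(sim, now, 0)           # priority-0 advertisement, then stop
        self.state, self.alive = "Initialize", False
        sim.log.append((now, self.name, "Initialize"))

    def crash(self, sim, now):                   # dies silently: no priority-0 advertisement
        self.state, self.alive = "Initialize", False
        sim.log.append((now, self.name, "Down"))


class Simulation:
    """All routers share one LAN segment; multicast delivery is immediate."""
    def __init__(self, routers):
        self.routers, self.log = routers, []

    def deliver(self, sender, now, priority):
        for r in self.routers:
            if r is not sender and r.alive:
                r.receive(self, now, sender, priority)

    def run(self, duration, events):
        """events maps a time to [(router name, 'startup' | 'crash' | 'shutdown')]."""
        by_name = {r.name: r for r in self.routers}
        for step in range(int(duration / TICK) + 1):
            now = round(step * TICK, 2)
            for name, action in events.get(now, []):
                getattr(by_name[name], action)(self, now)
            for r in self.routers:
                if r.alive:
                    r.tick(self, now)
        return self.log


def demo():
    """Owner (255) fails silently, the best Backup (150, not 100) wins thanks to its shorter skew,
    the owner returns and preempts, then leaves gracefully with a priority-0 advertisement."""
    routers = [Router("R1", 255, "192.168.1.2"), Router("R2", 100, "192.168.1.3"),
               Router("R3", 150, "192.168.1.4")]
    events = {0.0: [("R1", "startup"), ("R2", "startup"), ("R3", "startup")],
              5.5: [("R1", "crash")], 12.0: [("R1", "startup")], 15.5: [("R1", "shutdown")]}
    return Simulation(routers).run(18, events)


if __name__ == "__main__":
    for when, who, state in demo():
        print("%6.2fs  %s -> %s" % (when, who, state))
```

The skew term is what keeps two Backups from racing: after the owner's last advertisement at 5.0 s, the priority-150 router times out about 0.2 s before the priority-100 one and its first advertisement resets the slower router's timer. The graceful shutdown at 15.5 s shows why a priority-0 advertisement matters: the takeover happens after the skew time alone instead of after three lost advertisements.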

VRRP Implementations
VRRP 2

This is the most common implementation, seen in many network elements. The reasons for choosing this kind of VRRP deployment are not very clear to me, but its weaknesses have to be considered in the design of the network (in the case below, the transfer network that is required).

Standard state
[Figure: VRRP 2, standard state. Workstation 192.168.1.11 on the user network 192.168.1.0/24 uses the virtual gateway 192.168.1.1; Accelar_1 (192.168.1.2) is Master and Accelar_2 is Backup. The two Accelar 1200 routers are also joined by a separate transfer network. On the server network 192.168.0.0/24 the server 192.168.0.11 uses the virtual gateway 192.168.0.1, with Accelar_1 (192.168.0.2) as Master.]

Failover state
[Figure: VRRP 2, failover state. Router_1's user-network interface (192.168.1.2) has failed: on the user network 192.168.1.0/24 Router_2 (192.168.1.3) is now Master for the virtual gateway 192.168.1.1, while on the server network 192.168.0.0/24 Router_1 (192.168.0.2) remains Master for 192.168.0.1 and Router_2 (192.168.0.3) stays Backup. Traffic between workstation 192.168.1.11 and server 192.168.0.11 therefore has to cross the transfer network between the two routers.]

The major disadvantage of the standard VRRP failover system is that it was designed to protect one side only. In a router environment it requires an extra transfer network between the routers to ensure that, after a failover, traffic still reaches its destination.

Monitored Circuit

This is a more advanced form of VRRP that monitors not only one network interface but a defined network flow. An outage of the user-network interface on the Master router causes the whole flow to be switched to the Backup router: the Master also gives up its server-network interface, so the Backup becomes the gateway on both sides. With standard VRRP the user-network gateway moves to the Backup router while the Master router remains the gateway on the server network, and traffic flows only if a third interface carries it from the Master router to the Backup router and back.

Standard State
[Figure: Monitored Circuit, standard state. Workstation 192.168.1.11 on the user network 192.168.1.0/24 uses the virtual gateway 192.168.1.1; Router_1 (192.168.1.2) is Master and Router_2 (192.168.1.3) is Backup. On the server network 192.168.0.0/24 the server 192.168.0.11 uses the virtual gateway 192.168.0.1; Router_1 (192.168.0.2) is Master and Router_2 (192.168.0.3) is Backup. There is no transfer network between the routers.]

Failover state
[Figure: Monitored Circuit, failover state. Router_1's user-network interface has failed and Router_1 is now Backup on both networks; Router_2 (192.168.1.3 / 192.168.0.3) is Master for both virtual gateways 192.168.1.1 and 192.168.0.1, so traffic between workstation 192.168.1.11 and server 192.168.0.11 passes through Router_2 alone.]

Here the advantages of the Monitored Circuit approach are clear. Saving one interface on each router, and the extra utilization the transfer network would put on each router, is a clear pro for this type of deployment. Unfortunately not all vendors use this VRRP approach (to my knowledge only Nokia does).
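The difference between standard VRRP and the Monitored Circuit behaviour, as an added example that is not part of the whitepaper or of any vendor's software. The model uses the two-segment topology of the figures above (user network 192.168.1.0/24 with VRID 1, server network 192.168.0.0/24 with VRID 2) and reports which router is Master on each segment after Router_1 loses its user-network interface, and whether a round trip between workstation and server still has a path. The priorities (200/100), the priority decrement of 150 applied when a monitored interface fails, and the Router/simulate names are assumptions of this example; a critical IP address, as on the Accelar routers in the next section, is one vendor's way of creating the same linkage between an interface and a virtual router's role.

```python
"""Which router is Master on each segment after an interface failure: standard VRRP
versus a monitored-circuit style link between the VRIDs of one router.

Added example for this whitepaper, not the author's or any vendor's code. Priorities,
the decrement applied on a monitored failure and the names below are assumptions.
"""
from dataclasses import dataclass, field

SEGMENTS = ("user", "server")     # 192.168.1.0/24 (VRID 1) and 192.168.0.0/24 (VRID 2)


@dataclass
class Router:
    name: str
    priority: dict                # configured VRRP priority per segment
    up: dict = field(default_factory=lambda: {"user": True, "server": True})

    def effective_priority(self, segment, monitored, delta):
        """Standard VRRP: only the interface on that segment matters (down = not participating).
        Monitored circuit: a failure on ANY monitored interface lowers the priority on every VRID."""
        if not self.up[segment]:
            return 0
        if monitored and not all(self.up.values()):
            return max(self.priority[segment] - delta, 0)
        return self.priority[segment]


def elect(routers, segment, monitored, delta):
    """Master for the segment's VRID: highest effective priority, or None if nobody can serve."""
    best = max(routers, key=lambda r: r.effective_priority(segment, monitored, delta))
    return best.name if best.effective_priority(segment, monitored, delta) > 0 else None


def one_way(routers, masters, src, dst, transfer_net):
    """Can a packet from segment src reach segment dst through src's virtual gateway?"""
    gw = next((r for r in routers if r.name == masters[src]), None)
    if gw is None:
        return False
    if gw.up[dst]:
        return True                           # the gateway itself has a working interface on dst
    # otherwise it must hand the packet to the other router across the transfer network
    return transfer_net and any(r.up[dst] for r in routers if r is not gw)


def simulate(monitored, failed=(), transfer_net=False, delta=150):
    """failed: iterable of (router name, segment) interfaces that are down."""
    routers = [Router("Router_1", {"user": 200, "server": 200}),
               Router("Router_2", {"user": 100, "server": 100})]
    for name, segment in failed:
        next(r for r in routers if r.name == name).up[segment] = False
    masters = {seg: elect(routers, seg, monitored, delta) for seg in SEGMENTS}
    fwd = one_way(routers, masters, "user", "server", transfer_net)
    back = one_way(routers, masters, "server", "user", transfer_net)
    return {"masters": masters, "workstation_to_server": fwd,
            "server_to_workstation": back, "round_trip": fwd and back}


if __name__ == "__main__":
    down = [("Router_1", "user")]            # the failover case drawn in the figures
    cases = [("standard VRRP, no transfer network", dict(monitored=False, failed=down)),
             ("standard VRRP + transfer network", dict(monitored=False, failed=down, transfer_net=True)),
             ("monitored circuit", dict(monitored=True, failed=down))]
    for label, kwargs in cases:
        print("%-36s %s" % (label, simulate(**kwargs)))
```

The standard case reproduces the asymmetry of the VRRP 2 failover figure: the workstation's packets reach the server through Router_2, but the server's replies go to 192.168.0.1, still owned by Router_1, which has no working path back to the user network unless the transfer network exists. Linking the VRIDs moves both gateways to Router_2 at once, which is why the Monitored Circuit figures need one interface less per router.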

Deployment strategies
Implementing a VRRP system is not as easy as the protocol makes it look: the implementation has to be carefully planned and deployed. A simple error in the procedure may cause various problems that show up long after the implementation. All steps during deployment should be carefully considered and executed, as priority exchange and failover are not always operational from the beginning, and with some systems a router may remain stuck in backup mode even though its priority is higher.

VRRP on routers
Router or gateway high availability is a necessity in important network areas where loss of connectivity translates directly into loss of profit or business. VRRP was primarily developed for the router environment, where routers interconnect several networks and each other. It is preferably used at network end-points, as intermediary systems prefer a more flexible solution: dynamic routing.
[Figure: VRRP on routers. Workstation 192.168.1.11 on the user network 192.168.1.0/24 uses the virtual gateway 192.168.1.1; Accelar_1 (192.168.1.2) is Master and Accelar_2 is Backup. On the server network 192.168.0.0/24 the server 192.168.0.11 uses the virtual gateway 192.168.0.1, with Accelar_1 (192.168.0.2) as Master.]

VRRP as used by routers is usually the standard version 2, which does not support fail-over of other interfaces. In this example I'll use Nortel Accelar routers to show how to configure VRRP on a router.

To set up VRRP parameters: on a port, choose Edit > Port > VRRP; on a VLAN, choose VLAN > VLANs > Basic > IP > VRRP. The Port VRRP window and the VLAN VRRP window have the same fields, described below:

VrId: identifier of the virtual router (VRID)
IpAddr: IP address of the virtual router, i.e. the address the clients use as their gateway
Priority: priority of this router (the higher value becomes Master)
AdvertisementInterval: interval between advertisement packets
CriticalAddr: critical IP address, an IP interface on the local router whose state change causes a role switch of the virtual router

To view all configured VRIDs for the switch, use the Edit VRRP window; VRIDs cannot be added or deleted from this window. From the main menu click Routing > IP > VRRP.

Configuration through the CLI reaches the same result (without SNMP):

config ethernet [port] ip vrrp [VRID] followed by:

info                  Displays the current port VRRP configuration.
address <ipaddr>      Sets the IP address of the virtual router interface.
adver-int <seconds>   Sets the advertising interval (in seconds), the time interval between sending advertisement messages. The value must be the same on all participating routers. The range is 1 to 255, and the default is 1.
critical-ip <ipaddr>  Sets the critical IP address for VRRP. This address is an IP interface on the local router configured so that a change in its state causes a role switch in the virtual router (for example, from master to backup if the interface goes down).
delete                Deletes the VRRP from the port.
disable               Disables VRRP on the port.
enable                Enables VRRP on the port.
priority <prio>       Sets the port VRRP priority (1 to 254) value to be used by this VRRP router. The default is 100. The value 255 is assigned to the router that owns the IP address associated with the virtual router.

Example:

    Accelar-1200# config ethernet 3/3 ip vrrp 2 info
    Port 3/3 :
        address     : 192.168.1.1
        adver-int   : 1
        critical-ip : 0.0.0.0
        delete      : N/A
        vrrp        : enable
        priority    : 255

To see the configuration:

    Accelar-1200# show ports info vrrp main
    ==================================================================
                                 Port Vrrp
    ==================================================================
    PORT_NUM  VRRP_ID  IP_ADDRESS   VIRTUAL_MAC_ADDR
    ------------------------------------------------------------------
    3/3       2        192.168.1.1  00:00:5e:00:01:02

    Accelar-1200# show ports info vrrp extended
    ===============================================================================
                              Port Vrrp Extended
    ===============================================================================
    PORT  STATE   CONTROL  PRIORITY  MASTER_IPADDR  ADVERTISE  CRITICAL_IPADDR
    -------------------------------------------------------------------------------
    3/3   master  enabled  255       192.168.1.1    1          0.0.0.0

config vlan [vlanid] ip vrrp [vrid] followed by:

info                  Displays the current VLAN VRRP configuration.
address <ipaddr>      Sets the IP address of the virtual router interface.
adver-int <seconds>   Sets the advertising interval (in seconds), the time interval between sending advertisement messages. The value must be the same on all participating routers. The range is 1 to 255, and the default is 1.
critical-ip <ipaddr>  Sets the critical IP address for VRRP. This address is an IP interface on the local router configured so that a change in its state causes a role switch in the virtual router (for example, from master to backup if the interface goes down).
delete                Deletes the VRRP from the VLAN.
disable               Disables VRRP on the VLAN.
enable                Enables VRRP on the VLAN.
priority <prio>       Sets the VLAN VRRP priority (1 to 254) value to be used by this VRRP router. The default is 100. The value 255 is assigned to the router that owns the IP address associated with the virtual router.

Example:

Accelar-1200# config vlan 2 ip vrrp 1 info
  address     : 192.168.1.1
  adver-int   : 1
  critical-ip : 0.0.0.0
  delete      : N/A
  vrrp enable : enable
  priority    : 255
  set         : N/A
  delete      : N/A

Accelar-1200# show vlan info vrrp main
==================================================================
                            Vlan Vrrp
==================================================================
VLAN VRRP              VIRTUAL
ID   ID   IPADDR       MAC ADDR
------------------------------------------------------------------
2    1    192.168.1.1  00:00:5e:00:01:01

Accelar-1200# show vlan info vrrp extended
===============================================================================
                            Vlan Vrrp Extended
===============================================================================
                             MASTER       ADVERTISE CRITICAL
VID STATE  CONTROL PRIORITY  IPADDR       INTERVAL  IPADDR
-------------------------------------------------------------------------------
2   master enabled 255       192.168.1.1  1         0.0.0.0

In order to debug the VRRP configuration there are some special commands:

Accelar-1200# show ip vrrp info
===============================================================================
                               Vrrp Info
===============================================================================
VRID IP           MAC                STATE  CONTROL PRIO
-------------------------------------------------------------------------------
2    192.168.1.1  00:00:5e:00:01:02  Master Enabled 255
1    192.168.0.1  00:00:5e:00:01:01  Master Enabled 255

VRID MASTER       ADV UP                  CRITICAL
-------------------------------------------------------------------------------
2    192.168.1.1  1   0 day(s), 00:10:39  0.0.0.0
1    192.168.0.1  1   0 day(s), 00:11:08  0.0.0.0

Accelar-1200# show ip vrrp stats 1 100.100.100.1
===============================================================================
                               Vrrp Stats
===============================================================================
BECOME_MASTER ADVERITSE_RECEIVED CHECK_SUM_ERROR VERSION_ERROR
-------------------------------------------------------------------------------
0             0                  0               0
VRID_ERROR ADVERTISE_INT_ERROR TTL_ERROR PRIO_0_RECEIVED
-------------------------------------------------------------------------------
0          0                   0         0
PRIO_0_SENT INVALID_TYPE_ERROR ADDRESS_LIST_ERROR UNKNOWN_AUTHTYPE
-------------------------------------------------------------------------------
0           0                  0                  0


VRRP by firewalls
Firewall high availability is not as easy as router HA, as there are other aspects requiring attention. If a firewall is bound to an interface IP address, it is not possible to use a standard VRRP system without some modifications. Network address translation, especially dynamic NAT, is also not easy to implement. A monitored-circuit system may allow us to forward packets from the VRIP to our standard IP address, which makes implementations on such firewalls possible. Checkpoint FW1 is not bound to an interface IP address and can operate on both VRRP systems, since in case of an interface change the system modifies itself as well as its filters. There is also another problem in case of fail-over: stateful packet filtering. Firewalls keep their IP flow states, and if one firewall fails there is no possibility to recover connections in progress; the workstation needs to reconnect its TCP sessions to the server. Synchronization of the packet state table can remove such problems, but preferably over an extra interface without too much load on it.
[Figure: VRRP firewall pair. Workstation 10.168.1.11 on the User Network 10.168.1.0/24 (addresses 10.168.1.1, 10.168.1.2 and 10.168.1.3); Firewall1 (Master) and Firewall2 (Backup), both Checkpoint, joined by a synchronisation link; Server network 192.168.0.0/24 (addresses 192.168.0.1, 192.168.0.2 and 192.168.0.3); Server 192.168.0.11.]

VRRP on servers
High availability of important servers or applications is another possible place for VRRP to be used. There are already various system enhancements that allow VRRP to be used by operating systems [7]. One of them is VRRPd, which can be downloaded at http://w3.arobas.net/~jetienne/vrrpd/index.html, or a somewhat newer modification at http://www.linuxvirtualserver.org/~acassen/. Implementation is done by installing a daemon that handles VRRP packets. These daemons only ensure high availability of the system and do not do any load balancing or application synchronization. If there is a need to do load balancing there are other tools for that as well (e.g. Stonebeat [16], Radware [17], F5 Networks [18] or others). Load balancing can also be done by the application, but this is considered more of an exception, as applications are not designed for multihomed operation. To obtain a fully redundant solution there needs to be synchronization between servers or applications. Such synchronization causes a lot of network traffic and should be done on a special interface separated from other network traffic. When synchronizing application content to many servers, multicasting may be more efficient and save network performance. There is no specific solution or protocol to do that, as the requirements from the application or server point of view are too general.
[Figure: VRRP on servers. Workstation 192.168.0.100 on the Office Network 192.168.0.0/24; address 192.168.0.10; Server1 192.168.0.11 (Master), Server2 192.168.0.12 (Backup1), Server3 192.168.0.13 (Backup2).]

VRRP test procedure


To fulfill HA requirements there needs to be a test procedure in place that ensures the system is deployed correctly. If the system works fine after deployment, it doesn't mean that it will work fine after an hour, during fail-over or after the fail-over state. The main part of the test procedure is the simulation of those states. To test the system we need a sniffer in place that shows us what is actually going on at every router interface. This may be accomplished by an expensive network tester (e.g. NAI Sniffer) or by a cheaper PC + Unix + tcpdump alternative. Some routers already have such a tool built in (e.g. Nokia).

Main state: the system is fully functional and the master is operational.
1. Ping the primary IP address (should be responding from the primary router).
2. Packet flow should be going through the primary router.

Fail-over state: the master router is not working and the backup router should take over the functionality.
1. Remove the connection on the primary router that is carrying the primary IP address.
2. Ping the primary IP address (should be responding within 3 seconds).
3. Check the interface status on the backup router (the backup router should contain 2 IP addresses and packets should be flowing through it).

Return from fail-over state: the backup router is working and the master router has recovered from the failure.
1. Plug back the cable removed in the previous step.
2. Ping the primary IP address (should be responding within 3 seconds).
3. Check the interface status on the backup router (the primary IP address should be gone) and on the primary router (packets should be using this interface).
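As an added example (not part of the paper), the following Python helper supports the test procedure above: it decodes the VRRPv2 advertisements that the tcpdump sniffer shows on a router interface (RFC 2338 field layout, checksum verified), tells which router is currently winning the election for a VRID, and checks the "responding within 3 seconds" rule from a list of ping reply timestamps. The packets and timestamps are constructed here, not captured from the Accelar setup.

```python
import socket
import struct
# Added example (not the paper's code): decode the VRRP advertisements a tcpdump
# sniffer shows on a router interface during the test, and check the "responding
# within 3 seconds" rule from ping reply timestamps. All data below is constructed.

def vrrp_checksum(data: bytes) -> int:
    """16-bit one's-complement checksum over the VRRP payload (RFC 2338)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_advert(vrid: int, priority: int, ips, adver_int: int = 1) -> bytes:
    """VRRPv2 advertisement (auth type 0) as it follows the IP header on the wire."""
    hdr = struct.pack("!BBBBBBH", (2 << 4) | 1, vrid, priority, len(ips), 0, adver_int, 0)
    body = b"".join(socket.inet_aton(ip) for ip in ips) + bytes(8)  # 8 bytes of auth data
    return hdr[:6] + struct.pack("!H", vrrp_checksum(hdr + body)) + body

def parse_advert(payload: bytes) -> dict:
    """Decode one advertisement; a corrupt checksum raises ValueError."""
    if vrrp_checksum(payload) != 0:
        raise ValueError("bad VRRP checksum")
    ver_type, vrid, prio, count, auth, adv, _ = struct.unpack("!BBBBBBH", payload[:8])
    ips = [socket.inet_ntoa(payload[8 + 4 * i:12 + 4 * i]) for i in range(count)]
    return {"version": ver_type >> 4, "type": ver_type & 0xF, "vrid": vrid,
            "priority": prio, "auth_type": auth, "adver_int": adv, "ips": ips}

def current_master(adverts):
    """Election rule for one VRID: highest priority wins; priority 0 means the master is releasing."""
    live = [a for a in adverts if a["priority"] > 0]
    return max(live, key=lambda a: a["priority"]) if live else None

def failover_gap(reply_times, deadline: float = 3.0):
    """Longest silence between consecutive ping replies and whether it met the deadline."""
    gaps = [b - a for a, b in zip(reply_times, reply_times[1:])]
    worst = max(gaps, default=0.0)
    return worst, worst <= deadline

# Constructed: the VRIP owner (priority 255) and a backup (priority 100), both VRID 2.
CAPTURED = [build_advert(2, 255, ["192.168.1.1"]), build_advert(2, 100, ["192.168.1.1"])]
# Constructed ping reply times (seconds) around a simulated cable pull at t=2.
PING_REPLIES = [0.0, 1.0, 2.0, 4.5, 5.5, 6.5]

if __name__ == "__main__":
    print("master:", current_master([parse_advert(p) for p in CAPTURED]))
    print("worst gap, within 3 s:", failover_gap(PING_REPLIES))
```

Feed `parse_advert` the VRRP payload bytes (IP protocol 112) from the sniffer and `failover_gap` the reply timestamps from a continuous ping to the VRIP; a backup still advertising with priority 255 after the cable is restored shows up immediately in `current_master`.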


Weak points
No protocol or implementation of it is bulletproof in the sense that there is no undefined state the system may get into. Even the VRRP protocol has minor issues that need to be addressed by protocol designers or implementers.

1. Fail-over problem on the network layer (only one interface down)
2. Fail-over problem on the application layer (application hanging)
3. Weak protocol authentication (VRIP takeover/DoS)
4. SNMP management security (section 4 of RFC 2787 [14])

Point 1.
Point 2.
Point 3. Weak protocol authentication (VRIP takeover/DoS)
Point 4.


Possibilities of improvement


References:
1. http://www.nokia.com.br/nic/pdf/vrrp.pdf
2. http://www.alliedtelesyn.co.nz/documentation/arrouter/231/pdf/vrrp.pdf
3. http://www.cisco.com/warp/public/471/vrrp.pdf
4. http://www.futsoft.com/pdf/VRRPfs001.pdf
5. http://lwn.net/2001/features/OLS/pdf/pdf/vrrpd.pdf
6. http://www.alliedtelesyn.co.nz/support/ar800/ar800-221/vrrp.pdf
7. http://keepalived.sourceforge.net/pdf/LVS-HA-using-VRRPv2.pdf
8. http://www.nortelnetworks.com/solutions/lan/collateral/ppvrrp.pdf
9. http://support.efficient.com/docs/pdf/vrrp.pdf
10. http://csgrad.cs.vt.edu/~jxzhao/ECPE6504/presentations/VRRP.PDF
11. vrrpd homepage, http://w3.arobas.net/~jetienne/vrrpd/
12. http://www.protocolsource.com/download/future_vrrp.PDF
13. http://www.ittc.ku.edu/~subhashiv/845/vrrp/presentation.ppt
14. RFC 2338, Virtual Router Redundancy Protocol
15. RFC 2787, Definitions of Managed Objects for the Virtual Router Redundancy Protocol
16. http://www.stonesoft.com/products/ServerCluster/
17. http://www.radware.com/content/products/index.asp
18. http://www.f5.com/f5products/
19.

