[Essentials] VRRP basics explained in detail

VRRP is a fault-tolerant protocol designed for LANs with multicast or broadcast capability (such as Ethernet). It ensures that when the next-hop router of a host on the LAN fails, another router can take over in time, so that communication stays continuous and reliable.

For VRRP to work, a virtual router ID and a virtual IP address must be configured on the routers, and a virtual MAC address is generated at the same time. Together these add a virtual router to the network.

Hosts on the network communicate with the virtual router and need to know nothing about the physical routers behind it. A virtual router consists of one master router and several backup routers; the master performs the actual forwarding. When the master fails, one of the backup routers becomes the new master and takes over its work.

VRRP defines only one message type, the VRRP advertisement: a multicast message encapsulated in IP and sent periodically by the master router to announce that it is alive. These messages let the other routers detect the master of the virtual router, and the parameters they carry are used in the election of the master.

VRRP also defines three states: Initialize (the initial state), Master (the active state) and Backup. Only a router in the Master state serves forwarding requests addressed to the virtual IP address.

The VRRP protocol described here applies only to IPv4 routers; for IPv6 routers, separate specifications define the corresponding behaviour.

VRRP packet

VRRP protocol packets advertise the priority and state of the master device to all backup devices in the same backup group. They are encapsulated in IP packets: the source address is the primary IP address of the sending interface (not the virtual IP address), the destination address is 224.0.0.18, the TTL is 255 and the IP protocol number is 112.

Currently there are two versions of VRRP, VRRPv2 and VRRPv3. The main differences between them are:

1. Supported network types: VRRPv3 applies to both IPv4 and IPv6 networks, while VRRPv2 applies only to IPv4 networks.

2. Authentication: VRRPv3 does not support authentication, while VRRPv2 does.

3. Unit of the advertisement interval: VRRPv3 supports centiseconds, while VRRPv2 supports seconds.

How VRRP works

1. A newly created VRRP device starts in the Initialize state. After its interface comes up, a device with a priority lower than 255 first switches to Backup; a device with priority 255 (that is, the virtual IP address is also the address of the physical interface) switches to Master and starts sending VRRP advertisements periodically.

2. A device that has switched to Backup starts the Master_Down_Interval timer, where Master_Down_Interval = (3 × Advertisement_Interval) + Skew_time, Skew_time = (256 − priority of the Backup device) / 256, and Advertisement_Interval defaults to 1 second. If the timer expires, the device switches to Master.

3. A device that switches to Master immediately sends a VRRP advertisement. If a Backup device has a higher priority than the Master and preemption is enabled on it, that Backup device becomes the Master.

4. If several VRRP devices switch to Master at the same time, they negotiate by exchanging VRRP advertisements and the device with the highest priority becomes the final Master; when priorities are equal, the device whose backup-group interface has the larger IP address becomes the Master.

5. The new Master immediately sends gratuitous ARP packets carrying the virtual router's virtual MAC address (format 00-00-5E-00-01-{VRID} for VRRP over IPv4, 00-00-5E-00-02-{VRID} for VRRP over IPv6) and the virtual IP address. This refreshes the MAC table entries of the hosts and devices attached to it and steers user traffic to the new Master.

6. When the original Master recovers from the failure, it switches directly back to Master if it is the IP address owner (priority 255).

7. Priorities 0 and 255 cannot be set manually. Only when the virtual IP address and the interface IP address are the same is the device's priority automatically set to 255. When the Master wants to leave the VRRP group, it sends a VRRP advertisement with priority 0.

VRRP state transition

The routers that make up a virtual router can be in one of three states: Initialize, Master and Backup.

The three states are explained below:

Initialize

The router enters this state after the system starts. When it receives an interface-up event, it switches to Backup (if its priority is not 255) or to Master (if its priority is 255). In this state the router does not process VRRP packets at all.

Master

When the router is in the Master state, it will do the following:

· Send VRRP multicast packets regularly;

· Send gratuitous ARP packets so that each host in the network knows the virtual MAC address corresponding to the virtual IP address;

· Respond to the ARP request for the virtual IP address, and the response is the virtual MAC address, not the real MAC address of the interface;

· Forward IP packets whose destination MAC address is a virtual MAC address;

· If it is the owner of the virtual IP address, it accepts IP packets whose destination IP address is the virtual IP address; otherwise it discards them. Note that, because of this rule, a host cannot successfully ping the virtual IP address unless the master router is the IP address owner;

A router in the Master state switches to Backup only when it receives a VRRP packet with a higher priority than its own, and switches to Initialize only when it receives an interface shutdown event.

Backup

A router in the Backup state switches to Master only when its MASTER_DOWN timer expires. When it receives a VRRP packet with a priority lower than its own, it simply discards the packet without resetting the timer; after a few such packets the timer expires and the router becomes Master. It switches to Initialize only when it receives an interface shutdown event.
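The transitions in steps 1 to 7 of "How VRRP works" and the three state descriptions above, as an added example that is not code from the original post: a small VRRPv2 router state machine in Python that computes Master_Down_Interval from the formula in step 2 and applies the timer, preemption and election rules. The class and method names and the sample addresses used in it are my own choices.

```python
# Added example, not from the original post: a VRRPv2 router state machine.
import ipaddress

INITIALIZE, BACKUP, MASTER = "Initialize", "Backup", "Master"
ADVERTISEMENT_INTERVAL = 1.0  # seconds; the default used in step 2 above

def master_down_interval(priority, adver_int=ADVERTISEMENT_INTERVAL):
    """Master_Down_Interval = (3 * Advertisement_Interval) + Skew_time."""
    return 3 * adver_int + (256 - priority) / 256  # Skew_time = (256 - priority) / 256

class VrrpRouter:
    def __init__(self, vrid, priority, interface_ip, preempt=True):
        self.vrid, self.priority, self.preempt = vrid, priority, preempt
        self.ip = int(ipaddress.IPv4Address(interface_ip))  # used for the tie-break
        self.state, self.master_down_timer = INITIALIZE, None  # timer in seconds

    def interface_up(self):
        # Priority 255 means this router owns the virtual IP: straight to Master.
        if self.priority == 255:
            self.state = MASTER
        else:
            self.state, self.master_down_timer = BACKUP, master_down_interval(self.priority)
        return self.state

    def interface_down(self):
        self.state, self.master_down_timer = INITIALIZE, None
        return self.state

    def receive_advertisement(self, adv_priority, adv_ip):
        """Apply an advertisement received from another router of the same VRID."""
        adv_ip = int(ipaddress.IPv4Address(adv_ip))
        if self.state == BACKUP:
            if adv_priority == 0:  # the Master is leaving: wait only Skew_time
                self.master_down_timer = (256 - self.priority) / 256
            elif adv_priority >= self.priority or not self.preempt:
                self.master_down_timer = master_down_interval(self.priority)
            # a lower-priority advertisement is discarded; the timer keeps running
        elif self.state == MASTER:
            # election rule: higher priority wins; on equal priority the larger IP wins
            if adv_priority > self.priority or (adv_priority == self.priority and adv_ip > self.ip):
                self.state, self.master_down_timer = BACKUP, master_down_interval(self.priority)
        return self.state

    def tick(self, elapsed):
        """Advance the Master_Down timer; a Backup whose timer expires becomes Master."""
        if self.state == BACKUP and self.master_down_timer is not None:
            self.master_down_timer -= elapsed
            if self.master_down_timer <= 0:
                self.state, self.master_down_timer = MASTER, None
        return self.state
```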

VRRP security

For network environments with different security requirements, different authentication methods and authentication keys can be set in the VRRP header; any packet that fails authentication is discarded. VRRP defines three authentication methods: no authentication, simple text authentication (a plain-text password) and MD5 authentication.
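As an added example that is not code from the original post, covering both the "VRRP packet" section and the authentication methods just listed: a Python checker that validates a received VRRPv2 advertisement the way a receiver must before acting on it, verifying the IP encapsulation (TTL 255, destination 224.0.0.18, protocol 112), the header layout, the checksum and, for authentication type 1, the plain-text key. The helper names and the sample packet are constructed by me; authentication type 2 (the MD5 method) is reported but not verified, since the post does not describe its mechanism.

```python
# Added example, not from the original post: validate a VRRPv2 advertisement.
import hmac
import struct

VRRP_MCAST, VRRP_PROTO = "224.0.0.18", 112   # from the packet section
AUTH_NONE, AUTH_SIMPLE, AUTH_MD5 = 0, 1, 2     # the three methods listed above
VERSION_TYPE = 0x21                            # version 2, type 1 (advertisement)

def ones_complement_checksum(data):
    """16-bit one's-complement sum over the whole VRRP message (0 when valid)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_advertisement(vrid, priority, vips, auth_type=AUTH_NONE, key=b"", adver_int=1):
    """Encode a constructed advertisement with a correct checksum (for testing)."""
    head = struct.pack("!BBBBBBH", VERSION_TYPE, vrid, priority, len(vips), auth_type, adver_int, 0)
    body = b"".join(bytes(map(int, v.split("."))) for v in vips) + key.ljust(8, b"\x00")[:8]
    return head[:6] + struct.pack("!H", ones_complement_checksum(head + body)) + body

def validate_advertisement(ttl, dst, proto, payload, vrid, key=b""):
    """Return (accepted, reason, fields); anything not accepted must be dropped."""
    if (ttl, dst, proto) != (255, VRRP_MCAST, VRRP_PROTO):
        return False, "bad IP encapsulation (TTL/destination/protocol)", None
    if len(payload) < 16 or ones_complement_checksum(payload) != 0:
        return False, "bad length or checksum", None
    vt, rx_vrid, prio, count, auth, adver, _ = struct.unpack("!BBBBBBH", payload[:8])
    if vt != VERSION_TYPE:
        return False, "not a VRRPv2 advertisement", None
    if len(payload) != 16 + 4 * count:
        return False, "IP address count does not match packet length", None
    if rx_vrid != vrid:
        return False, "advertisement for another VRID", None
    vips = [".".join(map(str, payload[8 + 4 * i:12 + 4 * i])) for i in range(count)]
    auth_data = payload[8 + 4 * count:16 + 4 * count]
    if auth == AUTH_SIMPLE:
        # constant-time compare of the 8-byte, NUL-padded plain-text key
        if not hmac.compare_digest(auth_data, key.ljust(8, b"\x00")[:8]):
            return False, "simple-text authentication failed", None
    elif auth == AUTH_MD5:
        return False, "MD5 authentication not verified by this example", None
    elif auth != AUTH_NONE:
        return False, "unknown authentication type", None
    fields = {"vrid": rx_vrid, "priority": prio, "adver_int": adver, "vips": vips, "auth_type": auth}
    return True, "ok", fields
```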

Origin blog.csdn.net/zhongyuanjy/article/details/112955219