from:http://bbs.nanjimao.com/thread-790-1-1.html
Reference: RFC 3768
1. Preface
VRRP (Virtual Router Redundancy Protocol) protocol is a protocol for implementing router redundancy. The latest protocol is defined in RFC3768. The original definition RFC2338 is abolished, and the new protocol relatively simplifies some functions.
2. Protocol description
2.1 Protocol
VRRP protocol is a protocol in active/standby mode designed to eliminate the network failure caused by the single point of failure of the default router in the static default routing environment, so that the device function can be switched in the event of a failure. Affecting internal and external data communication, there is no need to modify the network parameters of the internal network. The VRRP protocol needs to have the functions of IP address backup, preferential routing, and reducing unnecessary communication between routers.
The VRRP protocol virtualizes two or more router devices into one device, and provides virtual router IP (one or more) to the outside world. Inside the router group, if the router that actually has this external IP is working normally, it is the MASTER, or Through algorithm election, MASTER implements various network functions for virtual router IP, such as ARP request, ICMP, and data forwarding; other devices do not own the IP, and the status is BACKUP. Except for receiving MASTER's VRRP status notification information, No external network functions are performed. When the host fails, BACKUP will take over the network function of the original MASTER.
When configuring the VRRP protocol, you need to configure the virtual router ID (VRID) and priority value of each router. Use VRID to group routers. Routers with the same VRID value are in the same group, and VRID is a positive integer from 0 to 255; the same The routers in the group elect the MASTER by using the priority value. The higher priority is the MASTER, and the priority is also a positive integer from 0 to 255.
The VRRP protocol uses multicast data to transmit VRRP data. VRRP data uses a special virtual source MAC address to send data instead of the MAC address of its own network card. When VRRP is running, only the MASTER router regularly sends VRRP advertisement information, indicating that the MASTER works normally and the virtual router IP address (group), BACKUP only receives VRRP data and does not send data. If the notification information of MASTER is not received within a certain period of time, each BACKUP will announce itself as a MASTER, send notification information, and re-run the MASTER election state.
2.2 MASTER election
If the external virtual router IP is the IP address configured by the router itself, the router is always a MASTER;
otherwise, if it does not have a virtual IP, a MASTER election will be performed, and each router will announce itself as a MASTER and send VRRP advertisement information ;
If the priority of the notification information sent by other machines is higher than that of itself, it will return to the BACKUP state;
if the priorities are equal, the actual IP of the router will be compared, and the higher IP value will have higher priority ;
If the virtual router IP is the IP of the router itself, the router will always be MASTER, and the priority value at this time is 255.
2.3 Protocol state machine
VRRP protocol state is relatively simple, there are three states, initialization, host, backup machine.
初始化:
路由器启动时,如果路由器的优先级是255(最高优先级,路由器拥有路由器地址),要发送VRRP通告信息,并发送广播ARP信息通告路由器IP地址对应的MAC地址为路由虚拟MAC,设置通告信息定时器准备定时发送VRRP通告信息,转为MASTER状态;
否则进入BACKUP状态,设置定时器检查定时检查是否收到MASTER的通告信息。
主机:
主机状态下的路由器要完成如下功能:
设置定时通告定时器;
用VRRP虚拟MAC地址响应路由器IP地址的ARP请求;
转发目的MAC是VRRP虚拟MAC的数据包;
如果是虚拟路由器IP的拥有者,将接受目的地址是虚拟路由器IP的数据包,否则丢弃;
当收到shutdown的事件时删除定时通告定时器,发送优先权级为0的通告包,转初始化状态;
如果定时通告定时器超时时,发送VRRP通告信息;
收到VRRP通告信息时,如果优先权为0,发送VRRP通告信息;否则判断数据的优先级是否高于本机,或相等而且实际IP地址大于本地实际IP,设置定时通告定时器,复位主机超时定时器,转BACKUP状态;否则的话,丢弃该通告包;
备机:
备机状态下的路由器要实现以下功能:
设置主机超时定时器;
不能响应针对虚拟路由器IP的ARP请求信息;
丢弃所有目的MAC地址是虚拟路由器MAC地址的数据包;
不接受目的是虚拟路由器IP的所有数据包;
当收到shutdown的事件时删除主机超时定时器,转初始化状态;
主机超时定时器超时的时候,发送VRRP通告信息,广播ARP地址信息,转MASTER状态;
收到VRRP通告信息时,如果优先权为0,表示进入MASTER选举;否则判断数据的优先级是否高于本机,如果高的话承认MASTER有效,复位主机超时定时器;否则的话,丢弃该通告包;
2.4 ARP查询处理
当内部主机通过ARP查询虚拟路由器IP地址对应的MAC地址时,MASTER路由器回复的MAC地址为虚拟的VRRP的MAC地址,而不是实际网卡的MAC地址,这样在路由器切换时让内网机器觉察不到;而在路由器重新启动时,不能主动发送本机网卡的实际MAC地址。如果虚拟路由器开启的ARP代理(proxy_arp)功能,代理的ARP回应也回应VRRP虚拟MAC地址;
2.5 VRRP应用举例
这是通常VRRP使用拓扑,两台路由器运行VRRP互为备份,路由器1作为VRID组1的MASTER,IP地址A,VRID组2的BACKUP,路由器2作为VRID组2的MASTER,IP地址B,VRID组1的BACKUP,内部网络中一部分机器的缺省网关地址是IP地址A,一部分是IP地址B,正常情况下以A为网关的数据将走路由器1,以B为网关的数据将走路由器2,如果一台路由器发生故障,所有数据将走另一台路由器。
3. 协议定义
3.1 以太头
源MAC地址必须为虚拟MAC地址:00-00-5E-00-01-{VRID},VRID为虚拟路由器ID值,16进制格式,所以同一网段中最多有255个VRRP路由器;目的MAC为多播类型的MAC。
这里可以看出VRID非常重要
3.2 IP头参数
VRRP包的源地址是本机地址,目的地址必须为224.0.0.18,为一多播地址;IP协议号为112;IP包的TTL值必须为255。
3.3 VRRP协议数据格式
其中:
version:版本,4位,在RFC3768中定义为2;
Type:类型,4位,目前只定义一种类类型:通告数据,取值为1;
Virtual Rtr ID:虚拟路由器ID,8位
Priority:优先级,8位,具备冗余IP地址的设备的优先级为255;
Count IP Addrs:VRRP包中的IP地址数量,8位;
Auth Type:认证类型,8位,RFC3768中认证功能已经取消,此字段值定义0(不认证),为1,2只作为对老版本的兼容;
Adver Int:通告包的发送间隔时间,8位,单位是秒,缺省是1秒;
Checksum:校验和,16位,校验数据范围只是VRRP数据,即从VRRP的版本字段开始的数据,不包括IP头;
IP Address(es):和虚拟路由器相关的IP地址,数量由Count IP Addrs决定
Authentication Data:RFC3768中定义该字段只是为了和老版本兼容,必须置0。
3.4 接收数据时的必须检查
收到VRRP数据包时要进行以下验证,不满足的数据包将被丢弃:
- TTL必须为255;
- VRRP版本号必须为2;
- 一个包中数据字段必须完整;
- 校验和必须正确;
- 必须验证在接收的网卡上配置了VRID值,而且本地路由器不是路由IP地址的拥有者
- 必须验证VVRP认证类型和配置的一致;
4. 结论
VRRP实现了对路由器IP地址的冗余功能,防止了单点故障造成的网络失效,VRRP本身是热备形式的,但可以通过互相热备实现路由器的均衡处理,新版的VRRP较老版简化了认证处理,实际不再进行数据的认证,这是因为在实际应用中经常出现认证成为造成多个MASTER同时使用的异常情况。
-
-
-
eee
ee
e