The basic concept and configuration of VRRP

01 /
VRRP basic concepts and principles

-VRRP basic concepts -

As the Internet has developed, people expect ever higher reliability from the network. For LAN users, staying connected to the external network at all times is very important.
Typically, all hosts on the internal network are configured with the same default route pointing to the egress gateway (Router A in Figure 1), through which the hosts communicate with external networks. If the egress gateway fails, communication between the hosts and external networks is interrupted.
Configuring multiple egress gateways is a common way to improve system reliability, but host devices within a LAN do not support dynamic routing protocols, so how to choose a path among multiple egress gateways becomes a problem.

The IETF (Internet Engineering Task Force) introduced VRRP (Virtual Router Redundancy Protocol) to address the reliability of LAN hosts' access to external networks.
VRRP is a fault-tolerant protocol. Several routing devices jointly form one virtual routing device, and a mechanism ensures that when a host's next-hop device fails, traffic is switched to another device, maintaining the continuity and reliability of communication.
The advantage of VRRP is that, without changing the network topology and without configuring any dynamic routing or route discovery protocol on the hosts, you get a default route with higher reliability.
VRRP is specified in RFC 3768 and applies only to IPv4.
1. VRRP router (VRRP Router): a device running VRRP; it may belong to one or more virtual routers.
2. Virtual router (Virtual Router): an abstract device managed by VRRP, also called a VRRP backup group, which hosts on the shared LAN treat as their default gateway. It consists of a virtual router identifier and a set of virtual IP addresses.
3. Virtual IP address (Virtual IP Address): an IP address of the virtual router. A virtual router can have one or more IP addresses, configured by the user.
4. IP address owner (IP Address Owner): if a VRRP router uses the virtual router's IP address as a real interface address, that device is the IP address owner. When this device is working properly, it responds to packets whose destination address is the virtual IP address, such as pings and TCP connections.
5. Virtual MAC address (Virtual MAC Address): the MAC address generated from the virtual router ID. A virtual router has one virtual MAC address, in the format 00-00-5E-00-01-{VRID}. When the virtual router responds to ARP requests, it uses the virtual MAC address rather than the real MAC address of the interface.
6. Primary IP address (Primary IP Address): one address selected from the real IP addresses of the interface, usually the first IP address configured. VRRP advertisement packets use the primary IP address as the source address of the IP packet.
7. Master router (Virtual Router Master): the VRRP router that takes on forwarding packets sent to the virtual IP address and answering ARP requests. If the IP address owner is available, it usually acts as Master.
8. Backup router (Virtual Router Backup): the set of VRRP routers that do not forward packets. When the Master fails, they elect a new Master among themselves.
9. Preemption mode: in preemption mode, if a Backup's priority is higher than the current Master's priority, it proactively makes itself the Master.


-VRRP works -
VRRP groups a set of routers on a LAN into a backup group that functions as one virtual router. Hosts on the LAN only need to know the IP address of the virtual router, not the IP address of any specific device. Once a host's default gateway is set to the IP address of the virtual router, the host can communicate with external networks through the virtual gateway.
VRRP dynamically associates the virtual router with the physical router that carries the traffic. When that physical router fails, a new router is elected to take over forwarding. The whole process is completely transparent to users, so communication between the internal and external networks is not interrupted.
Hosts communicate with external networks through the virtual gateway. The routers work as follows:
The Master is selected according to priority. The election works in two ways:
Priorities are compared, and the router with the highest priority is elected Master.
When two routers with the same priority compete for Master at the same time, their interface IP addresses are compared. The router with the larger interface address is elected Master.
The other routers act as backup routers and monitor the status of the Master at all times.
When the master router is working properly, it sends a VRRP multicast packet at intervals (Advertisement_Interval) to inform the backup routers in the group that the master router is in a normal working state.
When a backup router in the group does not receive a packet from the master router within a period of time (Master_Down_Interval), it turns itself into the Master. When a VRRP backup group contains more than one backup router, multiple Masters may exist for a short time. In that case, each router compares the priority in the VRRP packets it receives with its local priority, so that the device with the highest priority becomes the Master.


02 /
VRRP packets and state machine

Version: the protocol version; VRRP is currently version 2.
Type: message type, only one value, 1, represents Advertisement.
Virtual Rtr ID (VRID): virtual router ID, ranging from 1 to 255.
Priority: the priority of the sending VRRP router in the virtual router. The range is 0 to 255, of which the usable range is 1 to 254. 0 indicates that the device has stopped participating in VRRP and is used to let a backup router become the master router as soon as possible, without waiting for the timer to expire; 255 is reserved for the IP address owner. The default value is 100.
Count IP Addrs: the number of virtual IP addresses contained in the VRRP advertisement.
Authentication Type: the authentication type. Note on the reason for the change: practice and analysis have shown that these authentication methods cannot provide real security. The TTL = 255 restriction blocks most of the local vulnerability ***.
Simple Text Password authentication is implemented.
Advertisement Interval: the interval at which advertisement packets are sent; the default is 1 second.
Checksum: checksum.
IP Address(es): the IP addresses of the virtual router; their number is the value of Count IP Addrs.
Authentication Data: the authentication key. Currently only plain text authentication uses this field; for other authentication modes it is filled with 0.
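The field list above as a decoder with the receive-side checks (version, type, TTL = 255, length, checksum). This is an added example, not code from the original article; the function names are hypothetical, and the field widths and checksum rule are taken from RFC 3768 because the packet diagram is missing from this page.

```python
import ipaddress
import struct

def checksum16(data: bytes) -> int:
    """16-bit one's complement of the one's complement sum of the message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_vrrp2(vrid: int, priority: int, vips: list, adver_int: int = 1) -> bytes:
    """Build a constructed VRRPv2 advertisement (Authentication Type 0)."""
    msg = struct.pack("!BBBBBBH", 0x21, vrid, priority, len(vips), 0, adver_int, 0)
    msg += b"".join(ipaddress.IPv4Address(v).packed for v in vips) + bytes(8)
    return msg[:6] + struct.pack("!H", checksum16(msg)) + msg[8:]

def parse_vrrp2(msg: bytes, ip_ttl: int) -> dict:
    """Decode the fields listed above and collect reasons to drop the packet."""
    if len(msg) < 8:
        raise ValueError("shorter than the fixed VRRP header")
    ver_type, vrid, priority, count, auth_type, adver_int = struct.unpack("!6B", msg[:6])
    problems = []
    if ver_type >> 4 != 2:
        problems.append("version is not 2")
    if ver_type & 0x0F != 1:
        problems.append("type is not 1 (Advertisement)")
    if ip_ttl != 255:
        problems.append("IP TTL is not 255")
    vips = []
    if len(msg) != 8 + 4 * count + 8:      # header + addresses + Authentication Data
        problems.append("length does not match Count IP Addrs")
    else:
        if checksum16(msg) != 0:           # a valid message sums to zero
            problems.append("bad checksum")
        vips = [str(ipaddress.IPv4Address(msg[8 + 4 * i:12 + 4 * i])) for i in range(count)]
    return {"vrid": vrid, "priority": priority, "auth_type": auth_type,
            "adver_int": adver_int, "virtual_ips": vips,
            "virtual_mac": f"00-00-5E-00-01-{vrid:02X}", "problems": problems}

# Constructed sample: VRID 1, priority 110, virtual IP 10.1.1.111, the values
# used for Switch A in the configuration example later on this page.
SAMPLE = build_vrrp2(vrid=1, priority=110, vips=["10.1.1.111"])

if __name__ == "__main__":
    print(parse_vrrp2(SAMPLE, ip_ttl=255))
    print(parse_vrrp2(SAMPLE, ip_ttl=64)["problems"])
```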


-VRRP state machine -

The VRRP state machine defines three states: the initial state (Initialize), the active state (Master), and the backup state (Backup). Of these, only a device in the active state forwards packets sent to the virtual IP address.
Initialize
The device enters this state when it starts. When the interface receives a Startup message, it moves to the Backup or Master state (the IP address owner has an interface priority of 255 and goes directly to Master). In this state, the device does no processing of VRRP packets.
Master
When the router is in the Master state, it must do the following:
Periodically send VRRP packets.
Respond to ARP requests for the virtual IP address with the virtual MAC address.
Forward IP packets whose destination MAC address is the virtual MAC address.
If it is the owner of the virtual IP address, accept IP packets whose destination IP address is the virtual IP address. Otherwise, discard such IP packets.
If it receives a packet with a priority higher than its own, change to the Backup state.
If it receives a packet with the same priority as its own and the sender's primary IP address is larger than its own primary IP address, change to the Backup state.
When it receives an interface Shutdown event, change to Initialize.

Backup
When the router is in the Backup state, it must do the following:
Receive the VRRP packets sent by the Master and judge whether the Master is working properly.
Do not respond to ARP requests for the virtual IP address.
Discard IP packets whose destination MAC address is the virtual MAC address.
Discard IP packets whose destination IP address is the virtual IP address.
If the priority in a received packet is lower than its own, discard the packet and do not reset the timer; if the priority in a received packet is the same as its own, reset the timer and do not compare IP addresses.
When the Backup's timer expires (a MASTER_DOWN_TIMER event, Master_Down_Timer), change to Master.
When it receives an interface Shutdown event, change to Initialize.
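The election rules and the three states above, run through a failure and recovery of the higher-priority router. This is an added example, not code from the original article; the class and function names are hypothetical, the two routers are constructed from the Switch A (priority 110) and Switch B (priority 100) values used in the configuration example on this page, and the Master_Down_Interval formula comes from RFC 3768.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address

@dataclass
class VrrpRouter:
    priority: int
    primary_ip: str
    state: str = "Initialize"
    timer_resets: int = 0      # times Master_Down_Timer was restarted

    def startup(self):
        self.state = "Master" if self.priority == 255 else "Backup"

    def shutdown(self):
        self.state = "Initialize"

    def master_down_timer_expired(self):
        if self.state == "Backup":
            self.state = "Master"

    def receive(self, adv_priority, adv_src_ip):
        """Apply the Master and Backup rules to one received advertisement."""
        if self.state == "Master":
            tie_lost = (adv_priority == self.priority and
                        IPv4Address(adv_src_ip) > IPv4Address(self.primary_ip))
            if adv_priority > self.priority or tie_lost:
                self.state = "Backup"
        elif self.state == "Backup" and adv_priority >= self.priority:
            self.timer_resets += 1     # Master is alive
        # Backup hearing a lower priority discards it; Initialize ignores VRRP.

def master_down_interval(priority, adver_int=1):
    # RFC 3768 formula (not on this page): 3 * interval + (256 - priority) / 256
    return 3 * adver_int + (256 - priority) / 256

def failover_demo():
    a, b = VrrpRouter(110, "10.1.1.1"), VrrpRouter(100, "10.1.1.2")
    trace = []
    def step(label, *actions):
        for act in actions:
            act()
        trace.append((label, a.state, b.state))
    first = min((a, b), key=lambda r: master_down_interval(r.priority))
    step("startup", a.startup, b.startup)
    step("first timer expiry", first.master_down_timer_expired)
    step("B hears A", lambda: b.receive(a.priority, a.primary_ip))
    step("A fails", a.shutdown, b.master_down_timer_expired)
    step("A returns", a.startup, lambda: a.receive(b.priority, b.primary_ip),
         a.master_down_timer_expired)
    step("B hears A again", lambda: b.receive(a.priority, a.primary_ip))
    return trace

if __name__ == "__main__":
    print(*failover_demo(), sep="\n")
```

The "A returns" row shows the short window with two Masters that the election text mentions; it closes as soon as Switch B hears the higher-priority advertisement.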


03 /
VRRP configuration

I. VRRP single backup group configuration example

  1. Network requirements
    • Host A needs to access Host B on the Internet; the default gateway of Host A is 10.1.1.111/24;
    • When Switch A is working properly, packets from Host A to Host B are forwarded through Switch A; when Switch A fails, packets from Host A to Host B are forwarded through Switch B.

Configuration procedure
NOTE: IntranetSwitch only performs switching and is not configured in this example.
(1) Configure VLAN 2 and VLAN 3 on Switch A.
<SwitchA> system-view
[SwitchA] vlan 2
[SwitchA-vlan2] port gigabitethernet 1/0/11
[SwitchA-vlan2] quit
[SwitchA] interface vlan-interface 2
[SwitchA-Vlan-interface2] ip address 10.1.1.1 255.255.255.0
[SwitchA-Vlan-interface2] quit
[SwitchA] vlan 3
[SwitchA-vlan3] port gigabitethernet 1/0/13
[SwitchA-vlan3] quit
[SwitchA] interface vlan-interface 3
[SwitchA-Vlan-interface3] ip address 10.1.3.1 255.255.255.0
[SwitchA-Vlan-interface3] quit
[SwitchA] ip route-static 0.0.0.0 0 10.1.3.2
Create backup group 1 and set the virtual IP address of backup group 1 to 10.1.1.111.
[SwitchA] inter vlan 2
[SwitchA-Vlan-interface2] vrrp vrid 1 virtual-ip 10.1.1.111
Set the priority of Switch A in backup group 1 to 110, higher than Switch B's priority of 100, to ensure that Switch A becomes the Master responsible for forwarding traffic.
[SwitchA-Vlan-interface2] vrrp vrid 1 priority 110
Configure Switch A to work in preemptive mode so that when Switch A recovers it preempts and becomes Master again; that is, as long as Switch A is working properly, Switch A is responsible for forwarding traffic. To avoid frequent state switching, set the preemption delay to 5 seconds.
[SwitchA-Vlan-interface2] vrrp vrid 1 preempt-mode delay 500
(2) Configure Switch B
Configure VLAN 2.
<SwitchB> system-view
[SwitchB] vlan 2
[SwitchB-vlan2] port gigabitethernet 1/0/12
[SwitchB-vlan2] quit
[SwitchB] interface vlan-interface 2
[SwitchB-Vlan-interface2] ip address 10.1.1.2 255.255.255.0
[SwitchB-Vlan-interface2] quit
[SwitchB] vlan 3
[SwitchB-vlan3] port gigabitethernet 1/0/14
[SwitchB-vlan3] quit
[SwitchB] interface vlan-interface 3
[SwitchB-Vlan-interface3] ip address 10.1.4.1 255.255.255.0
[SwitchB-Vlan-interface3] quit
[SwitchB] ip route-static 0.0.0.0 0 10.1.4.2
Create backup group 1 and set the virtual IP address of backup group 1 to 10.1.1.111.
[SwitchB] interface vlan-interface 2
[SwitchB-Vlan-interface2] vrrp vrid 1 virtual-ip 10.1.1.111
Set the priority of Switch B in backup group 1 to 100.
[SwitchB-Vlan-interface2] vrrp vrid 1 priority 100
Configure Switch B to work in preemptive mode, with a preemption delay of 5 seconds.
(3) Configure Switch C
Configure VLAN 2.
<SwitchC> system-view
[SwitchC] inter g 1/0/13
[SwitchC-GigabitEthernet1/0/13] port link-mode route
[SwitchC-GigabitEthernet1/0/13]ip add 10.1.3.2 24
[SwitchC-GigabitEthernet1/0/13]undo shut
[SwitchC-GigabitEthernet1/0/13]quit
[SwitchC] inter g 1/0/14
[SwitchC-GigabitEthernet1/0/14]port link-mode route
[SwitchC-GigabitEthernet1/0/14]ip add 10.1.4.2 24
[SwitchC-GigabitEthernet1/0/14]undo shut
[SwitchC-GigabitEthernet1/0/14]quit
[SwitchC] vlan 2
[SwitchC-Vlan2] port gigabitethernet 1/0/1
[SwitchC-vlan2] quit
[SwitchC] interface vlan-interface 2
[SwitchC-Vlan-interface2] ip address 10.1.2.2 255.255.255.0
[SwitchC-Vlan-interface2]quit
[SwitchC]ip route 10.1.1.0 24 10.1.3.1
[SwitchC]ip route 10.1.1.0 24 10.1.4.1

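  1. Verify the configuration
    After the configuration is complete, Host A can ping Host B. Use the display vrrp verbose command to view the result of the configuration.
    Display detailed information about backup group 1 on Switch A.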

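II. Configuration example of VRRP backup groups in multiple VLANs

  1. Network requirements
    • The default gateway of hosts in VLAN 2 is 10.1.1.100/25; the default gateway of hosts in VLAN 3 is 10.1.1.200/25;
    • Switch A and Switch B both belong to backup group 1, whose virtual IP address is 10.1.1.100/25, and to backup group 2, whose virtual IP address is 10.1.1.200/25;
    • In backup group 1 the priority of Switch A is higher than that of Switch B, and in backup group 2 the priority of Switch B is higher than that of Switch A. This ensures that hosts in VLAN 2 and VLAN 3 communicate through Switch A and Switch B respectively, and that when Switch A or Switch B fails, hosts can continue to communicate through the other device, avoiding an interruption.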

Configuration procedure
(1) Configure Switch A
<H3C> system-view
[H3C]hostname SwitchA
[SwitchA]inter range g 1/0/21 to g 1/0/24
[SwitchA-if-range]port link-type trunk
[SwitchA-if-range]port trunk per vlan all
[SwitchA-if-range]quit
Configure VLAN 2.
[SwitchA] vlan 2
[SwitchA-vlan2] quit
[SwitchA] interface vlan-interface 2
[SwitchA-Vlan-interface2] ip address 10.1.1.1 255.255.255.128
Create backup group 1 and set the virtual IP address of backup group 1 to 10.1.1.100.
[SwitchA-Vlan-interface2] vrrp vrid 1 virtual-ip 10.1.1.100
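Set the priority of Switch A in backup group 1 to 110, higher than Switch B's priority of 100, to ensure that in backup group 1 Switch A becomes the Master responsible for forwarding traffic.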
[SwitchA-Vlan-interface2] vrrp vrid 1 priority 110
[SwitchA-Vlan-interface2] quit
Configure VLAN 3.
[SwitchA] vlan 3
[SwitchA-vlan3] quit
[SwitchA] interface vlan-interface 3
[SwitchA-Vlan-interface3] ip address 10.1.1.130 255.255.255.128
Create backup group 2 and set the virtual IP address of backup group 2 to 10.1.1.200.
[SwitchA-Vlan-interface3] vrrp vrid 2 virtual-ip 10.1.1.200
[SwitchA-Vlan-interface3]quit
[SwitchA]inter g 1/0/1
[SwitchA-GigabitEthernet1/0/1]port link-m r
[SwitchA-GigabitEthernet1/0/1]ip add 10.1.3.1 24
[SwitchA-GigabitEthernet1/0/1]undo shut
[SwitchA-GigabitEthernet1/0/1]quit
[SwitchA]ip route-static 0.0.0.0 0 10.1.3.2

(2) Configure Switch B
<H3C> system-view
[H3C]hostname SwitchB
[SwitchB]inter range g 1/0/21 to g 1/0/24
[SwitchB-if-range]port link-type trunk
[SwitchB-if-range]port trunk per vlan all
[SwitchB-if-range]quit
Configure VLAN 2.
[SwitchB] vlan 2
[SwitchB-vlan2] quit
[SwitchB] interface vlan-interface 2
[SwitchB-Vlan-interface2] ip address 10.1.1.2 255.255.255.128
Create backup group 1 and set the virtual IP address of backup group 1 to 10.1.1.100.
[SwitchB-Vlan-interface2] vrrp vrid 1 virtual-ip 10.1.1.100
[SwitchB-Vlan-interface2] quit
Configure VLAN 3.
[SwitchB] vlan 3
[SwitchB-vlan3] quit
[SwitchB] interface vlan-interface 3
[SwitchB-Vlan-interface3] ip address 10.1.1.131 255.255.255.128
Create backup group 2 and set the virtual IP address of backup group 2 to 10.1.1.200.
[SwitchB-Vlan-interface3] vrrp vrid 2 virtual-ip 10.1.1.200
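Set the priority of Switch B in backup group 2 to 110, higher than Switch A's priority of 100, to ensure that in backup group 2 Switch B becomes the Master responsible for forwarding traffic.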
[SwitchB-Vlan-interface3] vrrp vrid 2 priority 110
[SwitchB-Vlan-interface3]quit
[SwitchB]inter g 1/0/2
[SwitchB-GigabitEthernet1/0/2]port link-m r
[SwitchB-GigabitEthernet1/0/2]ip add 10.1.4.1 24
[SwitchB-GigabitEthernet1/0/2]undo shut
[SwitchB-GigabitEthernet1/0/2]quit
[SwitchB]ip route-static 0.0.0.0 0 10.1.4.2
(3) Configure Switch C
<H3C> system-view
[H3C]hostname SwitchC
[SwitchC]vlan 2
[SwitchC-vlan2]port g 1/0/1 to g 1/0/10
[SwitchC-vlan2]quit
[SwitchC]vlan 3
[SwitchC-vlan3]port g 1/0/11 to g 1/0/20
[SwitchC-vlan3]quit
[SwitchC]inter range g 1/0/21 to g 1/0/24
[SwitchC-if-range]port link-type trunk
[SwitchC-if-range]port trunk per vlan all
[SwitchC-if-range]quit

(4) Configure Switch D
<H3C> system-view
[H3C]hostname SwitchD
[SwitchD]inter g 1/0/1
[SwitchD-GigabitEthernet1/0/1]port link-m r
[SwitchD-GigabitEthernet1/0/1]ip add 10.1.3.2 24
[SwitchD-GigabitEthernet1/0/1]undo shut
[SwitchD-GigabitEthernet1/0/1]quit
[SwitchD]inter g 1/0/2
[SwitchD-GigabitEthernet1/0/2]port link-m r
[SwitchD-GigabitEthernet1/0/2]ip add 10.1.4.2 24
[SwitchD-GigabitEthernet1/0/2]undo shut
[SwitchD-GigabitEthernet1/0/2]quit
[SwitchD]inter g 1/0/11
[SwitchD-GigabitEthernet1/0/11]port link-m r
[SwitchD-GigabitEthernet1/0/11]ip add 10.1.2.1 24
[SwitchD-GigabitEthernet1/0/11]undo shut
[SwitchD-GigabitEthernet1/0/11]quit
[SwitchD]ip route-s 10.1.1.0 24 10.1.3.1
[SwitchD]ip route-s 10.1.1.0 24 10.1.4.1

  1. Verify the configuration
    Use the display vrrp verbose command to view the result of the configuration.
    Display detailed information about the backup groups on Switch A.
    [SwitchA] display vrrp verbose
    Display detailed information about the backup groups on Switch B.
    [SwitchB] display vrrp verbose
    The output shows that in backup group 1 Switch A is the Master and Switch B is the Backup, so hosts whose default gateway is 10.1.1.100/25 access the Internet through Switch A; in backup group 2 Switch A is the Backup and Switch B is the Master, so hosts whose default gateway is 10.1.1.200/25 access the Internet through Switch B.

Origin blog.51cto.com/14220480/2414619