VRRP on ERS5000 Series (V2) Alp IŞIK NTS Engineer [email protected]


Post on 22-Nov-2014


DESCRIPTION

Nortel Vrrp features


1. Introduction

There are a number of methods that an end-host can use to determine its first hop router towards a particular IP destination, such as running a dynamic routing protocol like Routing Information Protocol [RIP] or OSPF version 2 [OSPF], or using a statically configured default route. Running a dynamic routing protocol on every end-host may be infeasible for a number of reasons, including administrative overhead, processing overhead, security issues, or lack of a protocol implementation for some platforms. The use of a statically configured default route is quite popular; it minimizes configuration and processing overhead on the end-host and is supported by virtually every IP implementation. However, this creates a single point of failure. Loss of the default router results in a catastrophic event, isolating all end-hosts that are unable to detect any alternate path that may be available.

[Figure: PC-1 (IP addr 10.10.10.11/24, default GW 10.10.10.3) and PC-2 (IP addr 10.10.10.12/24, default GW 10.10.10.4); two routers with IP addr 10.10.10.3/24 and IP addr 10.10.10.4/24; WAN.]

The Virtual Router Redundancy Protocol (VRRP) is designed to eliminate the single point of failure inherent in the static default routed environment. VRRP specifies an election protocol that dynamically assigns responsibility for a virtual router to one of the VRRP routers on a LAN.

The VRRP router controlling the IP address(es) associated with a virtual router is called the Master, and forwards packets sent to these IP addresses. The election process provides dynamic fail-over in the forwarding responsibility should the Master become unavailable. Any of the virtual router’s IP addresses on a LAN can then be used as the default first hop router by end-hosts. The advantage gained from using VRRP is a higher availability default path without requiring configuration of dynamic routing or router discovery protocols on every end-host. (RFC 3768)

[Figure: PC-1 (IP addr 10.10.10.11/24) and PC-2 (IP addr 10.10.10.12/24), both with default GW 10.10.10.1 (VRRP IP); two routers with IP addr 10.10.10.3/24 and IP addr 10.10.10.4/24, each with VRRP IP 10.10.10.1, one labelled VRRP master router and the other VRRP backup router; WAN.]


Definitions

• VRRP Router : A router running the Virtual Router Redundancy Protocol.

• Virtual Router : An abstract object managed by VRRP that acts as a default router for hosts on a shared LAN. It consists of a Virtual Router Identifier and a set of associated IP address(es) across a common LAN. A VRRP Router may backup one or more virtual routers.

• IP Address Owner : The VRRP router that has the virtual router’s IP address(es) as real interface address(es). This is the router that, when up, will respond to packets addressed to one of these IP addresses for ICMP pings, TCP connections, etc.

• Virtual Router Master : The VRRP router that is assuming the responsibility of forwarding packets sent to the IP address(es) associated with the virtual router, and answering ARP requests for these IP addresses. Note that if the IP address owner is available, then it will always become the Master.

• Virtual Router Backup : The set of VRRP routers available to assume forwarding responsibility for a virtual router should the current Master fail.


VRRP Overview

The virtual router MAC address is used as the source in all periodic VRRP messages sent by the Master router. A virtual router is defined by its virtual router identifier (VRID) and a set of IP addresses. To minimize network traffic, only the Master for each virtual router sends periodic VRRP Advertisement messages. A Backup router will not attempt to preempt the Master unless it has higher priority. This eliminates service disruption unless a more preferred path becomes available. VRRP packets are sent encapsulated in IP packets. They are sent to the IPv4 multicast address assigned to VRRP.

VRRP Packet Format

IP Field Descriptions & Vrrp Parameter definitions

• Source Address : The primary IP address of the interface the packet is being sent from.

• Destination Address : The IP multicast address as assigned by the IANA for VRRP is: 224.0.0.18

• TTL : The TTL MUST be set to 255. A VRRP router receiving a packet with the TTL not equal to 255 MUST discard the packet.

• Protocol : The IP protocol number assigned by the IANA for VRRP is 112 (decimal).

• Version : The version field specifies the VRRP protocol version of this packet.

• Type : The type field specifies the type of this VRRP packet. The only packet type defined in this version of the protocol is: 1 ADVERTISEMENT


• Virtual Rtr ID (VRID) : The Virtual Router Identifier (VRID) field identifies the virtual router this packet is reporting status for. Configurable item in the range 1-255 (decimal). There is no default.

• Priority : The priority field specifies the sending VRRP router’s priority for the virtual router. Higher values equal higher priority. This field is an 8 bit unsigned integer field. VRRP routers backing up a virtual router MUST use priority values between 1-254 (decimal). The default priority value for VRRP routers backing up a virtual router is 100 (decimal).


The priority value zero (0) has special meaning indicating that the current Master has stopped participating in VRRP. This is used to trigger Backup routers to quickly transition to Master without having to wait for the current Master to timeout. The value of 0 (zero) is reserved for Master router to indicate it is releasing responsibility for the virtual router.

• Authentication Type : ERS5500 series has no authentication.

• Critical-ip <ipaddr> : A locally configured IP address to use as a trigger for releasing control of the virtual router. Configuring Critical IP together with the backup-master feature is not advised on either the 5500 or the 8600 series.

• Advertisement Interval (Adver Int) : The Advertisement interval indicates the time interval (in seconds) between ADVERTISEMENTS. The default is 1 second. This field is used for troubleshooting misconfigured routers.

• Skew_Time : Time to skew Master_Down_Interval in seconds. Calculated as: ( (256 - Priority) / 256 )

• Master_Down_Interval : Time interval for Backup to declare Master down (seconds). Calculated as: (3 * Advertisement_Interval) + Skew_time


• Preempt_Mode : Controls whether a higher priority Backup router preempts a lower priority Master. Values are True to allow preemption and False to prohibit preemption. Default is True. Note: Exception is that the router that owns the IP address(es) associated with the virtual router always preempts independent of the setting of this flag.

• Checksum : The checksum field is used to detect data corruption in the VRRP message. The checksum is the 16-bit one’s complement of the one’s complement sum of the entire VRRP message starting with the version field. For computing the checksum, the checksum field is set to zero. See RFC 1071 for more detail [CKSM].

• Fast advertisement : Proprietary to ERS, supporting an advertising interval from 200 to 1000 ms with a default value of 200 ms.

VRRP Packets

• Used to communicate between VRRP routers.

• Use the following addresses:

– Destination IP address: 224.0.0.18

– Destination MAC address: 01-00-5E-00-00-12

– Source MAC address: 00-00-5E-00-01-{0xVRID}

VRRP states

• Initialize – Wait to be enabled.

• Backup – Responsibilities:

– MUST NOT respond to ARP requests for the IP address associated with the virtual router.

– MUST discard packets with a destination MAC address equal to the virtual router MAC address.

– MUST NOT accept packets addressed to the IP address associated with the virtual router.

– Transition to the Master state.

• Master – Responsibilities:

– MUST respond to ARP requests for the IP address associated with the virtual router.

– MUST forward packets with a destination MAC address equal to the virtual router MAC address.

– MUST NOT accept packets addressed to the IP address associated with the virtual router if it is not the IP address owner. (Stated in the RFC; not seen on the Nortel.)

– MUST accept packets addressed to the IP address associated with the virtual router if it is the IP address owner.


Determining Master

Upon receipt of a VRRP packet a VRRP router should:

• Compare VRID in packet to internal VRIDs.

– Don’t match: discard packet.

– Do match: compare priorities.

• Compare VRRP priority.

– Packet priority higher: transition to Backup.

– Internal priority higher: transition to Master.

– Equal: compare sender’s IP address. Highest IP address is the master.

Events that result in a Backup VRRP router becoming Master.

• Receive a VRRP packet with priority lower than internal priority.

• Backup does not receive a VRRP packet within the Master_Down_Interval.

• VRRP Master sends a packet with priority 0 indicating it is relinquishing control of the virtual router.
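The timers and the election rules from the slides above, put together as an added example that is not part of the original presentation. It is a simplified model of the rules as listed here (class and method names are hypothetical, addresses are the ones from the earlier figures), not the ERS implementation.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address

@dataclass
class VrrpRouter:
    vrid: int
    priority: int            # 1-254 for backups, 255 for the IP address owner
    ip: str                  # primary address of the VRRP interface
    adver_int: float = 1.0   # Advertisement_Interval in seconds
    preempt: bool = True     # Preempt_Mode

    def skew_time(self) -> float:
        return (256 - self.priority) / 256

    def master_down_interval(self) -> float:
        return 3 * self.adver_int + self.skew_time()

    def on_advert(self, vrid: int, priority: int, src_ip: str) -> str:
        """State this router should take after receiving an advertisement."""
        if vrid != self.vrid:
            return "discard"                  # VRID does not match
        if priority == 0:
            return "Master"                   # Master is releasing control
        mine = (self.priority, IPv4Address(self.ip))
        theirs = (priority, IPv4Address(src_ip))
        if theirs > mine:
            return "Backup"                   # higher priority, or equal and higher IP
        # Local router is preferred; only the address owner ignores Preempt_Mode.
        return "Master" if self.preempt or self.priority == 255 else "Backup"

def first_to_take_over(backups):
    """Backup whose Master_Down_Interval expires first once adverts stop."""
    return min(backups, key=lambda r: r.master_down_interval())

if __name__ == "__main__":
    a = VrrpRouter(vrid=1, priority=100, ip="10.10.10.3")
    b = VrrpRouter(vrid=1, priority=200, ip="10.10.10.4")
    print(a.master_down_interval(), b.master_down_interval())
    print(first_to_take_over([a, b]).ip)
```

Because Skew_Time shrinks as priority grows, the highest-priority Backup always times out first, which is why the election converges without the Backups exchanging messages among themselves.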

ERS 5500 Implementations & backup-master behavior

Initial Setup

[Figure: Layer 2 switch with PC-1; Layer 2 switch with PC-2 and PC-3; SMLT; IST; VRRP-master (both VLANs); VRRP-backup (both VLANs).]

Q01737679 problem

[Figure: Layer 2 switch with PC-1; Layer 2 switch with PC-2 and PC-3; VRRP-master (both VLANs); VRRP-backup (both VLANs).]

• Packet from PC1 to PC2 (dest MAC = VRRP MAC).

• Based on MLT distribution, the packet could be sent to the backup.

• As the 5x00 is not owner of the VRRP MAC, the packet is switched to the VRRP Master.

• Packet should be routed to PC2.

• Due to CR Q01737679 (5x00 hardware limitation), the packet is dropped when coming from IST to SMLT (when SMLT is in state “SMLT”).

Solution for Q01737679

[Figure: Layer 2 switch with PC-1; Layer 2 switch with PC-2 and PC-3; VRRP-master (both VLANs); VRRP-backup-master (both VLANs).]

• Packet from PC1 to PC2 (dest MAC = VRRP MAC).

• Based on MLT distribution, the packet could be sent to the backup.

• The 5x00 is now owner of the VRRP MAC; the packet is routed to PC2.

Link down situation

[Figure: Layer 2 switch with PC-2 and PC-3; VRRP-backup-master; VRRP-master; one link marked “Link down”.]

[Figure: Layer 2 switch with PC-2 and PC-3; VRRP-backup-master; VRRP-master; VRRP hello.]

• VRRP hello is not forwarded due to CR Q01990799.

• VRRP MAC aged – not re-learned, as no VRRP hellos are arriving.

• Packet from PC1 to VRRP MAC is flooded, as no FDB entry exists!

• Flooding of all packets on the L2 switch.

[Figure: Layer 2 switch with PC-2 and PC-3; VRRP-backup-master; VRRP-master; VRRP hello.]

• VRRP hello every 10 sec from the backup-master (CR Q01990790).

• VRRP MAC learned every 10 sec.

• Packet from PC1 to VRRP MAC.

• CR Q01990790 resolves the flooding issue.


DAW NetApp problem

Initial Setup

[Figure: PC-1; two Layer 2 switches; 5x00 D1 and 5x00 D2 joined by an IST, with SMLT; VRRP-master (both VLANs); VRRP-backup (both VLANs); two 8300s; NetApp.]

Packet to the Server

[Figure: PC-1; two Layer 2 switches; 5x00 D1 and 5x00 D2; two 8300s; NetApp; a blue path and a red path.]

• PC sends packet to the default gateway, which is the VRRP MAC address 00:00:5e:00:01:xx.

• Packet is sent on either the blue or the red path, depending on the MLT distribution.

• If the blue path is used: packet is routed by D1, as it is VRRP master and the packet is destined to the VRRP MAC address.

• If the red path is used: packet is routed by D2, as it is VRRP backup-master and the packet is destined to the VRRP MAC address.

• Packet is forwarded to destination.

Packet from the Server (DAW behavior)

[Figure: PC-1; two Layer 2 switches; 5x00 D1 and 5x00 D2; two 8300s; NetApp; a blue path and a red path.]

• Server sends packet to the MAC address it received the packet from, not the default gateway VRRP address, e.g. the MAC address of D1.

• Packet is sent on either the blue or the red path, depending on the MLT distribution.

• If the blue path is used: packet is routed by D1, as the destination MAC is its own MAC. Packet is forwarded to destination.

• If the red path is used: packet has D1 MAC and therefore must be sent to D1 across the IST. Packet is switched, not routed (VRRP cannot be used).

• If the red path is used: packet cannot be forwarded to SMLT coming from the IST. Therefore the packet is lost.

Packet from the Server re-transmission - 1

[Figure: PC-1; two Layer 2 switches; 5x00 D1 and 5x00 D2; two 8300s; NetApp; a blue path and a red path.]

• Server sends packet to the MAC address it received the packet from, not the default gateway VRRP address, e.g. the MAC address of D1.

• Packet is sent on either the blue or the red path, depending on the MLT distribution.

• If the red path is used: packet has D1 MAC and therefore must be sent to D1 across the IST. Packet is switched, not routed (VRRP cannot be used).

• If the red path is used: packet cannot be forwarded to SMLT coming from the IST. Therefore the packet is lost.

Packet from the Server re-transmission - 2

[Figure: PC-1; two Layer 2 switches; 5x00 D1 and 5x00 D2; two 8300s; NetApp; a blue path and a red path.]

• Server sends packet to the VRRP MAC address.

• Packet is sent on either the blue or the red path, depending on the MLT distribution.

• If the red path is used: packet has the VRRP MAC, therefore D2 will use the backup-master function to route the packet.

• Packet is forwarded to destination.


Conclusion:

• Due to the hardware limitation in the 5x00 (Q01737679) the VRRP backup-master function must be used in an IST/SMLT design with 5x00s.

• Another limitation prevents VRRP hellos from being forwarded by the VRRP backup-master (Q01990799). To overcome this limitation the backup-master will generate VRRP hellos every 10 sec itself (Q01990790).

• Therefore the 5x00 must not be used in a non-SMLT design with the VRRP backup-master function enabled.

• ERS VRRP trap messages

Transition Type:

1 - None
2 - Master to Backup
3 - Backup to Master
4 - Initialize to Master
5 - Master to Initialize
6 - Initialize to Backup
7 - Backup to Initialize
8 - Backup to Backup Master
9 - Backup Master to Backup

• Transition Cause:

1 - None
2 - Higher priority advertisement received
3 - Shutdown received
4 - VRRP Address and Physical Address match
5 - Master Down interval
6 - Preemption
7 - Critical IP goes down
8 - User Disabling VRRP
9 - VRRP status synced from primary
10 - IP interface on which VRRP is configured goes down
11 - Lower Priority Advertisement received
12 - Advertisement received from Higher interface IP address with Equal priority
13 - Advertisement received from Lower interface IP address with Equal priority
14 - User enabled VRRP
15 - Transition because of any other cause


Troubleshooting suggestions

• Begin by determining which interfaces are running VRRP.

• Make note of the state of each interface (i.e. Master or Backup).

• Look at the configured parameters, such as VRIDs and IP addresses, for each interface and be sure they match on all VRRP routers. The same VRID should not be used on different VLANs.

• Capture the VRRP packets and be sure they are coming from the expected router at the expected time interval.

Note : The ERS5500 series must have an advanced licence to configure VRRP.
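One way to automate the last check over an exported capture, as an added example that is not part of the original slides. The record format, the function name and the sample capture are constructed for illustration; a sender other than the expected Master matters in particular because the ERS5500 advertisements carry no authentication.

```python
def audit_adverts(records, expected, adver_int=1.0, tolerance=0.5):
    """records:  (time_s, src_ip, vrid, priority) tuples taken from a capture.
    expected: {vrid: IP address of the router that should be Master}.
    Returns a list of (time_s, vrid, finding) tuples."""
    findings, last_seen = [], {}
    for t, src, vrid, prio in sorted(records):
        if vrid not in expected:
            findings.append((t, vrid, f"advert for unconfigured vrid from {src}"))
            continue
        if src != expected[vrid]:
            findings.append((t, vrid, f"unexpected sender {src} priority {prio}"))
            continue
        prev = last_seen.get(vrid)
        if prev is not None and abs((t - prev) - adver_int) > tolerance:
            findings.append((t, vrid, f"interval {t - prev:.1f}s, expected {adver_int:.1f}s"))
        last_seen[vrid] = t
    return findings

# Constructed sample capture: VRID 1 is expected to be mastered by 10.10.10.3.
SAMPLE_CAPTURE = [
    (0.0, "10.10.10.3", 1, 100),
    (1.0, "10.10.10.3", 1, 100),
    (1.4, "10.10.10.50", 1, 254),   # sender that is not the expected Master
    (2.0, "10.10.10.3", 1, 100),
    (5.0, "10.10.10.3", 1, 100),    # two advertisements missing before this one
    (5.5, "10.10.10.4", 7, 100),    # VRID that is not configured on this VLAN
]

if __name__ == "__main__":
    for finding in audit_adverts(SAMPLE_CAPTURE, {1: "10.10.10.3"}):
        print(finding)
```

When fast advertisement is enabled, pass the configured interval (for example `adver_int=0.2`) and a proportionally smaller tolerance.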


Sniffer considerations

• ARP replies from the VRRP IP address will have a source MAC of the Passport interface (the packet will contain the VRRP MAC).

• ICMP echo replies from the VRRP IP address will use the VRRP MAC as the source.

• Packets being routed back through a VRRP interface will use the Passport MAC address as the source MAC.

Note : On ERS8300-ERS8600, it is advised to configure RSMLT instead of VRRP for square or full mesh structures.


References

• RFC 3768

• Dan Duisenberg, J_-_Passport_8600_Class_-_VRRP.ppt

• Juergen Arlt, VRRP_5x00.ppt, DAW_5x00.ppt

• PP8600_TCG_for_VRRP