...
...
Description
At the present time most of the large LANs are built with a router in the center. In such LANs virtual networks with routing are usually organized, redundant connections between devices are provided and additional central router is installed. While this kind of structure might seem to be reliable, it is the central router that seems to be the vulnerability of the system. In the case of central router’s malfunctioning, there might be a few scenarios, each of which would require a system administrator to interfere: workstations configuration in order they could work with other router as a gateway, changing the configuration of a redundant unit, additional router installation etc.
VRRP server is VRRP server is able to keep the network alive in case any of the described situations occurs In fact, the server provides with giving the “responsibilities” from one device to another if the first one fails. When VRRP server is if main router becomes unavailable, by giving it's "responsibilities" to a backup router. When VRRP server is used additional router automatically comes onto operation, that allows significantly reduce the system administrator duty.
Each redundant router backup router should be a part of virtual router (VR). For VR there is a list of its VR IP-addresses. At the time one of routers becomes a primary one VR has an IP addresses list. At time a router becomes the main, it starts to serve each of this list IP-addresses IP addresses from this list (i.e. to reply on ARP-replys on ARP requests and takes the host functions with these IP-these IP addresses).VR is VR is referred to by its identifier – the number in 1…255 range 1…255 (VRID).
Hence, the logic of VRRP-The VRRP server operations is the logic is following:
- Several VRRP routers form VR. Each VR is operated on several VRRP routers, each of them has identical VRID and identical list of IP-addresses;identical IP addresses list.
- The main router should be selected from the list of VRRP-of VRRP routers (MASTER mode). Other ones get the status of slave routers (BACKUP mode). The main router periodically sends special packets (sweeping). By receiving these packets, BACKUP routers make a decision about MASTER’s availability.
- In the case of the main router failure (there are no keep-alive-messages from MASTER for a long time) one of the a slave routers becomes the main router and starts to process packets addressed to VRto VR.
The main virtual router selecting is implemented automatically: this status gets the router with the highest priority or (in the case their equality) – with the biggest network interface IP-"primary" network interface IP address.
Full syntax:
vrrp Syntax:
| Code Block |
|---|
|
Virtual Router Redundancy Protocol (VRRPv2) daemon with
Virtual Host Support Extension V2.0.
Usage:
vrrp start|stop|dump |
...
...
vrrp IFNAME:VRID [start|stop|clean|flush] |
...
vrrp IFNAME:VRID [add]|delete IPADDRESS[/(MASK|MASKLEN)] |
...
vrrp IFNAME:VRID [-priority=[PRIO|own]] [-interval=AINT] |
...
[-(password|key)=[PASSWORD]] |
...
[-preempt=(on|off)] [-owner=[on|off]] [-learn=(on|off)] |
...
[-track=(off|default|IPADDRESS/MASKLEN)] |
...
...
Parameters
Command description
Server start/stop
Syntax:
...
| Center |
|---|
| Parameter | Description |
|---|
| start | stop |
|
...
The command starts / stops VRRP-server.
Example,
Creating Virtual Router (VR)
Syntax:
vrrp IFNAME:VRID add IPADDRESS[/{MASK|MASKLEN}] …
...
| Starts/stops VRRP server. | dump (IFNAME:VRID) | Displays a VRRP server current state. If the "IFNAME:VRID" is specified displays the information for chosen VR, overwise for all routers. A VRRP server state is displayed in a table consisting of following columns: - "VRRP interface:ID" – VR in a "IFNAME:VRID" form.
- "Prio" – priority of the router in a specified VR. If "owner" mode is enabled, a letter "o" is also shown.
- "AInterval" – keep-alive messaging interval.
- "Master IP" – "primary" IP address of MASTER router.
- "STATE" – router’s current state. If specified router has self-learning mode enabled, the "l" letter is displayed before the state name, for example, "lBACKUP". Following values are available:
- "MASTER";
- "BACKUP";
- "STOP".
- "Time" – time period during which the route is in "STATE" mode. The period is represented in DAYS/HOURS:MINUTES:SECONDS:000 form.
- "Stop reason" – the router stops operating in VR in cases specified below - for a VR router it changes its state to "STOP". This column displays the reason. Possible cases are:
- "Configuration conflict" – different VR’s with the same interface have the crossovering IP addresses lists.
- "IP Address list is empty" – no IP addresses are specified.
- "Interface has no primary IP address" – interface does not have primary IP address or it has been deleted.
- "Interface is down" – the interface assigned to VR is in the down state
| | IFNAME:VRID | The argument determines VR on the network interface to which the parameter should be applied. Consists of the following elements: - "IFNAME" – an interface on which the VR should be created.
- "VRID" – VR identifier in range 1...255.
| [add]| IPADDRESS[/(MASK|MASKLEN) | Creates Virtual Router. - "IPADDRESS[/(MASK|MASKLEN)" – The IP addresses to be added to the VR IP address list. None of VR IP address should coincide with the primary IP address of interface it has been created on.
|
|
...
- VRRP server allows creating
|
|
...
- several VRs for one network interface, but their IP addresses lists
|
|
...
Example,
| Code Block |
|---|
|
vrrp eth0:10 add 9.8.7.6/24 |
VR start/stop
Syntax:
vrrp IFNAME:VRID {start|stop}
...
| delete IPADDRESS | Deletes an address from VR IP address list. | | start|stop | Starts/stops this router in a |
|
...
Example,
| Code Block |
|---|
|
vrrp eth0:10 start |
Setting router priority
Syntax:
...
| clean | Deletes specified IP address from VR list. | | flush | Deletes all IP addresses from VR list. | -priority=[PRIO|own] |
|
...
Sets the specified router |
|
...
priority in VR. - "PRIO" – priority value varies in 2…255 range. Router priority is considered in the
|
|
...
- main router selecting procedure.
|
|
...
...
- greatest priority becomes the main
|
|
...
...
...
- means this router will be the main within
|
|
...
- specified VR. The main router with such a priority owns all
|
|
...
Example,
| Code Block |
|---|
|
vrrp eth0:10 –priority=200 |
Owner mode
Syntax:
vrrp IFNAME:VRID -owner=on|off
- of VR’s IP addresses.
- "own" – is equivalent to priority 255.
| -owner=[on|off] | Enables/disables an "owner" mode. In owner mode the router owns all |
|
...
...
addresses regardless its priority. I.e. even if this |
|
...
router is a slave at the moment, |
|
...
VR’s IP addresses are in the lists of network interface |
|
...
on which VR is created. At the same time these addresses stay in a |
|
...
"passive" mode. I.e. the router will not reply on these addresses until it takes |
|
...
...
"Owner" mode is enabled by default. |
|
Example,
| Code Block |
|---|
|
vrrp eth0:10 –owner=off |
Inheritance mode
Syntax:
...
-preempt=(on|off) | Enables/disables an inheritance mode. If inheritance mode is disabled, the router (regardless its priority) would never take the functions of the main router while there are other operating routers |
|
...
...
| Inheritance mode is enabled by default. |
|
Example,
| Code Block |
|---|
|
vrrp eth0:10 –preempt=off |
Network Prefix Monitoring mode
Syntax:
...
...
If "Network Prefix Monitoring" mode is enabled the VRRP module checks the availability of a route to the specified IP network (IPADDRESS/MASKLEN), or the default route (default). If the routing entries disappear from the system tables the device enters the BACKUP mode.
To disable the "Network Prefix Monitoring" mode use the “off” option.
Example,
| Code Block |
|---|
|
vrrp eth0:10 –track=default |
...
...
Syntax:
...
...
| Allows set the required keep-alive messaging interval for the main route. Parameter’s value is set in seconds. |
|
...
| Default parameter value is 1 second. |
|
...
...
| , keep in mind it has to be equal for all routers of |
|
...
...
| Code Block |
|---|
|
vrrp eth0:10 –interval=2 |
Self-learning mode
Syntax:
...
...
| Allows router to collect the list |
|
...
| of VR’s IP addresses while it acts as a BACKUP router. This mode is used to |
|
...
| simplify VRRP server configuration. |
|
...
...
...
| of VR’s IP addresses only for one router – the owner of |
|
...
...
| addresses (with the priority of 255). For |
|
...
| other routers it is enough to |
|
...
| create VR with an empty IP addresses list and set up a self-learning mode. |
|
Example,
| Code Block |
|---|
|
vrrp eth0:10 –learn=on |
VR deleting
Syntax:
vrrp IFNAME:VRID clean
Command deletes specified VR.
Example,
| Code Block |
|---|
|
vrrp eth0:10 clean |
IP-address removing from VR list
Syntax:
vrrp IFNAME:VRID delete IPADDRESS
Command deletes specified IP-address from VR-list.
Deleting VR IP-addresses list
Syntax:
vrrp IFNAME:VRID flush
Command deletes all IP-addresses from VR-list.
Example,
| Code Block |
|---|
|
vrrp eth0:10 flush |
VRRP authorization
...
-track=(off|default|IPADDRESS/MASKLEN) | If "Network Prefix Monitoring" mode is enabled the VRRP module checks the availability of a route to the specified network, or the default route. If the routing entries disappear from the system tables the device enters the "BACKUP" mode. | -(password|key)=[PASSWORD] | Sets authorization for additional VR security. The VRRP server supports two authorization modes: |
|
...
Enabling these authorization schemes can be done using the following commands:
| Code Block |
|---|
|
vrrp IFNAME:VRID –password=PASSWORD
vrrp IFNAME:VRID –key=PASSWORD |
Experience shows that neither of two VRRP authorization methods can provide absolute VR security. This fact was described in the later RFC 3768 version:
Security Considerations
VRRP does not currently include any type of authentication. Earlier versions of the VRRP specification included several types of authentication ranging from none to strong. Operational experience and further analysis determined that these did not provide any real measure of security. Due to the nature of the VRRP protocol, even if VRRP messages are encoded, it does not prevent hostile routers from behaving as if they are a VRRP master, creating multiple masters. Authentication of VRRP messages could have prevented a hostile router from causing all properly functioning routers from going into backup state. However, having multiple masters can cause as much disruption as no routers, which authentication cannot prevent. Also, even if a hostile router could not disrupt VRRP, it can disrupt ARP and create the same effect as having all routers go into backup.
VRRP server state output
Syntax:
vrrp dump
Command displays VRRP-server current state.
Example,
| Code Block |
|---|
|
vrrp dump
- "password=[PASSWORD]" – simple text password.
|
|
...
- "key=[PASSWORD]" – uses IP Authentication Header scheme, is more reliable, provides protection from errors. For more information see RFC 2338.
|
|
Examples
Use the "dump" parameter to display a VRRP server current state. | Code Block |
|---|
| vrrp dump
VRRP interface:ID Prio AInterval Master IP STATE Time Stop reason
================== ==== ========= =============== ======= =============== ===========
eth0:010 200o 001 192.168.15.50 BACKUP 0/0:0:3:000 |
|
VRRP-server state is printed in a table consisting of following columns:
- "VRRP interface: ID" –displays VR in IFNAME:VRID form
- "Prio" – displays the priority of the router in a specified VR. If “owner” mode is enabled, a letter “o” is also printed.
- "AInterval" – displays set keep-alive messaging interval.
- "Master IP" – displays primary IP-address of MASTER router
- "STATE" – displays router’s current state:
If specified router has self-learning mode enabled small l is printer before the state name, for example, "lBACKUP"
...
Create VR with "10" VRID on the "eth0" interface and add the "9.8.7.6/24" IP address in VR address list. | Code Block |
|---|
| vrrp eth0:10 add 9.8.7.6/24 |
|
Set 250 priority for VR "eth0:10". | Code Block |
|---|
| vrrp eth0:10 –priority=250 |
|