General Description

Most large LANs today are built around a central router. Such LANs are usually organized as routed virtual networks, with redundant connections between devices and an additional central router installed. Although this structure might seem reliable, the central router is its single point of failure. If the central router fails, several scenarios are possible, each of which requires a system administrator to intervene: reconfiguring workstations so that they use the other router as their gateway, changing the configuration of the redundant unit, installing an additional router, and so on.

The VRRP server keeps the network alive if any of the described situations occurs: it hands the “responsibilities” of a failed device over to another one. With the VRRP server in use, the additional router comes into operation automatically.

Each redundant router should be part of a virtual router (VR). A VR has a list of VR IP-addresses. When one of the routers becomes the primary one, it starts serving every IP-address on this list (i.e. it replies to ARP requests for them and takes over the host functions of these IP-addresses).

A VR is referred to by its identifier (VRID), a number in the 1…255 range.

The logic of VRRP-server operation is therefore the following:

  1. Several VRRP routers form a VR. Each of them has the same VRID and the same list of IP-addresses;
  2. The main router is selected from the VRRP routers (MASTER mode). The others get the status of slave routers (BACKUP mode). The main router periodically sends special packets (keep-alive messages). From these packets the BACKUP routers decide whether the MASTER is available.
  3. If the main router fails (no keep-alive messages have been received from the MASTER for a long time), one of the slave routers becomes the main router and starts processing packets addressed to the VR.

The main router of a VR is selected automatically: the status goes to the router with the highest priority or, if priorities are equal, to the one with the largest network-interface IP-address.

Full syntax:

vrrp start|stop|dump
vrrp dump IFNAME:VRID
vrrp IFNAME:VRID [start|stop|clean|flush]
vrrp IFNAME:VRID [add]|delete IPADDRESS[/(MASK|MASKLEN)] …
vrrp IFNAME:VRID [-priority=[PRIO|own]] [-interval=AINT]
                 [-(password|key)=[PASSWORD]]
                 [-preempt=(on|off)] [-owner=[on|off]] [-learn=(on|off)]
                 [-track=(off|default|IPADDRESS/MASKLEN)]

Command description

Server start/stop

Syntax:

vrrp {start | stop}

The command starts or stops the VRRP server.

Example,

vrrp start

Creating Virtual Router (VR)

Syntax:

vrrp IFNAME:VRID add IPADDRESS[/{MASK|MASKLEN}] …

The command creates a virtual router with identifier VRID on interface IFNAME. VRID is a number in the 1…255 range. The command also adds the IP-address given as a parameter to the list of VR IP-addresses. No VR IP-address may coincide with the primary IP-address of the interface on which the VR is created. The VRRP server allows several VRs on one network interface, but their IP-address lists must not overlap.

Example,

vrrp eth0:10 add 9.8.7.6/24

VR start/stop

Syntax:

vrrp IFNAME:VRID {start|stop}

The command starts or stops this router in the specified VR.

Example,

vrrp eth0:10 start

Setting router priority

Syntax:

vrrp IFNAME:VRID -priority=[PRIO|own]

The command sets the priority of the specified router in the VR. The priority value is in the 2…255 range. Router priority is used when selecting the main router: the router with the highest priority becomes the main one.

A priority of 255 has a special meaning: it marks this router as the main router of the specified VR. The main router with this priority owns all of the VR’s IP-addresses.

Example,

vrrp eth0:10 -priority=200

Owner mode

Syntax:

vrrp IFNAME:VRID -owner=on|off

In owner mode the router owns all of the VR’s IP-addresses regardless of its priority: even while this router is a slave, the VR’s IP-addresses are present in the IP-address list of the network interface on which the VR is created. These addresses stay in a “passive” mode, i.e. the router does not answer on them until it takes over the functions of the main router.

“Owner” mode is enabled by default.

Example,

vrrp eth0:10 -owner=off

Inheritance mode

Syntax:

vrrp IFNAME:VRID -preempt=on|off

If inheritance (preempt) mode is disabled, the router never takes over the functions of the main router, regardless of its priority, while there are other operating routers in the VR.

Inheritance mode is enabled by default.

Example,

vrrp eth0:10 -preempt=off

Network Prefix Monitoring mode

Syntax:

vrrp IFNAME:VRID -track=(off|default|IPADDRESS/MASKLEN)

If "Network Prefix Monitoring" mode is enabled, the VRRP module checks that a route to the specified IP network (IPADDRESS/MASKLEN), or the default route (default), is present. If the routing entry disappears from the system tables, the device enters BACKUP mode.

To disable the "Network Prefix Monitoring" mode use the “off” option.

Example,

vrrp eth0:10 -track=default
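The master election from the General Description, combined with the -preempt and -track rules above, as an added Python example (not part of the original page or the VRRP server's own code). The VrrpRouter fields and elect_master are assumed names that model the rules exactly as this page states them; the tie-break by interface IP is done numerically, which is the detail most easily got wrong.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class VrrpRouter:
    ip: str                     # primary IP-address of the interface the VR is built on
    priority: int               # 2...255; 255 marks the owner of the VR's addresses
    preempt: bool = True        # -preempt=on|off (inheritance mode)
    operating: bool = True      # False once its keep-alive messages stop arriving
    route_present: bool = True  # False when the -track'ed route has left the routing table

def rank(r: VrrpRouter):
    # Highest priority wins; ties go to the numerically largest interface IP.
    # int(ip_address()) is deliberate: comparing the dotted strings would rank
    # "10.0.0.9" above "10.0.0.10".
    return (r.priority, int(ipaddress.ip_address(r.ip)))

def elect_master(routers, current=None):
    """Return the router that should hold MASTER state, or None if none can.
    `current` is the router that held MASTER state before this election, if any."""
    # Without keep-alives, or with the tracked route gone, a router stays BACKUP.
    eligible = [r for r in routers if r.operating and r.route_present]
    if not eligible:
        return None
    # A -preempt=off router never takes the main role while other routers operate:
    # it only keeps a role it already holds, or gets it when it is the only one left.
    candidates = [r for r in eligible if r.preempt or r is current] or eligible
    return max(candidates, key=rank)

if __name__ == "__main__":
    # Constructed VR: the address owner (255) plus two equal-priority backups.
    owner = VrrpRouter("10.0.0.1", 255)
    b9, b10 = VrrpRouter("10.0.0.9", 200), VrrpRouter("10.0.0.10", 200)
    vr = [owner, b9, b10]
    print(elect_master(vr).ip)                    # 10.0.0.1
    owner.operating = False
    print(elect_master(vr, current=owner).ip)     # 10.0.0.10  (tie broken by IP, numerically)
    owner.operating, owner.preempt = True, False
    print(elect_master(vr, current=b10).ip)       # 10.0.0.10  (owner is back but does not preempt)
```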

Keep-alive messaging interval setting

Syntax:

vrrp IFNAME:VRID -interval=AINT

This command sets the keep-alive messaging interval of the main router. The parameter value is given in seconds.

The router acting as MASTER periodically sends service packets to the other VR routers. From these messages the BACKUP routers learn that the MASTER is available. The default value of the parameter is 1 second.

If you set a different value, keep in mind that it must be the same on all routers of the specified VR.

Example,

vrrp eth0:10 -interval=2

Self-learning mode

Syntax:

vrrp IFNAME:VRID -learn=on|off

This mode lets a router collect the VR’s IP-address list while it acts as a BACKUP router, and it simplifies VRRP server configuration: you configure the full list of VR IP-addresses on one router only, the owner of the IP-addresses (priority 255). On the remaining routers it is enough to create the VR with an empty IP-address list and enable self-learning mode.

Example,

vrrp eth0:10 -learn=on

VR deleting

Syntax:

vrrp IFNAME:VRID clean

The command deletes the specified VR.

Example,

vrrp eth0:10 clean

IP-address removing from VR list

Syntax:

vrrp IFNAME:VRID delete IPADDRESS

The command deletes the specified IP-address from the VR’s list.

Deleting VR IP-addresses list

Syntax:

vrrp IFNAME:VRID flush

The command deletes all IP-addresses from the VR’s list.

Example,

vrrp eth0:10 flush

VRRP authentication

Following RFC 2338, the VRRP server supports two authentication modes:

  • Simple text password
  • IP Authentication Header

These authentication schemes are enabled with the following commands:

vrrp IFNAME:VRID -password=PASSWORD
vrrp IFNAME:VRID -key=PASSWORD

Experience shows that neither VRRP authentication method provides real VR security. This is described in the later revision of the protocol, RFC 3768:

Security Considerations

VRRP does not currently include any type of authentication.  Earlier versions of the VRRP specification included several types of authentication ranging from none to strong.  Operational experience and further analysis determined that these did not provide any real measure of security. Due to the nature of the VRRP protocol, even if VRRP messages are encoded, it does not prevent hostile routers from behaving as if they are a VRRP master, creating multiple masters. Authentication of VRRP messages could have prevented a hostile router from causing all properly functioning routers from going into backup state.  However, having multiple masters can cause as much disruption as no routers, which authentication cannot prevent.  Also, even if a hostile router could not disrupt VRRP, it can disrupt ARP and create the same effect as having all routers go into backup.

VRRP server state output

Syntax:

vrrp dump

The command displays the current state of the VRRP server.

Example,

vrrp dump
VRRP interface:ID  Prio AInterval    Master IP     STATE       Time        Stop reason
================== ==== ========= =============== ======= ===============  ===
          eth0:010 200o    001    192.168.15.50   BACKUP      0/0:0:3:000

The VRRP-server state is printed as a table with the following columns:

  • "VRRP interface:ID" – displays the VR in IFNAME:VRID form
  • "Prio" – displays the priority of the router in the specified VR. If “owner” mode is enabled, the letter “o” is printed after it.
  • "AInterval" – displays the configured keep-alive messaging interval.
  • "Master IP" – displays the primary IP-address of the MASTER router.
  • "STATE" – displays the router’s current state:
    • MASTER
    • BACKUP
    • STOP
    If the specified router has self-learning mode enabled, a lowercase “l” is printed before the state name, for example “lBACKUP”.
  • "Time" – displays how long the router has been in the state shown in "STATE". The period is given in DAYS/HOURS:MINUTES:SECONDS:000 form.
  • "Stop reason" – if the current situation forces the router to stop operating in the specified VR, its state for that VR changes to "STOP" and this column displays the reason. Possible reasons are:
    • Configuration conflict – different VRs on the same interface have overlapping IP-address lists.
    • IP Address list is empty – no IP-addresses are specified.
    • Interface has no primary IP address – the interface has no primary IP-address, or it has been deleted.
    • Interface is down – the interface on which the VR is built is down.
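An added Python example (not from the original page) that parses the dump table above into records and flags the rows worth attention: STOP rows with their reason, and a Master IP that is not one of the routers you configured, which is how the extra-master situation from the RFC 3768 text shows up in this output. The sample rows beyond the one shown above, the expected_masters mapping and the function names are constructed; the last Time field is assumed to be milliseconds.

```python
from dataclasses import dataclass

# Constructed sample in the layout of the `vrrp dump` output above (rows 2 and 3 added).
SAMPLE_DUMP = """\
VRRP interface:ID  Prio AInterval    Master IP     STATE       Time        Stop reason
================== ==== ========= =============== ======= ===============  ===
          eth0:010 200o    001    192.168.15.50   BACKUP      0/0:0:3:000
          eth1:020 100     002    192.168.16.1    lBACKUP     1/2:30:15:000
          eth0:030 150o    001    192.168.15.7    STOP        0/0:0:0:000    IP Address list is empty
"""

@dataclass
class VrStatus:
    vr: str            # IFNAME:VRID as printed
    prio: int
    owner: bool        # trailing "o" in the Prio column
    interval: int      # AInterval, seconds
    master_ip: str
    state: str         # MASTER / BACKUP / STOP, learn prefix stripped
    learn: bool        # leading "l" in the STATE column
    seconds: int       # time in the current state, folded to seconds
    stop_reason: str   # empty unless state is STOP

def parse_dump(text: str) -> list:
    rows = []
    for line in text.splitlines():
        parts = line.split(None, 6)          # the Stop reason may contain spaces
        if len(parts) < 6 or parts[0] == "VRRP" or parts[0].startswith("="):
            continue                         # blank, header and ruler lines
        vr, prio, interval, master_ip, state, clock = parts[:6]
        # Time is DAYS/HOURS:MINUTES:SECONDS:000; the last field is assumed to be milliseconds
        days, hours, mins, secs, _ms = map(int, clock.replace("/", ":").split(":"))
        learn = state[:1] == "l" and state[1:] in ("MASTER", "BACKUP", "STOP")
        rows.append(VrStatus(vr, int(prio.rstrip("o")), prio.endswith("o"), int(interval),
                             master_ip, state[1:] if learn else state, learn,
                             ((days * 24 + hours) * 60 + mins) * 60 + secs,
                             parts[6].strip() if len(parts) == 7 else ""))
    return rows

def find_anomalies(rows, expected_masters):
    """expected_masters: VR name -> primary IPs of the routers you configured in it.
    Flags STOP rows with their reason, and a Master IP that is none of your routers
    (the extra-master situation from the RFC 3768 text, visible in the dump)."""
    findings = []
    for r in rows:
        if r.state == "STOP":
            findings.append((r.vr, "stopped: " + (r.stop_reason or "no reason given")))
        elif r.master_ip not in expected_masters.get(r.vr, ()):
            findings.append((r.vr, "unexpected master " + r.master_ip))
    return findings
```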