Manual:Interface/VRRP: Difference between revisions

From MikroTik Wiki
Jump to navigation Jump to search
No edit summary
No edit summary
Line 46: Line 46:
<h4>Multiple Virtual IPs</h4>
<h4>Multiple Virtual IPs</h4>
<p>
<p>
If the Owner of VR is associated with multiple IP addresses, then Backup routers belonging to the same VR must also be associated with the same set of virtual IP addresses. If virtual address on the Owner is not also on Backup a misconfiguration exists and VRRP advertisement packets will be discarded.
If the Master of VR is associated with multiple IP addresses, then Backup routers belonging to the same VR must also be associated with the same set of virtual IP addresses. If virtual address on the Master is not also on Backup a misconfiguration exists and VRRP advertisement packets will be discarded.
</p>
</p>



Revision as of 08:38, 7 October 2008

Summary

Sub-menu level: /interface vrrp


This chapter describes the Virtual Router Redundancy Protocol (VRRP) support in RouterOS.
Mostly on larger LANs dynamic routing protocols ((OSPF or RIP)) are used, however there are number of factors that may make undesirable to use dynamic routing protocols. One alternative is to use static routing, but if statically configured first hop fails, then host will not be able to communicate with other hosts.
Virtual Router Redundancy Protocol (VRRP) provides a solution by combining number of routers into logical group called Virtual Router (VR). VRRP implementation in RouterOS is compliant to RFC2338 and any modern routers support this protocol.

Virtual Router Redundancy Protocol

Simple VRRP example

The purpose of the VRRP is to communicate to all VRRP routers associated with the Virtual Router ID and support router redundancy through a prioritized election process among them.
Each VRs node have configured virtual IP address and virtual MAC address. On one of nodes virtual IP is the same as real IP, this node is called Owner. By default owner has the highest priority (255), other routers has lower priorities and are configured to operate as Backup in case the Owner router is unreachable.
Normally Owner operates as a Master router of VR. When Owner becomes unavailable, election process occur and Backup router becomes current Master.
All VRRP routers belonging to the same VR must be configured with the same advertisement interval. If interval does not match router will discard received advertisement packet.
VRRP packets are encapsulated in IP packets and are sent to the IPv4 multicast address. IP multicast address assigned by the IANA for VRRP is 224.0.0.18 and VRRP protocol number is /112
Router will drop any VRRP packet if TTL is not 255. That protects against VRRP packets being injected from another remote network. This limits most vulnerabilities to local attacks.

Virtual Router (VR)

A Virtual Router (VR) consists of one Ovner router and one or more backup routers belonging to the same network.
VR includes:

  • VRID configured on each VRRP router
  • the same virtual IP on each router
  • Owner and Backup configured on each router. On a given VR there can be only one Owner.

Virtual MAC address

VRRP automatically assigns MAC address to VRRP interface based on standard MAC prefix for VRRP packets and VRID number. First five octets are 00:00:5E:00:01 and last octet is configured VRID. For example, Virtual Routers VRID is 49, then virtual MAC address will be 00:00:5E:00:01:31.
Virtual mac address can not be manually set or edited.

Virtual IP address

Virtual IP associated with VR must be identical and set on all VR nodes. On Owner router Virtual IP must be the same as real IP. For example on Owner router real IP and virtual IP is 192.168.1.1, on Backup router virtual IP is 192.168.1.1, but real IP is 192.168.1.2. All virtual and real addresses should be from the same network.

Multiple Virtual IPs

If the Master of VR is associated with multiple IP addresses, then Backup routers belonging to the same VR must also be associated with the same set of virtual IP addresses. If virtual address on the Master is not also on Backup a misconfiguration exists and VRRP advertisement packets will be discarded.

ARP

The Master for a given VR responds to ARP requests with the VR's assigned MAC address. Virtual MAC address is also used as the source MAC address for advertisement packets sent by Master. To ARP requests for non-virtual IP addresses router responds with the system MAC address. Backup routers are not responding to ARP requests for Virtual IPs.

Owner

An Owner router for a VR is default Master router and operates as the Owner for all subnets included in the VR. As mentioned before priority on an owner router must be the highest value (255). In example network R1 is an Owner. It's priority is set to 255 and virtual IP is the same as real IP (owns the virtual IP address).

Master

Master router in a VR operates as the physical gateway for the network for which it is configured. Selection of the Master is controlled by priority value. Master state describes behavior of Master router. In example network R1 is the Master router. When R1 is no longer available R2 becomes master.

Backup

VR must contain at least one Backup router. Backup router must be configured with the same virtual IP as Owner for that VR. Default priority for Backup routers is 100. When current master router is no longer available, backup router with highest priority will become current master. Every time when router with higher higher priority becomes available it is switched to master. Sometimes this behavior is not necessary. To override it preemption mode should be disabled. This mode is ignored if Owner router becomes available, it will always become a master router.


VRRP state machine

VRRP state transition flow

As you can see from diagram, each VRRP node can be in one of three states:

  • Init state
  • Backup state
  • Master state


Init state

The purpose of this state is to wait for a Startup event. When this event is received, then following actions are taken:

  • if priority is 255, then send advertisement packet, broadcast ARP requests and transit to MASTER state;
  • else transit to BACKUP state.

Backup state

When in backup state, node is not responding to ARP requests and is not forwarding traffic for the IP associated with the VR.
Routers main task is to receive advertisement packets and check if master node is available.
Backup router will send out advertisement packets, broadcast ARP requests and transit itself to master state in two cases:

  • If priority in advertisement packet is 0;
  • When Preemption_Mode is set to no, or Priority in the ADVERTISEMENT is greater than or equal to the local Priority

In other cases advertisement packets will be discarded.
When shutdown event is received, transit to Init state.
Note: Preemption mode is ignored if Owner router becomes available

Master state

When MASTER state is set, VRRP node is respond to ARP requests and forwarding traffic for the IP addresses associated with the VR.
Master router is sending advertisement packets within interval defined in VRRP configuration.
If advertisement packet is received by master node:

  • If priority is 0, send advertisement immediately;
  • If priority in advertisement packet is greater than nodes priority then transit to backup state
  • If priority in advertisement packet is equal to nodes priority and primary IP Address of the sender is greater than the local primary IP Address, then transit to backup state
  • Ignore advertisement in other cases

When shutdown event is received, send advertisement packet with priority=0 and transit to Init state.

Configuring VRRP

Setting up Virtual Router is quite easy, only two actions are required - create vrrp interface and set Virtual Routers IP address.
For example, add vrrp to ether1 and set VRs address to 192.168.1.1

/interface vrrp add interface=ether1
/ip address add address=192.168.1.1/32 interface=vrrp1

Notice that only 'interface' parameter was specified when adding vrrp. It is the only parameter required to be set manually, other parameters if not specified will be set to their defaults: vrid=1, priority=100 and authentication=none.
Note that address on VRRP interface must have /32 netmask.
Before VRRP can operate correctly correct IP address is required on ether1. In this example it is 192.168.1.2/24
VRRP Examples section contains several configuration examples.

Property reference

/interface vrrp

interface (string; Default: ) - interface name on which VRRP instance will be running run.

vrid (integer: 1..255; Default: 1) - Virtual Router identifier. Each Virtual router must have unique id number.

priority (integer: 1..254; Default: 100) - priority of VRRP node used in Master election algorithm. Higher number i higher priority. '255' is reserved to Router that owns VR IP and '0' is reserved for Master router to indicate that it is releasing responsibility.

interval (string; Default: 1) - VRRP update interval in seconds. Defines how often master sends advertisement packets.

preemption-mode (yes,no; Default: yes) - whether master node always has the priority. When set to 'no' backup node will not be elected to be a master until the current master fail even if the backup node has higher priority than the current master. This setting is ignored if Owner router becomes available

authentication (ah,none,simple; Default: none) - authentication method to use for VRRP advertisement packets.

none should be used only in low security networks (e.g., two VRRP nodes on LAN).
ah IP Authentication Header. This algorithm provides strong protection against configuration errors, replay attacks, and and packet corruption/modification. Recommended when there is limited control over the administration of nodes on a LAN.
simple uses clear text password. Protects against accidental misconfiguration of routers on local network.

password (string; Default: ) - password required for authentication. Can be ignored if authentication is not used.

name (string; Default: "vrrp[num]") - VRRP interface name.

on-backup (string; Default: ) - script to execute when the node switch to backup state.

on-master (string; Default: ) - script to execute when the node switch to master state.

There are two ways to add scripts to on-backup and on-master:

See more