Manual:Interface/VRRP: Difference between revisions
No edit summary |
No edit summary |
||
Line 76: | Line 76: | ||
<h2>Configuring VRRP</h2> | <h2>Configuring VRRP</h2> | ||
<p> | <p> | ||
Setting up Virtual Router is quite easy, only two actions are required - create vrrp interface and set Virtual Routers IP address. | |||
For example, add vrrp to ether1 and set VRs address to 192.168.1.1 | |||
<pre> | <pre> | ||
/interface vrrp add interface=ether1 | /interface vrrp add interface=ether1 | ||
/ip address add address=192.168.1.1/32 interface=vrrp1 | |||
</pre> | </pre> | ||
Notice that only 'interface' parameter was specified when adding vrrp. It is the only parameter required to be set manually, other parameters if not specified will be set to their defaults: <code>vrid=1, priority=100</code> and <code>authentication=none</code>.<br /> | |||
Before VRRP can operate correctly | Note that address on VRRP interface must have /32 netmask. | ||
Before VRRP can operate correctly correct IP address is required on ether1. In this example it is <code>192.168.1.2/24 </code> | |||
</p> | </p> | ||
<h2>Property reference</h2> | <h2>Property reference</h2> | ||
<h3>/interface vrrp</h3> | <h3>/interface vrrp</h3> |
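Review bot: the ether1 sentence at the end of the changed paragraph repeats a word ("correctly correct IP address") and the /32 note is missing its articles; suggest "Note that the address on the VRRP interface must have a /32 netmask. Before VRRP can operate, a valid IP address must be configured on ether1." The paragraph also leaves the example on the default authentication=none without comment, so a pointer to the authentication property in the property reference would help readers judge whether that default is acceptable on their LAN.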
Revision as of 07:35, 3 October 2008
Summary
Sub-menu level: /interface vrrp
This chapter describes the Virtual Router Redundancy Protocol (VRRP) support in RouterOS.
On larger LANs, dynamic routing protocols (OSPF or RIP) are mostly used; however, there are a number of factors that may make it undesirable to use dynamic routing protocols. One alternative is to use static routing, but if the statically configured first hop fails, the host will not be able to communicate with other hosts.
Virtual Router Redundancy Protocol (VRRP) provides a solution by combining a number of routers into a logical group called a Virtual Router (VR). The VRRP implementation in RouterOS is compliant with RFC 2338, and any modern router supports this protocol.
Virtual Router Redundancy Protocol
The purpose of the VRRP packet is to communicate to all VRRP routers associated with the Virtual Router ID.
Over Ethernet, VRRP routers use a common MAC address of the format 00:00:5E:00:01:XX. The last octet is the VRID converted to hex. For example, if the Virtual Router's VRID is 49, then the Virtual Router's MAC address will be 00:00:5E:00:01:31.
VRRP packets are encapsulated in IP packets and are sent to an IPv4 multicast address. The IP multicast address assigned by the IANA for VRRP is 224.0.0.18, and the VRRP protocol number is 112.
Router will drop any VRRP packet if TTL is not 255.
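The checks described above, applied to a raw IPv4 packet, as an added example that is not part of the original manual or of RouterOS. The function names are hypothetical, the VRRP header layout and authentication type codes follow RFC 2338, and the sample packet is constructed with zeroed checksums, which this sketch does not verify.

```python
import ipaddress
import struct

VRRP_PROTO = 112  # IP protocol number carried by VRRP packets
VRRP_GROUP = ipaddress.IPv4Address("224.0.0.18")
AUTH_NAMES = {0: "none", 1: "simple", 2: "ah"}  # RFC 2338 auth type codes


def virtual_mac(vrid):
    """Return the virtual router MAC 00:00:5E:00:01:XX for a VRID (1..255)."""
    if not 1 <= vrid <= 255:
        raise ValueError("VRID must be in 1..255")
    return f"00:00:5E:00:01:{vrid:02X}"


def check_advertisement(packet):
    """Parse an IPv4 packet and list the reasons it is not a valid VRRP packet."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ihl = (packet[0] & 0x0F) * 4          # IPv4 header length in bytes
    ttl, proto = packet[8], packet[9]
    dst = ipaddress.IPv4Address(packet[16:20])
    problems = []
    if proto != VRRP_PROTO:
        problems.append(f"protocol {proto} is not 112")
    if dst != VRRP_GROUP:
        problems.append(f"destination {dst} is not 224.0.0.18")
    if ttl != 255:
        problems.append(f"TTL {ttl} is not 255")
    body = packet[ihl:]
    if len(body) < 8:
        raise ValueError("truncated VRRP header")
    ver_type, vrid, priority, _count, auth, interval = struct.unpack("!6B", body[:6])
    return {
        "version": ver_type >> 4, "vrid": vrid, "priority": priority,
        "auth": AUTH_NAMES.get(auth, f"unknown({auth})"), "interval": interval,
        "mac": virtual_mac(vrid) if vrid else None, "problems": problems,
    }


def build_sample(ttl, vrid=49, priority=100):
    """Constructed sample: IPv4 header plus a VRRPv2 advertisement, checksums zeroed."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, ttl, VRRP_PROTO, 0,
                     ipaddress.IPv4Address("192.168.1.2").packed, VRRP_GROUP.packed)
    vrrp = struct.pack("!6BH4s8s", 0x21, vrid, priority, 1, 0, 1, 0,
                       ipaddress.IPv4Address("192.168.1.1").packed, b"\0" * 8)
    return ip + vrrp
```

A packet built with TTL 255 yields an empty `problems` list, while the same packet with TTL 64 is flagged; the `auth` field shows which of the authentication types from the property reference the sender used.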
VRRP state machine
Diagram below shows VRRP state transition flow
As you can see from the diagram, each VRRP node can be in one of three states:
- Init state
- Backup state
- Master state
Init state
The purpose of this state is to wait for a Startup event. When this event is received, the following actions are taken:
- if priority is 255, then send advertisement packet, broadcast ARP requests and transit to MASTER state;
- else transit to BACKUP state.
Backup state
When in backup state, the node does not respond to ARP requests and does not forward traffic for the IP associated with the VR.
The router's main task is to receive advertisement packets and check whether the master node is available.
A backup router will send out advertisement packets, broadcast ARP requests and transit itself to master state in two cases:
- If priority in advertisement packet is 0;
- When Preemption_Mode is set to no, or Priority in the ADVERTISEMENT is greater than or equal to the local Priority
In other cases advertisement packets will be discarded.
When shutdown event is received, transit to Init state.
Master state
When MASTER state is set, the VRRP node responds to ARP requests and forwards traffic for the IP addresses associated with the VR.
The master router sends advertisement packets at the interval defined in the VRRP configuration.
If an advertisement packet is received by the master node:
- If priority is 0, send advertisement immediately;
- If priority in the advertisement packet is greater than the node's priority, then transit to backup state;
- If priority in the advertisement packet is equal to the node's priority and the primary IP address of the sender is greater than the local primary IP address, then transit to backup state;
- Ignore advertisement in other cases
When shutdown event is received, send advertisement packet with priority=0 and transit to Init state.
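The Master-state rules above as a decision function, added here as an example and not taken from RouterOS; the function and enum names are hypothetical. It compares primary addresses numerically, because comparing dotted strings would rank 192.168.1.9 above 192.168.1.10 and resolve the tie-break the wrong way.

```python
import ipaddress
from enum import Enum


class Action(Enum):
    SEND_ADVERTISEMENT = "send advertisement immediately"
    TO_BACKUP = "transit to backup state"
    IGNORE = "ignore advertisement"


def master_on_advertisement(local_priority, local_ip, adv_priority, sender_ip):
    """Decide what a node in Master state does with a received advertisement."""
    if adv_priority == 0:
        # The sender is releasing the master role; re-assert mastership at once.
        return Action.SEND_ADVERTISEMENT
    if adv_priority > local_priority:
        return Action.TO_BACKUP
    # Equal priority: tie-break on primary IP address, compared as numbers.
    if adv_priority == local_priority and (
        ipaddress.IPv4Address(sender_ip) > ipaddress.IPv4Address(local_ip)
    ):
        return Action.TO_BACKUP
    return Action.IGNORE
```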
Configuring VRRP
Setting up a Virtual Router is quite easy; only two actions are required: create a vrrp interface and set the Virtual Router's IP address. For example, add vrrp to ether1 and set the VR's address to 192.168.1.1:

    /interface vrrp add interface=ether1
    /ip address add address=192.168.1.1/32 interface=vrrp1

Notice that only the 'interface' parameter was specified when adding vrrp. It is the only parameter that must be set manually; other parameters, if not specified, will be set to their defaults: vrid=1, priority=100 and authentication=none.
Note that the address on the VRRP interface must have a /32 netmask.
Before VRRP can operate correctly, a correct IP address is required on ether1. In this example it is 192.168.1.2/24.
Property reference
/interface vrrp
interface (string; Default: ) - name of the interface on which the VRRP instance will run.
vrid (integer: 1..255; Default: 1) - Virtual Router identifier. Each Virtual Router must have a unique ID number.
priority (integer: 1..254; Default: 100) - priority of the VRRP node used in the Master election algorithm. A higher number means higher priority. '255' is reserved for the router that owns the VR IP and '0' is reserved for the Master router to indicate that it is releasing responsibility.
interval (string; Default: 1) - VRRP update interval in seconds. Defines how often the master sends advertisement packets.
preemption-mode (yes,no; Default: yes) - whether the master node always has the priority. When set to 'no', a backup node will not be elected master until the current master fails, even if the backup node has higher priority than the current master.
authentication (ah,none,simple; Default: none) - authentication method to use for VRRP advertisement packets.
Type | Description |
---|---|
none | should be used only in low security networks (e.g., two VRRP nodes on LAN). |
ah | IP Authentication Header. This algorithm provides strong protection against configuration errors, replay attacks, and packet corruption/modification. Recommended when there is limited control over the administration of nodes on a LAN. |
simple | uses clear text password. Protects against accidental misconfiguration of routers on local network. |
password (string; Default: ) - password required for authentication. Can be ignored if authentication is not used.
name (string; Default: "vrrp[num]") - VRRP interface name.
on-backup (string; Default: ) - script to execute when the node switches to backup state.
on-master (string; Default: ) - script to execute when the node switches to master state.
There are two ways to add scripts to on-backup and on-master:
- specify the name of a script added to the script repository
- write the script directly by enclosing it in braces '{ }'.