This chapter describes the Virtual Router Redundancy Protocol (VRRP) support in RouterOS.
Mostly on larger LANs dynamic routing protocols ((OSPF or RIP)) are used, however there are number of factors that may make undesirable to use dynamic routing protocols. One alternitive is to use static routing, but if statically configured first hop fails, then host will not be able to communicate with other hosts.
Virtual Router Redundancy Protocol (VRRP) provides a solution by combining number of routers into logical group called Virtual Router (VR). VRRP implementation in RouterOS is compliant to RFC2338. Many modern routers support this protocol.
Virtual Router Redundancy Protocol
The purpose of the VRRP packet is to communicate to all VRRP routers associated with the Virtual Router ID.
VRRP packets are encapsulated in IP packets and are sent to the IPv4 multicast address. IP multicast address assigned by the IANA for VRRP is 184.108.40.206 and VRRP protocol number is /112
Router will drop any VRRP packet if TTL is not 255.
VRRP state machine
Each VRRP node can be in one of three states:
- Init state
- Backup state
- Master state
Diagram below shows VRRP state transition flow.
Basic requirements before VRRP can operate correctly are:
- added vrrp interface where interface, vrid, authentication and priority parameters are configured properly;
- IP address on master interface;
- /32 IP address on VRRP interface from the same network as on master interface;
To create virtual router on an ethernet interface use the command:
/interface vrrp add interface=ether1
When adding new VRRP interface, you have to specify only master interface, otehr parameters are set to their default values:
vrid=1, priority=100 and
interface (string; Default: ) - interface name on which VRRP instance will be running run.
vrid (integer: 1..255; Default: 1) - Virtual Router identifier. Each Virtual router must have unique id number.
priority (integer: 1..254; Default: 100) - priority of VRRP node used in Master election algorithm. Higher number i higher priority. '255' is reserved to Router that owns VR IP and '0' is reserved for Master router to indicate that it is releasing responsibility.
interval (string; Default: 1) - VRRP update interval in seconds. Defines how often master sends advertisement packets.
preemption-mode (yes,no; Default: yes) - whether master node always has the priority. When set to 'no' backup node will not be elected to be a master until the current master fail even if the backup node has higher priority than the current master.
authentication (ah,none,simple; Default: none) - authentication method to use for VRRP advertisement packets.
|none||should be used only in low security networks (e.g., two VRRP nodes on LAN).|
|ah||IP Authentication Header. This algorithm provides strong protection against configuration errors, replay attacks, and and packet corruption/modification. Recommended when there is limited control over the administration of nodes on a LAN.|
|simple||uses clear text password. Protects against accidental misconfiguration of routers on local network.|
password (string; Default: ) - password required for authentication. Can be ignored if authentication is not used.
name (string; Default: "vrrp[num]") - VRRP interface name.
on-backup (string; Default: ) - script to execute when the node switch to backup state.
on-master (string; Default: ) - script to execute when the node switch to master state.
There are two ways to add scripts to on-backup and on-master: