
VRRP

VRRP (Virtual Router Redundancy Protocol) is a network protocol designed to increase the availability of routers that act as the default gateway. This is achieved by combining a group of routers into one virtual router and assigning them a common IP address, which computers on the network use as their default gateway.

Protocol Terminology

  • VRRP Router - a physical router that runs the VRRP protocol. It may participate in one or more virtual routers.
  • Virtual Router (VR) - an abstract object that VRRP manages. It serves as the "default router" for computers on the network. In practice, a virtual router is a group of router interfaces that are on the same network and share a Virtual Router Identifier (VRID) and a virtual IP address.
  • IP Address Owner - the VRRP router that has the IP address assigned to the virtual router configured as a real IP address on its interface.
  • VRRP advertisement (ADVERTISEMENT) - a message sent by the Master router.
  • Virtual IP address - the IP address assigned to the interface of one of the routers that make up the virtual router. It is also called the primary IP address (Primary IP Address). VRRP advertisements always use the virtual IP address as the sender address.
  • Virtual Router Master (VRRP Master router) - the VRRP router that is responsible for forwarding packets sent to the IP address associated with the virtual router and for answering ARP requests for this address. If the owner of the IP address is available, it always becomes Master.
  • Virtual Router Backup (VRRP Backup router) - the group of routers that are in standby mode, ready to take over the role of VRRP Master router as soon as the current VRRP Master router becomes unavailable.
  • Virtual MAC address (Virtual MAC) - 0000.5E00.01xx, where xx is the VRRP group number.

Protocol Description

VRRP is designed to increase the availability of routers that act as the default gateway.

Each router in a group is configured as a member of the virtual router. In practice, a virtual router is a group of router interfaces that are on the same network and share a Virtual Router Identifier (VRID) and a virtual IP address.

A VRRP router can participate in multiple virtual routers, each with a unique VRID / IP address combination. The mapping between VRID and IP address must be the same on all routers on the same network.

At any given time, only one of the physical routers forwards traffic, that is, it becomes the VRRP Master router; the rest of the routers in the group become VRRP Backup routers. If the current VRRP Master router becomes unavailable, the VRRP Backup router with the highest priority takes over its role. Setting priorities lets you define the preferred paths administratively.

A Backup router will not try to take over the Master role unless it has a higher priority than the current Master router. VRRP also allows you to administratively prohibit this preemption of the Master role. The only exception to this rule is that a VRRP router will always become Master if it owns the IP address that is assigned to the virtual router.

In each virtual router, only the Master sends periodic VRRP advertisements to the reserved multicast address 224.0.0.18. At the link layer, the virtual MAC address is used as the source MAC address of the VRRP advertisements.

Use

The first example is provided to understand how the protocol works. As a rule, such a scheme is not used in real networks.

Two routers, R1 and R2, are in the same broadcast segment, and their interfaces facing the local network are assigned the IP addresses 10.0.1.1 and 10.0.1.2 respectively. Computers on the network use R1 as the default gateway.

A virtual router is defined by associating a unique identifier (VRID) with an IP address that one of the routers owns. R1 is the owner of the IP address 10.0.1.1, and R2 is the owner of the IP address 10.0.1.2. For example, a virtual router is defined with VRID = 1 and the IP address 10.0.1.1. After VRRP is enabled on R1 for VRID = 1, R1 takes on the role of Master. Its priority is set to 255, since it is the owner of the IP address of the virtual router. After VRRP is enabled on router R2 for VRID = 1, R2 becomes a Backup router. Its priority is set to 100, since it does not own the IP address of the virtual router.

With these settings, if R1 is available, all computers send traffic through R1. If R1 fails for any reason, VRRP moves R2 into the Master role. After that, R2 is responsible for forwarding traffic that is sent to the IP address of the virtual router.

In the first example, the IP address of R2 is not backed up; it is used only as the address of R2's interface. The following example shows how to back up R2's IP address as well.

The second example uses the same topology as the first, but now the routers run two virtual routers and both routers forward traffic. This scheme is preferable to the previous one for use in real networks.

Half of the computers use R1 as the default gateway, the other half use R2. The settings of the virtual router with VRID = 1 remain exactly the same as in the first example. A second virtual router with VRID = 2 and IP address 10.0.1.2 is added. For this virtual router, R2 will serve as Master, and R1 will be Backup.

This example provides not only redundancy for the default router, but also load balancing between the two routers.

Although only two routers were used in both examples, there may be more routers. Then there will be one Master and several Backups, and if the Master router fails, the priority assigned to the Backup routers will determine which one will be the new Master (if the priority is greater, the router becomes Master). If the routers have the same priority values, then their IP addresses are compared - the one with the larger IP address will be Master.

Typically, IP addresses are assigned to computers using DHCP. In the second example, the DHCP server should give half of the computers on the subnet 10.0.1.1 as the IP address of the default router, and the other half 10.0.1.2. This can be implemented using DHCP option 82. The idea is to give computers that are connected to different switches different default gateway IP addresses.

VRRP Packet Format

VRRP packets communicate to all VRRP routers the status and priority of the Master router associated with the VRID.

VRRP packets are encapsulated in IP packets and sent to the multicast address that is reserved for VRRP.

     0                   1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |Version| Type  | Virtual Rtr ID|   Priority    | Count IP Addrs|
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |   Auth Type   |   Adver Int   |          Checksum             |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                         IP Address (1)                        |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                            .                                  |
    |                            .                                  |
    |                            .                                  |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                         IP Address (n)                        |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                     Authentication Data (1)                   |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                     Authentication Data (2)                   |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Packet fields:

  • Version - protocol version. The current version is 2.
  • Type - type of VRRP packet:
    • Packets with an unknown packet type must be discarded,
    • The only packet type that is defined in the current version of the protocol: 1 - ADVERTISEMENT,
  • Virtual Rtr ID (VRID) - identifies the virtual router whose status the packet reports:
    • The range of values is from 1 to 255,
  • Priority - indicates the priority of the VRRP router that sends the packet. The higher the field value, the higher the priority:
    • The priority of the router that owns the IP address (or addresses) must be 255,
    • For other routers, the priority value should be in the range from 1 to 254. The default priority is 100,
    • A priority value of 0 has a special purpose - it indicates that the current Master has stopped participating in VRRP. This is used to move Backup routers into the Master role quickly, without waiting for the timer to expire,
  • Count IP Addrs - the number of IP addresses contained in this VRRP advertisement.
  • Authentication Type (Auth Type) - the authentication type in use:
    • Must be unique to a virtual router,
    • A packet whose authentication type does not match the locally configured authentication type, or which has an unknown authentication type, should be discarded,
    • The authentication types defined are:
      • 0 - No Authentication - authentication is not used. The Authentication Data field contains 0,
      • 1 - Reserved - a reserved value that is used for compatibility with RFC 2338,
      • 2 - Reserved - a reserved value that is used for compatibility with RFC 2338,
  • Advertisement Interval (Adver Int) - the interval (in seconds) between VRRP advertisements. The default is 1 second;
  • Checksum - the checksum of the VRRP packet;
  • IP Address(es) - one or more IP addresses that are associated with the virtual router;
  • Authentication Data - this field is used for compatibility with RFC 2338. Must be set to 0 and ignored on receipt.

IP packet fields

Since VRRP packets are encapsulated in IP packets, the values of some fields of the IP packet are described below:

  • Sender IP address - the primary IP address of the interface from which the packet is sent;
  • Recipient IP address - the multicast address 224.0.0.18. Since this address is in the link-local scope, routers do not forward a packet with this destination address, regardless of the TTL value;
  • TTL - set to 255. A VRRP router that receives a packet with a different TTL value should discard the packet;
  • Protocol - the VRRP protocol is assigned the number 112.
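
The receive-side checks that follow from the packet and IP field descriptions above, as an added example that is not part of the original article or of any router's code. The names `check_advert`, `inet_checksum` and `sample_advert` are hypothetical, and the sample packet is constructed from the article's first example (VRID 1, address 10.0.1.1).

```python
import ipaddress
import struct

VRRP_PROTO, VRRP_TTL = 112, 255   # values from the "IP packet fields" list

def inet_checksum(data: bytes) -> int:
    """16-bit one's-complement Internet checksum over the whole VRRP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def check_advert(ip_proto, ip_ttl, payload, local_auth_type=0):
    """Return (fields, None) if accepted, or (None, reason) if the packet is dropped."""
    if ip_proto != VRRP_PROTO:
        return None, "not IP protocol 112"
    if ip_ttl != VRRP_TTL:             # a TTL below 255 means the packet crossed a router
        return None, "TTL is not 255"
    if len(payload) < 8:
        return None, "truncated header"
    vt, vrid, prio, count, auth, adver, _ = struct.unpack("!BBBBBBH", payload[:8])
    if vt >> 4 != 2:
        return None, "unsupported version"
    if vt & 0x0F != 1:                 # 1 = ADVERTISEMENT, the only defined type
        return None, "unknown packet type"
    if len(payload) != 8 + 4 * count + 8:   # header + addresses + Authentication Data
        return None, "length does not match Count IP Addrs"
    if inet_checksum(payload) != 0:    # a valid message sums to zero with its checksum
        return None, "bad checksum"
    if vrid == 0:
        return None, "VRID out of range"
    if auth != local_auth_type:
        return None, "authentication type mismatch"
    addrs = [str(ipaddress.IPv4Address(payload[8 + 4 * i:12 + 4 * i])) for i in range(count)]
    return {"vrid": vrid, "priority": prio, "adver_int": adver, "addresses": addrs}, None

def sample_advert(vrid=1, priority=255, addrs=("10.0.1.1",)):
    """Constructed sample: a well-formed version 2 advertisement with a valid checksum."""
    body = struct.pack("!BBBBBBH", 0x21, vrid, priority, len(addrs), 0, 1, 0)
    body += b"".join(ipaddress.IPv4Address(a).packed for a in addrs) + bytes(8)
    return body[:6] + struct.pack("!H", inet_checksum(body)) + body[8:]
```

The TTL check is the one that matters most for filtering: a packet that arrives with TTL 255 cannot have been forwarded by a router, so it originated on the local segment.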

Virtual Router Settings

Virtual Router Settings:

  • Virtual Router Identifier (VRID) - a configurable value between 1 and 255. There is no default value
  • Priority - the priority value that this VRRP router will use in the Master election for this virtual router:
    • The value 255 is reserved for the router that owns the IP address associated with the virtual router
    • The value 0 is reserved for the Master router to inform Backup routers that it has given up responsibility for the virtual router
    • The value range 1-254 is available for Backup routers. The default priority is 100.
  • IP Address - one or more IP addresses assigned to the virtual router. No default value
  • Advertisement_Interval - the time interval between advertisements. Default 1 second
  • Skew Time - the time (in seconds) that is used to skew the Master Down Interval.
    Calculated by the formula: ((256 - Priority) / 256)
  • Master Down Interval - the time interval after which the Backup router becomes the Master router.
    Calculated by the formula: (3 * Advertisement Interval) + Skew time
  • Preempt mode - controls whether a Backup router with a higher priority will try to take over the Master role from the current Master router with a lower priority.
    • An exception to this rule is that a VRRP router will always become Master if it owns the IP address that is assigned to the virtual router, regardless of this flag.
    • Possible values for preempt mode:
      • True (default value) - allow preempting the Master role
      • False - prohibit preempting the Master role
  • Authentication type
  • Authentication Data

VRRP Timers

  • Adver Timer - a timer that triggers the sending of a VRRP advertisement, based on the Advertisement Interval
  • Master Down Timer - a timer that fires when no VRRP advertisement arrives during the Master Down Interval

Description of Router

Possible states:

  • Initialize
  • Backup
  • Master (primary)

State transition diagram:

Initialize

The purpose of the Initialize state is to wait for a Startup event.

If VRRP is enabled on the router, then:

  • If the priority is 255 (the router owns the IP address assigned to the virtual router):
    • Send a VRRP advertisement
    • Send a gratuitous ARP request containing the MAC address of the virtual router for each IP address associated with the virtual router
    • Set Adver Timer to Advertisement Interval
    • Go to the Master state
  • otherwise:
    • Set Master Down Timer to Master Down Interval
    • Go to the Backup state

Backup

The purpose of the Backup state is to monitor the availability and status of the Master router.

When the VRRP router is in this state, it should do the following:

  • Should not respond to ARP requests for the IP address associated with the virtual router
  • Must drop packets with the destination MAC address equal to the MAC address of the virtual router
  • Should not accept packets sent to the IP address associated with the virtual router
  • If VRRP is disabled on the router (Shutdown event), then:
    • Cancel Master Down Timer
    • Go to the Initialize state
  • If the Master Down Timer fires, then:
    • Send a VRRP advertisement
    • Send a gratuitous ARP request containing the MAC address of the virtual router for each IP address associated with the virtual router
    • Set Adver Timer to Advertisement Interval
    • Go to the Master state
  • If a VRRP advertisement is received, then:
    • If the priority in the VRRP advertisement is 0, then:
      • Set Master Down Timer to Skew Time
    • otherwise:
      • If the Preempt value is False or if the priority in the received VRRP advertisement is greater than or equal to the local priority, then:
        • Reset Master Down Timer to Master Down Interval
      • otherwise:
        • Discard the VRRP advertisement

Master

In the Master state, the router is responsible for forwarding packets sent to the IP address associated with the virtual router.

When the VRRP router is in this state, it should do the following:

  • Must respond to ARP requests for the IP address associated with the virtual router
  • Must process packets with the destination MAC address equal to the MAC address of the virtual router
  • Should not accept packets sent to the IP address associated with the virtual router, if it does not own the IP address
  • Must accept packets sent to the IP address associated with the virtual router, if it is the owner of the IP address
  • If VRRP is disabled on the router (Shutdown event), then:
    • Cancel Adver Timer
    • Send a VRRP advertisement with Priority 0
    • Go to the Initialize state
  • If Adver Timer fires, then:
    • Send a VRRP advertisement
    • Reset Adver Timer to Advertisement Interval
  • If a VRRP advertisement is received, then:
    • If the priority in the VRRP advertisement is 0, then:
      • Send a VRRP advertisement
      • Reset Adver Timer to Advertisement Interval
    • otherwise:
      • If the priority in the received VRRP advertisement is greater than the local priority, or if the priority in the received VRRP advertisement is equal to the local priority and the primary IP address of the sender is greater than the local primary IP address, then:
        • Cancel Adver Timer
        • Set Master Down Timer to Master Down Interval
        • Go to the Backup state
      • otherwise:
        • Discard the VRRP advertisement
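
The Initialize, Backup and Master transitions and the Skew Time / Master Down Interval formulas, worked through as an added example that is not part of the original article. The class `VirtualRouter`, its method names and the action strings it returns are hypothetical; timers are modelled as `(name, seconds)` tuples rather than real timers.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class VirtualRouter:
    priority: int              # 255 = IP address owner, 1-254 otherwise
    primary_ip: str            # real interface address, used for the tie-break
    adver_int: int = 1         # Advertisement Interval, seconds
    preempt: bool = True
    state: str = "Initialize"

    def skew_time(self) -> float:
        return (256 - self.priority) / 256

    def master_down_interval(self) -> float:
        return 3 * self.adver_int + self.skew_time()

    def _become_master(self):
        self.state = "Master"
        return ["send advertisement", "send gratuitous ARP", ("Adver Timer", self.adver_int)]

    def startup(self):
        if self.priority == 255:           # the address owner goes straight to Master
            return self._become_master()
        self.state = "Backup"
        return [("Master Down Timer", self.master_down_interval())]

    def master_down_timer_fired(self):
        return self._become_master() if self.state == "Backup" else []

    def on_advert(self, adv_priority: int, adv_src_ip: str):
        if self.state == "Backup":
            if adv_priority == 0:          # Master is resigning: wait only Skew Time
                return [("Master Down Timer", self.skew_time())]
            if not self.preempt or adv_priority >= self.priority:
                return [("Master Down Timer", self.master_down_interval())]
            return ["discard"]             # timer keeps running, so this router will preempt
        if self.state == "Master":
            if adv_priority == 0:
                return ["send advertisement", ("Adver Timer", self.adver_int)]
            higher_ip = ipaddress.ip_address(adv_src_ip) > ipaddress.ip_address(self.primary_ip)
            if adv_priority > self.priority or (adv_priority == self.priority and higher_ip):
                self.state = "Backup"
                return ["cancel Adver Timer", ("Master Down Timer", self.master_down_interval())]
            return ["discard"]
        return []
```

For R2 in the first example (priority 100, 1-second interval) the Skew Time is 156/256 = 0.609375 s and the Master Down Interval is 3.609375 s, so routers with higher priority time out sooner and win the election.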

See also

  • CARP (a free and secure alternative to VRRP)

Links

  • http://xgu.ru/wiki/VRRP
  • https://web.archive.org/web/20180924233703/http://blog.sbolshakov.ru/6-2-5-ha-vrrp/
  • https://www.cisco.com/c/en/us/support/docs/security/vpn-3000-series-concentrators/7210-vrrp.html
  • https://tools.ietf.org/html/rfc2338
Source - https://ru.wikipedia.org/w/index.php?title=VRRP&oldid=101840492

