Shulou(Shulou.com)06/01 Report--

An overview of the agreement

In the network based on TCP/IP protocol, routing must be specified in order to ensure the communication between devices that are not physically connected directly. At present, there are two commonly used methods to specify routes: one is dynamic learning through routing protocols (such as internal routing protocols RIP and OSPF), and the other is static configuration. It is not realistic to run dynamic routing protocols on every terminal, and most client operating system platforms do not support dynamic routing protocols, so static routing configuration for terminal IP devices is generally adopted, usually assigning one or more default gateways (Default Gateway) to terminal devices. The static routing method simplifies the complexity of network management and reduces the communication overhead of terminal devices, but it still has a disadvantage: if the router as the default gateway is damaged, all communications using the gateway as the next-hop host are bound to be interrupted. Even if multiple default gateways are configured, you cannot switch to a new gateway without restarting the terminal device. Virtual routing redundancy protocol (Virtual Router Redundancy Protocol, referred to as VRRP) can avoid the defect of statically designated gateway.

In VRRP protocol, there are two groups of important concepts: VRRP router and virtual router, master router and backup router. VRRP router refers to the router running VRRP, is a physical entity, and virtual router refers to the creation of VRRP protocol, which is a logical concept. A group of VRRP routers work together to form a virtual router. The virtual router is represented as a logical router with a unique fixed IP address and a MAC address. The routers in the same VRRP group have two mutually exclusive roles: master router and backup router, and only one router in a VRRP group is in the master role. There can be one or more routers in the backup role. VRRP uses the selection strategy to select one from the router group as the master, responsible for ARP corresponding and forwarding IP packets, and other routers in the group are on standby as backup roles. When the master router fails for some reason, the backup router can be upgraded to the primary router with a delay of several seconds. Because the switch is very fast and does not need to change the IP address and MAC address, it is transparent to the end-user system.

Second working principle

A VRRP router has a unique identity: VRID, which ranges from 0 to 255.

There is only one kind of VRRP control message: VRRP Notification (advertisement), which is encapsulated by IP multicast packets with a group address of 224.0.0.18. The distribution scope is limited to the same local area network. This ensures that VRID can be reused in different networks. In order to reduce the network bandwidth consumption, only the host router can send VRRP advertisement messages periodically. The backup router starts a new round of VRRP election after receiving no VRRP or a priority of 0 advertisement in three consecutive advertisement intervals.

In the VRRP router group, the master router is elected according to the priority, and the priority range in the VRRP protocol is 0-255.

If the IP address of the VRRP router is the same as the interface IP address of the virtual router, the virtual router is said to be the IP address owner in the VRRP group, and the IP address owner automatically has the highest priority: 255. the IP address owner automatically has the highest priority. Priority 0 is generally used when the IP address owner actively relinquishes the role of master. The configurable priority range is 1-254. For candidate routers with the same priority, are elected according to the order of IP address size?

VRRP also provides a priority preemption strategy. If this policy is configured, the high-priority backup router will deprive the current low-priority master router and become the new master router.

In order to ensure the security of VRRP protocol, two security authentication measures are provided: plaintext authentication and IP header authentication. Plaintext authentication requires that when joining a VRRP router group, the same VRID and plaintext password must be provided at the same time. It is suitable to avoid configuration errors in the local area network, but it can not prevent obtaining passwords through network monitoring. IP header authentication provides higher security and can prevent message playback and modification.

Vrrp configuration of three vyos

The experimental environment is virtualized. The eth0 of vyos-01 and 02 are under the same vlan 280and the eth2 is under the same vlan100.

Virtual machine name

Port interface ipvridvirtual ip

Prioritypreemptvyos-01eth010.10.10.1/3010

192.168.28.135

150truevyos-02eth010.10.10.2/30100

Vyos-01eth2192.168.100.3/24100

192.168.100.1

150truevyos-02eth2192.168.100.2/24100

As shown in the above table, configure two groups of vrrp, one set of vrid is 10, the other group is 100. The two groups are configured as the same synchronous group, and when one group of vrrp fails over, the other group randomly switches over.

The configuration of vyos-01 is as follows:

Set interfaces ethernet eth0 address' 10.10.10.1Compact 30'-- configure the eth0 interface address

Set interfaces ethernet eth0 vrrp vrrp-group 10 advertise-interval'1'-configure vrrp hello message interval (default, can not be configured)

Set interfaces ethernet eth0 vrrp vrrp-group 10 preempt 'true'-configure vrrp preemption mode on

Set interfaces ethernet eth0 vrrp vrrp-group 10 priority '150mm-configure the priority of the vrrp

Set interfaces ethernet eth0 vrrp vrrp-group 10 sync-group 'asdf'-configure the synchronization group for vrrp

Set interfaces ethernet eth0 vrrp vrrp-group 10 virtual-address' 192.168.28.135Universe 24'-- vip address configured with vrrp

Set interfaces ethernet eth2 address' 192.168.100.3 Universe 24'

Set interfaces ethernet eth2 vrrp vrrp-group 100 priority '150'

Set interfaces ethernet eth2 vrrp vrrp-group 100sync-group 'asdf'

Set interfaces ethernet eth2 vrrp vrrp-group 100 virtual-address' 192.168.100.1 Universe 24'

The configuration of vyos-02 is as follows:

Set interfaces ethernet eth0 address' 10.10.10.2 Compact 30'-- configure the eth0 interface address

Set interfaces ethernet eth0 vrrp vrrp-group 10 advertise-interval'1'-configure the interval between vrrp hello messages

Set interfaces ethernet eth0 vrrp vrrp-group 10 preempt 'true'-configure vrrp preemption mode on

Set interfaces ethernet eth0 vrrp vrrp-group 10 priority '100ml-configure the priority of the vrrp

Set interfaces ethernet eth0 vrrp vrrp-group 10 sync-group 'asdf'-configure the synchronization group for vrrp

Set interfaces ethernet eth0 vrrp vrrp-group 10 virtual-address' 192.168.28.135Universe 24'-- vip address configured with vrrp

Set interfaces ethernet eth2 address' 192.168.100.2Mather 24'

Set interfaces ethernet eth2 vrrp vrrp-group 100 priority '100'

Set interfaces ethernet eth2 vrrp vrrp-group 100sync-group 'asdf'

Set interfaces ethernet eth2 vrrp vrrp-group 100 virtual-address' 192.168.100.1 Universe 24'

Commit and save after configuration.

Then check the vrrp status on both sides, as follows

Vyos@vyos-01:~$ show vrrp

RFC Addr Last Sync

Interface Group State Compliant Owner Transition Group

Eth0 10 MASTER no no 22m52s asdf

Eth2 100 MASTER no no 22m52s asdf

In the process of handover, three packets will be lost, which reflects that the hello message of vrrp starts the handover of vrrp after it is not received for three consecutive cycles.

Disconnect the eth0 port of vyos-01, and then check the vrrp status as shown in

You can see from the figure that after the vyos-01 port down, both vrrp groups on vyos-01 become fault, while those on vyos-02 switch to master state. The synchronous switch was carried out successfully.

After the eth0 of vyos-01 is restored, the vrrp status is as follows:

Vyos-01 resumes master, and preemption mode is set successfully.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.