
VRRP protocol

2025-01-17 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

Introduction of VRRP

VRRP (Virtual Router Redundancy Protocol) is a fault-tolerant protocol. Usually, all hosts in a network set a default route, so that messages sent by a host to a destination address outside the local network segment are sent to router RouterA through the default route, which is how the host communicates with the external network. When RouterA goes down, all hosts in this network segment that use RouterA as the next hop of their default route lose communication with the outside: RouterA is a single point of failure. VRRP was proposed to solve this problem. It is designed for local area networks (such as Ethernet) with multicast or broadcast capabilities.

VRRP organizes a group of routers in a local area network (one Master active router and several Backup routers) into a virtual router, which is called a backup group. The virtual router has its own IP address, 10.100.10.1 (this IP address can be the same as the interface address of a router in the backup group, which is then called the IP owner), and each router in the backup group also has its own IP address (for example, the IP address of the Master is 10.100.10.2 and the IP address of the Backup is 10.100.10.3). The hosts in the LAN only know the IP address 10.100.10.1 of the virtual router; they do not know the IP address 10.100.10.2 of the Master router or the IP address 10.100.10.3 of the Backup router. [1] They set the next-hop address of their default route to the IP address of the virtual router, 10.100.10.1. As a result, hosts in the network communicate with other networks through this virtual router. If the Master router in the backup group goes down, the Backup routers select a new Master router through the election strategy, and it continues to provide routing services to hosts in the network. Thus, the hosts in the network can communicate with the external network without interruption.

Working principle

A VRRP router has a unique identity: the VRID, in the range of 0-255. To the outside, the router is represented by a unique virtual MAC address in the format 00-00-5e-00-01-[VRID]. The master router is responsible for responding to ARP requests with this MAC address, so that, however the master role switches, the terminal device is given a unique and consistent IP and MAC address, reducing the impact of handover on the terminal device. [3]

There is only one type of VRRP control message: the VRRP advertisement, which is encapsulated in IP multicast packets. The group address is 224.0.0.18, and the distribution scope is limited to the same local area network, which ensures that a VRID can be reused in different networks. In order to reduce network bandwidth consumption, only the master router periodically sends VRRP advertisement messages. A backup router initiates a new round of VRRP election if it receives no VRRP advertisement within three consecutive advertisement intervals, or if it receives an advertisement with priority 0. [3]

In the VRRP router group, the master router is elected by priority. The priority range in the VRRP protocol is 0-255. If the interface IP address of a VRRP router is the same as the IP address of the virtual router, that router is said to be the IP address owner in the VRRP group. The IP address owner automatically has the highest priority: 255. Priority 0 is generally used when the IP address owner actively abandons the master role. The configurable priority range is 1-254; the priority can be set according to the speed and cost of the link, router performance and reliability, and other management policies. In the election of the master router, the high-priority virtual router wins, so if there is an IP address owner in the VRRP group, it always takes the role of master router. For candidate routers with the same priority, the election is decided according to the order of their IP addresses. VRRP also provides a priority preemption strategy. If this policy is configured, a high-priority backup router will take over from the current low-priority master router and become the new master router. [3]
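The election and preemption rules above, written out as an added example (not code from the original article). The names `Router`, `on_advertisement` and `elect` and the priorities are constructed for illustration; the skew time and the "higher IP address wins a tie" rule follow RFC 3768 and are not stated in the article.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address

@dataclass
class Router:
    ip: str
    priority: int               # 255 = IP address owner, 1-254 configurable
    preempt: bool = True
    advert_interval: float = 1.0

    def master_down_interval(self) -> float:
        # Three advertisement intervals plus the RFC 3768 skew time, so the
        # highest-priority backup is the first to notice a dead master.
        return 3 * self.advert_interval + (256 - self.priority) / 256

def beats(a_prio, a_ip, b_prio, b_ip) -> bool:
    """True if router a wins against router b: priority first, then IP address."""
    return (a_prio, IPv4Address(a_ip)) > (b_prio, IPv4Address(b_ip))

def on_advertisement(me: Router, state: str, adv_prio: int, adv_ip: str) -> str:
    """Action taken by `me` (in state 'master' or 'backup') on an advertisement."""
    if state == "master":
        if adv_prio == 0:
            return "send advertisement now"   # another master resigned
        if beats(adv_prio, adv_ip, me.priority, me.ip):
            return "become backup"
        return "ignore"
    if adv_prio == 0:
        return "start election"               # do not wait three intervals
    if not me.preempt or adv_prio >= me.priority:
        return "reset master-down timer"      # accept the current master
    return "ignore"                           # timer runs out, then preempt

def elect(routers):
    """Winner when every listed router is up and claims the master role."""
    return max(routers, key=lambda r: (r.priority, IPv4Address(r.ip)))

if __name__ == "__main__":
    master = Router("10.100.10.2", 200)       # constructed priorities
    backup = Router("10.100.10.3", 100)
    print(elect([master, backup]).ip)
    print(on_advertisement(backup, "backup", 0, master.ip))
    print(on_advertisement(master, "backup", 100, backup.ip))
```

The last call shows preemption: a recovered high-priority router ignores advertisements from the weaker master, lets its master-down timer expire and takes the role back.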

In order to ensure the security of the VRRP protocol, two kinds of security authentication measures are provided: plaintext authentication and IP header authentication. Plaintext authentication requires that a router joining a VRRP router group provide the same VRID and the same plaintext password; this avoids configuration errors in the LAN, but it cannot prevent the password from being obtained through network monitoring. IP header authentication provides higher security: it can prevent message replay and modification.
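As an added example (not part of the original article), the following audit helper parses a VRRPv2 advertisement payload, verifies its checksum, derives the virtual MAC and reports which authentication type is in use, without returning the password itself. The header layout and authentication type numbers are those of RFC 2338; the function names and the sample packet are constructed.

```python
import struct
from ipaddress import IPv4Address

# Authentication type field of the VRRPv2 header (RFC 2338 numbering).
AUTH_TYPES = {0: "none", 1: "plaintext password", 2: "IP header authentication"}

def checksum(data: bytes) -> int:
    """16-bit one's-complement checksum over the whole VRRP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def audit_advertisement(payload: bytes) -> dict:
    """Parse a VRRPv2 advertisement (IP payload only) and list audit findings."""
    if len(payload) < 16:
        raise ValueError("truncated VRRP message")
    ver_type, vrid, prio, count, auth, interval = struct.unpack("!6B", payload[:6])
    if ver_type != 0x21:                      # version 2, type 1 (advertisement)
        raise ValueError("not a VRRPv2 advertisement")
    if len(payload) != 8 + 4 * count + 8:     # header + addresses + auth data
        raise ValueError("length does not match address count")
    addrs = [str(IPv4Address(payload[8 + 4 * i:12 + 4 * i])) for i in range(count)]
    findings = []
    if checksum(payload) != 0:                # valid messages sum to zero
        findings.append("bad checksum")
    if auth == 1:
        findings.append("plaintext password visible to any host on the segment")
    elif auth == 0:
        findings.append("no authentication")
    if prio == 0:
        findings.append("priority 0: master is giving up its role")
    return {"vrid": vrid, "priority": prio, "addresses": addrs,
            "interval": interval, "auth": AUTH_TYPES.get(auth, "unknown"),
            "virtual_mac": f"00-00-5e-00-01-{vrid:02x}", "findings": findings}

def sample_advertisement(auth_type: int = 1) -> bytes:
    """Constructed sample: VRID 10, priority 100, virtual IP 10.100.10.1."""
    body = bytes([0x21, 10, 100, 1, auth_type, 1, 0, 0])
    body += IPv4Address("10.100.10.1").packed + b"example\x00"  # placeholder auth data
    return body[:6] + struct.pack("!H", checksum(body)) + body[8:]

if __name__ == "__main__":
    print(audit_advertisement(sample_advertisement()))
```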
