2025-01-17 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
Construction of small and medium-sized networks: a detailed explanation of the VRRP protocol
What is VRRP?
The Virtual Router Redundancy Protocol (VRRP) is a protocol proposed by the IETF to remove the single point of failure of a statically configured gateway in a LAN. The formal protocol standard, RFC 2338, was introduced in 1998. VRRP is widely used in edge networks. Its design goal is to let IP data traffic fail over in specific circumstances without disruption, to allow hosts to use a single router, and to maintain connectivity even if the actual first-hop router fails.
Advantages
VRRP has the following advantages:
Simplified network management. In a local area network (such as Ethernet) with multicast or broadcast capability, VRRP can still provide a highly reliable default link when a device fails. This avoids a network interruption after a single link failure, without changing configuration such as dynamic routing protocols, route discovery protocols, or the default gateway configured on the hosts.
Strong adaptability. VRRP messages are encapsulated in IP packets and support various upper-layer protocols.
Small network overhead. VRRP defines only one kind of message, the VRRP advertisement, and only routers in the Master state can send VRRP messages.
Brief introduction of Virtual Router
VRRP groups a set of routers in the local area network into a VRRP backup group, which is functionally equivalent to a single virtual router and is identified by a virtual router number. The rest of this article uses the term virtual router instead of VRRP backup group.
A virtual router has its own virtual IP address and virtual MAC address, and to other devices it looks exactly like an actual physical router. Hosts in the LAN set the IP address of the virtual router as their default gateway and communicate with external networks through the virtual router.
VRRP working process
The working process of VRRP is:
(1) The routers in the virtual router elect the Master according to priority. By sending gratuitous ARP messages, the Master router announces the virtual MAC address to the devices and hosts connected to it, and so takes over the task of forwarding packets.
(2) The Master router periodically sends VRRP messages to announce its configuration information (priority, etc.) and working status.
(3) If the Master router fails, the Backup routers in the virtual router elect a new Master according to priority.
(4) When the virtual router switches state, the Master role moves from one device to another. The new Master router simply sends a gratuitous ARP message carrying the virtual MAC address and virtual IP address of the virtual router, so that the ARP entries in the hosts and devices connected to it are updated. Hosts in the network are not aware that the Master router has moved to another device.
(5) When the priority of a Backup router is higher than that of the Master router, the operation mode of the Backup router (preemptive or non-preemptive) determines whether the Master is re-elected.
Thus, in order for the Master router and the Backup router to work together, VRRP needs to implement the following functions:
Authentication mode
VRRP provides three authentication methods:
No authentication: VRRP messages are not checked for legitimacy and there is no security guarantee.
Simple character authentication: in a network that may face security threats, the authentication method can be set to simple character authentication. The router that sends a VRRP message fills the authentication word into the message, and the router that receives it compares the authentication word in the received message with the locally configured authentication word. If they are the same, the received message is considered a legitimate VRRP message; otherwise it is considered illegal.
MD5 authentication: in a very insecure network, the authentication method can be set to MD5 authentication. The router that sends a VRRP message computes a keyed MD5 digest of the message using the authentication word, and the result is carried in the Authentication Header. The router that receives the message uses the authentication word to verify the digest and check the validity of the message.
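The receiver-side check for simple character authentication can be sketched as follows. This is an added example, not code from the original article or from any router vendor; it assumes the VRRPv2 advertisement layout of RFC 2338, the function names are hypothetical, and the sample key used with it is constructed.

```python
import hmac
import struct

AUTH_NONE, AUTH_SIMPLE, AUTH_AH = 0, 1, 2  # Auth Type values in RFC 2338


def inet_checksum(data: bytes) -> int:
    """16-bit one's complement checksum over the whole VRRP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_advert(vrid, priority, vips, auth_type=AUTH_NONE, key=b""):
    """Build a VRRPv2 advertisement to use as constructed test input."""
    body = struct.pack("!BBBBBBH", 0x21, vrid, priority, len(vips), auth_type, 1, 0)
    body += b"".join(bytes(map(int, ip.split("."))) for ip in vips)
    body += key.ljust(8, b"\x00")[:8]          # 8-byte Authentication Data
    return body[:6] + struct.pack("!H", inet_checksum(body)) + body[8:]


def validate_advert(pkt, vrid, local_auth, local_key=b""):
    """Return (accepted, reason) as a receiving router would decide."""
    if len(pkt) < 16:
        return False, "truncated"
    vt, p_vrid, prio, count, auth, _adv, _ck = struct.unpack("!BBBBBBH", pkt[:8])
    if vt != 0x21:                             # version 2, type 1 (advertisement)
        return False, "not a VRRPv2 advertisement"
    if len(pkt) != 8 + 4 * count + 8:
        return False, "bad length"
    if inet_checksum(pkt) != 0:                # a valid message sums to zero
        return False, "bad checksum"
    if p_vrid != vrid:
        return False, "other virtual router"
    if auth != local_auth:
        return False, "authentication type mismatch"
    if auth == AUTH_SIMPLE:
        expected = local_key.ljust(8, b"\x00")[:8]
        if not hmac.compare_digest(pkt[-8:], expected):
            return False, "authentication word mismatch"
    # Auth type 2 is verified in the IP Authentication Header, not modelled here.
    return True, f"accepted, priority {prio}"
```

With simple character authentication the authentication word travels unencrypted in the last 8 bytes of every advertisement, so it protects against misconfigured neighbours rather than against a device that can read traffic on the segment.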
Load sharing
Multiple virtual routers can be created on one interface of a router, so that the router can act as the Master router in one virtual router and as a Backup router in others.
Load sharing means that several routers carry traffic at the same time, so it requires two or more virtual routers. Each virtual router includes one Master router and several Backup routers, and the Master router of each virtual router can be a different device.
1. First, configure the hosts with IP addresses
2. Next, configure the switch ports as access links
3. Configure the two routers with IP addresses in the 192.168.10.0 network segment
4. On each router, configure the VRRP protocol
[Huawei-GigabitEthernet0/0/0] vrrp vrid 1 virtual-ip 192.168.10.254
1. Configure the hosts with IP addresses as before
2. Configure sw1 with the VLANs and link types
3. Configure the two layer 3 switches with the VLANs and link types
4. Configure the VLAN gateways on sw2 and sw3
5. On sw2 and sw3, configure VRRP on the VLAN interfaces and adjust the VRRP priority
sw2
[Huawei-Vlanif10] vrrp vrid 10 virtual-ip 192.168.10.254
[Huawei-Vlanif10] vrrp vrid 10 priority 200
[Huawei-Vlanif20] vrrp vrid 20 virtual-ip 192.168.20.254
sw3
[Huawei-Vlanif20] vrrp vrid 20 virtual-ip 192.168.20.254
[Huawei-Vlanif20] vrrp vrid 20 priority 200
[Huawei-Vlanif10] vrrp vrid 10 virtual-ip 192.168.10.254
Building on the experiment above, shut down port 0/0/2.
[Huawei-Vlanif10] vrrp vrid 10 track interface GigabitEthernet 0/0/2 reduced 150
Check whether tracking of port 0/0/2 works as expected.
Configure VRRP authentication:
[Huawei-Vlanif10] vrrp vrid 10 authentication-mode md5
As the figure above shows, when one switch is configured for authentication and the other is not, both switches consider themselves Master.
There are two authentication modes: plaintext and ciphertext.
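The behaviour seen in these experiments (priority election, the priority drop from interface tracking, and the double Master caused by an authentication mismatch) can be reproduced with a small model. This is an added example, not part of the original article or of Huawei's software; Router, converge() and vrid10() are hypothetical names, the default priority of 100 comes from the VRRP standard, and timers and tie-breaking are simplified.

```python
from dataclasses import dataclass

DEFAULT_PRIORITY = 100  # VRRP default when no "priority" is configured


@dataclass
class Router:
    name: str
    priority: int = DEFAULT_PRIORITY
    auth: str = "none"        # "none" or "md5:<key>"; must match to be heard
    reduced: int = 0          # N from "track interface ... reduced N"
    tracked_up: bool = True   # state of the tracked interface
    preempt: bool = True

    def effective(self) -> int:
        return self.priority if self.tracked_up else max(self.priority - self.reduced, 1)


def converge(routers, state=None, rounds=10):
    """Run advertisement rounds for one vrid until the states settle.
    Simplified: distinct priorities, all timers firing in lockstep."""
    state = dict(state or {r.name: "Backup" for r in routers})
    for _ in range(rounds):
        senders = [r for r in routers if state[r.name] == "Master"]
        new = {}
        for r in routers:
            # Advertisements with a different authentication setting are dropped.
            heard = [s.effective() for s in senders if s is not r and s.auth == r.auth]
            if state[r.name] == "Master":
                lost = any(p > r.effective() for p in heard)
                new[r.name] = "Backup" if lost else "Master"
            elif not heard or (r.preempt and max(heard) < r.effective()):
                new[r.name] = "Master"   # Master is silent, or we outrank it
            else:
                new[r.name] = "Backup"
        if new == state:
            break
        state = new
    return state


def vrid10(sw2_port_up=True, sw2_auth="none", sw3_preempt=True):
    """The article's vrid 10: sw2 priority 200 with tracking, sw3 default."""
    sw3 = Router("sw3", preempt=sw3_preempt)
    settled = converge([Router("sw2", 200, sw2_auth), sw3])  # before the port fails
    sw2 = Router("sw2", 200, sw2_auth, reduced=150, tracked_up=sw2_port_up)
    return converge([sw2, sw3], settled)
```

Calling vrid10(sw2_port_up=False) shows why the tracking command uses reduced 150: sw2 drops from 200 to 50, below sw3's default of 100, so sw3 takes over as Master.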