VRRP

VRRP stands for Virtual Router Redundancy Protocol. It is used to create a Virtual IP (VIP) address, which can then be used as the default gateway for network clients or as a next hop for a static route. VRRP is one of several First Hop Redundancy Protocols (FHRP) and is similar to Cisco HSRP.

The VIP address can move between VRRP routers, providing redundancy should one router fail.

Deployment Scenarios

There are two common deployment scenarios for VRRP:

Providing A Default Gateway

In this scenario, VRRP is used to provide a default gateway for network clients. That could be either workstations in an office environment, or servers in a data center.

It is common to set the VIP as the first address on the subnet, with the second and third addresses taken by the VRRP routers.

The network path between the routers and the clients may either be a single switch or two switches, as shown in the following diagrams.

In this situation, VRRP can protect against the following occurring on VRRP Router 1:

  • Complete failure of the device
  • Loss of the upstream interface (interface going into the down state)
  • Loss of a route table entry (loss of a routing neighbor)

Providing A Next Hop For A Static Route

The VIP address can also be used as the next hop for a static route. This is common when dynamic routing protocols aren’t being used. This is sometimes seen in front of a firewall cluster, where the firewall has a static default to the VRRP VIP.

In this case, the VRRP routers likely have a static route back towards the firewall cluster.

VRRP Terms

Before we get into the details of how VRRP works, we need to define a few terms.

VRRP Master: The VRRP Router that is responsible for forwarding traffic.

VRRP Backup: One or more VRRP routers that will take over forwarding traffic if the VRRP Master should fail. They will also take over if they have a higher priority and preemption is enabled.

VIP: The Virtual IP Address that moves between VRRP routers. Typically set as the default gateway for network clients.

VIP MAC: The MAC address associated with the VIP address. This is based on the VRRP Group number. The MAC address is 00:00:5e:00:01:<Group Number> where the Group number is in hex. The VIP MAC for VRRP group 50 for example is 00:00:5e:00:01:32.

Advertisement Interval: A timer for how frequently a router in the VRRP Master state will send VRRP advertisements.

Dead Time: How long a VRRP backup will go without seeing a VRRP advertisement from the master before taking over the master role. This is calculated based on the advertisement interval and the threshold.

Threshold: Contributes to calculating the Dead Time on VRRP Backup routers.

Priority: All VRRP routers have a priority value. During a VRRP election, the highest priority wins.

Accept-Data: By default, the VRRP Master will not respond to traffic destined to the VIP address itself, including pings. Configuring accept-data allows it to respond to that traffic.

Pre-Emption: Enabled by default, pre-emption causes the VRRP router with the highest priority to take the master state. This can occur should the VRRP Master reduce its priority.

Tracking: VRRP routers can track interfaces and routes. This tracking can dynamically reduce the router’s priority value. When combined with pre-emption this allows another VRRP Router to take over the mastership.

Authentication: VRRP can use authentication, which can be set to none, simple (plain text), or md5.

VRRP Operation

Start Up

When VRRP routers start up, they will issue an IGMP join for the VRRP multicast group.

If they have not already received a VRRP packet they will transition to master state, send a gratuitous ARP for the VIP MAC address, and start sending VRRP advertisements.

If they have received a VRRP packet, they will either ignore it if it has a lower priority or transition to backup if it has a better priority and pre-emption is enabled.

When transitioning to the VRRP master state, the VRRP router will send a gratuitous ARP, and start sending VRRP advertisements.

It is important to note that only a router in the VRRP master state will send advertisements; the backup routers only listen.

In the following portion of the capture we can see more details about what is advertised.

Deadtime Expiry

The backup VRRP routers keep a deadtime timer. If this expires without receiving a VRRP advertisement from the current master, then the backup router will transition to the master state.

When the backup transitions to master it will start sending VRRP advertisements and send a gratuitous ARP.

Notice the delay between packets 17 and 18. That is where the dead timer is counting down before the backup VRRP router takes over. Prior to that the advertisements were at around 1 second intervals.

Priority Change

When pre-emption is enabled, the VRRP backup router will take over if its priority is greater than that of the current VRRP master. This can happen when the VRRP master changes its priority value due to tracking an interface or route.

When this happens the VRRP backup router will transition to master, start sending advertisements, and send a gratuitous ARP.

In the above capture, you can see that 172.16.50.3 is taking over the mastership. If we look at details for packets 9 and 10 you will see a decrease in priority from 120 to 90.

VRRP Tracking

A VRRP router can be configured to track an interface or route. If the route is removed from the routing table, or the interface goes down, it will dynamically reduce its priority value.

Typically, tracking is only configured on the router which is normally the master.

Tracking protects against a situation where a router remains up and functional but loses its upstream interface or a routing neighbor. In this case, you may want VRRP to failover to the other router which presumably still has another connection or route available.

Using tracking to reduce the priority of a router that is already in the backup state would not achieve anything of value.

VRRP Authentication

VRRP can authenticate packets using simple (clear text) or md5 passwords. This may not provide much additional security though. It does not prevent another device from claiming to be the gateway.

It only prevents another device from trying to participate in the VRRP group you have configured.

What Happens When More Than One Router Thinks They Are VRRP Master

This can happen for many reasons, most typically a configuration mismatch between the VRRP devices.

Both will think they are the master for the VRRP group and send VRRP advertisements.

Because the two VRRP routers are not transitioning between master and backup states (both are acting as master and ignoring the VRRP advertisements the other is sending), they are not sending gratuitous ARP messages. This means that the VIP MAC address is not rapidly moving between ports. Because of this, the impact of more than one VRRP master may not be as bad as you might think.

It is still not ideal and should be fixed as soon as possible.
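
A passive monitor can catch both conditions discussed above: a device outside the configured routers sending advertisements, and two routers advertising as master at once. The following is an added example, not code from the original page. It parses VRRPv2 advertisements using the RFC 3768 packet layout and flags unexpected or interleaved advertisers per group. The router address 172.16.50.2, the VIP 172.16.50.1, the new master's priority of 100 and all function names are assumptions made for the constructed sample.

```python
import struct
from ipaddress import IPv4Address

def inet_checksum(data: bytes) -> int:
    """16-bit one's-complement checksum (RFC 1071); 0 over a valid packet."""
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_advert(vrid, priority, vip, auth_type=0, interval=1):
    """Build a constructed VRRPv2 advertisement carrying one VIP."""
    hdr = struct.pack("!BBBBBB", 0x21, vrid, priority, 1, auth_type, interval)
    tail = IPv4Address(vip).packed + b"\x00" * 8  # VIP + 8 bytes of auth data
    csum = inet_checksum(hdr + b"\x00\x00" + tail)
    return hdr + struct.pack("!H", csum) + tail

def parse_advert(payload: bytes) -> dict:
    """Parse a VRRPv2 advertisement; raise ValueError if it is malformed."""
    if len(payload) < 16 or payload[0] != 0x21:  # 0x21 = version 2, type 1
        raise ValueError("not a VRRPv2 advertisement")
    _, vrid, prio, count, auth, interval = payload[:6]
    if len(payload) != 16 + 4 * count or inet_checksum(payload) != 0:
        raise ValueError("bad address count or checksum")
    vips = [str(IPv4Address(payload[8 + 4 * i:12 + 4 * i])) for i in range(count)]
    return {"vrid": vrid, "priority": prio, "auth_type": auth, "vips": vips,
            "interval": interval, "vip_mac": f"00:00:5e:00:01:{vrid:02x}"}

def find_alerts(packets, expected):
    """packets: (src_ip, payload) in capture order; expected: {vrid: {router IPs}}."""
    alerts, order = [], {}
    for src, payload in packets:
        vrid = parse_advert(payload)["vrid"]
        seen = order.setdefault(vrid, [])  # advertisers, consecutive repeats merged
        alert = None
        if src not in expected.get(vrid, set()):
            alert = ("unexpected-advertiser", vrid, src)
        elif src in seen[:-1] and seen[-1] != src:  # A, B, A; failover is A..A, B..B
            alert = ("interleaved-masters", vrid, src)
        if alert and alert not in alerts:
            alerts.append(alert)
        if not seen or seen[-1] != src:
            seen.append(src)
    return alerts

# Constructed sample: group 50, assumed VIP 172.16.50.1, routers .2 and .3.
R2, R3, VIP = "172.16.50.2", "172.16.50.3", "172.16.50.1"
FAILOVER = [(ip, build_advert(50, p, VIP)) for ip, p in ((R2, 120), (R2, 90), (R3, 100))]
DUAL = FAILOVER + [(R2, build_advert(50, 90, VIP))]  # old master keeps advertising
```

Because alerts are keyed by group number, several VRRP groups sharing one VLAN are tracked independently.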

Can I Have More Than One VRRP Group On A Subnet or VLAN

Yes, absolutely. This can be another common scenario.

Have a look at the diagram below. VRRP Routers 1 through 4 are all on the same VLAN and are addressed in the same subnet. Routers 1 and 2 can use the first address as their VIP and use one VRRP group number. Routers 3 and 4 can be configured to use the last address for their VIP, for example, and use a different VRRP group number.

As long as both pairs of routers use a different group number this will work fine. They will all see each other’s VRRP traffic, but if they are configured correctly that will not be an issue.

What Next

Now that you know the basics of VRRP, you should read how to configure VRRP on Junos or troubleshoot VRRP on Junos.
