White Paper

Virtual Router Redundancy Protocol (VRRP)
The Virtual Router Redundancy Protocol (VRRP) transfers the responsibility of routing from one router to another if the original router goes down. This white paper discusses how VRRP works. It first gives a general introduction to VRRP, then discusses in detail how it works, illustrated with examples. Finally, there is information on how to configure VRRP on a Passport* routing switch.

Introduction to VRRP
VRRP transfers the responsibility of routing from one router to another if the original router goes down. In other words, it provides backup for a router connecting a network to the outside world.

Routers are smart machines that are capable of making routing decisions (assuming that some type of dynamic routing is enabled) if there are any changes in the topology. On the other hand, hosts cannot make routing decisions on their own, even if there are such changes.


Hosts have a default gateway router configured, and that router is the connection between them and the outside world. Hosts on one network can communicate with hosts on any other network, provided there is a route between them. Everything seems to work well as long as the default gateway for the hosts on the LAN is up and running. But what happens if the default gateway goes down? All hosts that have this router configured as the default gateway lose connectivity to the outside world.

There is a possibility that there is another router that has a connection to this LAN and to the rest of the network. Can this working router take the responsibilities of the router that went down? It can, but only if you change the default gateway on the hosts. When a host needs to communicate with a host on a different LAN, it sends the information to the default gateway IP address. If that address is down, then the connection is lost. To transfer the responsibilities of this router to the working router, you need to point the traffic to the IP address of the working router. This means that you need to change the default gateway on the hosts, and the connection will be resumed. You need to keep in mind that it will take a long time to reconfigure the default gateway on a large number of hosts.

VRRP provides a solution for a situation like this one. Assume, for example, that there are two Passport routing switches: A and B. Once VRRP is enabled on these Passport switches, they go through the process of deciding who will be the master. First, both the Passport routing switches will look at the virtual router's IP address, and the one that owns it becomes the master. Thus, if the network administrator wants A to be the master, one way to accomplish this is to define the virtual router's IP address to be the same as the IP address owned by Passport A. If the virtual router's IP address is not owned by any of the VRRP routing switches, then the routing switches compare their priorities and the higher priority owner becomes the master. If the priorities are identical, then the higher IP address wins.

For example, assume that A becomes the master. In this case, B becomes the backup routing switch and waits to hear advertisements from A, which confirm that A is alive. If routing switch A goes down, its responsibilities are transferred to routing switch B, without making any change on the hosts. In case A comes up, the responsibility of the master goes back to A. Thus, with VRRP enabled on your Passport routing switches, you can transfer the responsibility of routing from one routing switch to the other without making any changes to the host configuration.

Detailed description of VRRP
An example of VRRP is presented, including the VRRP packet formation and its contents. There are different cases where VRRP routers go through the process of deciding their roles as masters and backups.

Figure 1: How VRRP works on a LAN.

See Figure 1. This is a LAN with an IP address of 200.1.1.0/24. There are multiple hosts on this LAN and the LAN is connected to two Passport routing switches, RS1 and RS2. These Passport routing switches connect to router R, which allows them to go to the Internet. It is up to the network manager to decide which one of these two routing switches should be the default gateway for these hosts. In other words, which route should be taken up by the traffic going out of the LAN? (How the traffic should flow out of that LAN would depend on many factors, but that is beyond the scope of this discussion). Assume that in this case the network manager decides that RS1 will be the default gateway for the hosts on LAN 200.1.1.0/24. Thus, all the hosts on LAN 200.1.1.0/24 have RS1 configured as the default gateway. Once RS1 is configured for VRRP, it looks at the IP address of the virtual router and compares it with the IP addresses of its own interface that is configured for VRRP. As routing switch 1 owns the virtual router's IP address, it declares itself the master and sends out an advertisement to all the other VRRP routers.

[Figure 1 labels: Host A 200.1.1.12/24, Host B 200.1.1.11/24, Host C 200.1.1.10/24; Routing Switch 1 200.1.1.1/24 (Master); Routing Switch 2 200.1.1.2/24 (Backup); Router R; Internet.]


It is not necessary for the virtual IP address to be owned by one of the routing switches connecting the LAN to the outside world. The routing switches can back up a different virtual router's IP address as well. In this case, however, the process of deciding which is the master is different. As mentioned earlier, this process involves comparing two things. First, the priority; the higher priority wins. If the priority is the same, then the higher IP address wins. In the previous example, we assumed that the network administrator decided to configure the IP address of the interface of routing switch 1 as the virtual router's IP address. This way, when routing switch 1 looks at the virtual router's IP address, it realizes that it is the owner of this address, and declares itself as the master. If neither of the two owns the virtual router's IP address, then they compare the priorities, and if the priorities are the same, then the IP addresses are compared.

Here, you need to stop and analyze what the VRRP advertisement packet looks like before proceeding any further. VRRP packets are sent encapsulated in IP packets. Figure 2 shows what the packet's IP header, combined with the packet itself, looks like, and what its components are.

Figure 2: Contents of a VRRP Packet.

Bit positions marked on the figure: 0, 4, 8, 16, 18, 24, 31

IP header rows:
VERS | HLEN | SERVICE TYPE | TOTAL LENGTH
IDENTIFICATION | FLAGS | FRAGMENT OFFSET
TIME TO LIVE | PROTOCOL | HEADER CHECKSUM
SOURCE IP ADDRESS
DESTINATION IP ADDRESS
IP OPTIONS ONLY | PADDING

VRRP packet rows:
VERS | TYPE | VRID | PRIORITY | Count IP Addresses
AUTH TYPE | Advertisement Interval | CHECKSUM
IP ADDRESS (1)
:
IP ADDRESS (n)
AUTHENTICATION DATA (1)
AUTHENTICATION DATA (2)

VRRP Packet Format
The important fields in the IP header (in terms of VRRP) are explained below.

Source IP Address: This is a 32-bit field. The source address is the primary IP address of the interface from which the packet is being sent. This is the IP address of the master router's interface connected to the LAN.

Destination IP Address: This is a 32-bit field. It is the IP multicast address assigned by the IANA for VRRP. This multicast IP address is 224.0.0.18. All the routers running VRRP receive this multicast.

Time To Live (TTL): This is an 8-bit field; the value in this field must be equal to 255. Any VRRP packet received with TTL not equal to 255 is discarded.
Note: The router does not forward a datagram with VRRP multicast destination address, regardless of its TTL.

Protocol: This is an 8-bit field that specifies the protocol being used. The IP protocol number assigned by IANA for VRRP is 112.

The following fields are in the VRRP packet:

Version (VERS): This is a 4-bit field that specifies the VRRP version. The version that is available is 2.

Type: This is a 4-bit field that specifies the type of VRRP packet. The only type is ADVERTISEMENT.

Virtual Router Identifier (VRID): Identifies the virtual router for which this packet is reporting status.

Priority: This 8-bit field specifies the sending VRRP router's priority for the virtual router. A higher value means a higher priority. The priority value of the VRRP router that owns the IP address associated with the virtual router must be 255. The default priority value is 100, but you can assign any value between 1 and 254. A priority of 0 is a special value that specifies the master has stopped working, and the backup router needs to transition to master state.

Count IP Address: This 8-bit field specifies the number of IP addresses contained in this VRRP advertisement.

Authentication Type: This 8-bit field specifies the authentication type being used. The only option available in Passport routing switches is no authentication.

Advertisement Interval: This 8-bit field specifies the time interval between advertisements sent from the master, to let the backup router know that it is alive. It is important that all routers with the same VRID should have the same advertisement interval.

Checksum: This 16-bit field is used to detect data corruption in the VRRP message.

IP Address(es): This is a 32-bit field. The IP address is the virtual router's IP address that the master is backing up.
Note: At this point there is only one IP address per advertisement that the Passport switch sends out if it has VRRP activated.

Authentication Data: The authentication string is not utilized in Passport VRRP routing, as there is no VRRP authentication as yet.
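Because the advertisement carries no authentication, a receiver or a monitoring tool can only validate the header fields described above and compare the sender with the routers it expects. The Python below is an added example, not code from this white paper or from Passport software: `build_advert`, `check_advert` and the `ROUTERS` allow-list are hypothetical names, the packets are constructed, and the ADVERTISEMENT type value 1, authentication type 0 and the one's-complement checksum are taken from the VRRP version 2 specification rather than from this page.

```python
import ipaddress
import struct

VRRP_PROTO = 112                                  # IP protocol number for VRRP
VRRP_GROUP = ipaddress.IPv4Address("224.0.0.18")  # VRRP multicast address


def inet_checksum(data):
    """16-bit one's-complement checksum; returns 0 over an intact message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_advert(src, vrid, priority, adver_int, vips, ttl=255):
    """Build a constructed IPv4 + VRRPv2 advertisement to feed the checker."""
    body = struct.pack("!BBBBBBH", (2 << 4) | 1, vrid, priority,
                       len(vips), 0, adver_int, 0)
    body += b"".join(ipaddress.IPv4Address(v).packed for v in vips) + bytes(8)
    body = body[:6] + struct.pack("!H", inet_checksum(body)) + body[8:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(body), 0, 0, ttl,
                     VRRP_PROTO, 0, ipaddress.IPv4Address(src).packed,
                     VRRP_GROUP.packed)
    return ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:] + body


def check_advert(packet, vrid, adver_int, expected):
    """Parse one raw IPv4 packet and return (fields, findings).

    expected: hypothetical allow-list mapping each legitimate router's
    source IP to its configured priority for this VRID.
    """
    if len(packet) < 20:
        return None, ["TRUNCATED: short IP header"]
    (ver_ihl, _tos, total_len, _ident, _frag, ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or proto != VRRP_PROTO:
        return None, ["SKIP: not an IPv4 VRRP packet"]
    body = packet[ihl:total_len]
    if len(body) < 16:
        return None, ["TRUNCATED: short VRRP message"]
    vers_type, pkt_vrid, prio, count, auth, interval = struct.unpack(
        "!6B", body[:6])
    if len(body) < 8 + 4 * count + 8:
        return None, ["TRUNCATED: address count exceeds message length"]
    src, dst = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    fields = {
        "src": str(src), "vrid": pkt_vrid, "priority": prio,
        "adver_int": interval,
        "vips": [str(ipaddress.IPv4Address(body[8 + 4 * i:12 + 4 * i]))
                 for i in range(count)],
    }
    findings = []
    if ttl != 255:
        findings.append(f"TTL: {ttl}, must be 255 (discard)")
    if dst != VRRP_GROUP:
        findings.append(f"DST: {dst} is not {VRRP_GROUP}")
    if vers_type != (2 << 4) | 1:
        findings.append("VERSION: not a version 2 ADVERTISEMENT")
    if inet_checksum(body) != 0:
        findings.append("CHECKSUM: VRRP message is corrupt")
    if auth != 0:
        findings.append(f"AUTH: unexpected authentication type {auth}")
    if pkt_vrid != vrid:
        findings.append(f"VRID: {pkt_vrid} is not the local VRID {vrid} (drop)")
    elif interval != adver_int:
        findings.append(f"INTERVAL: {interval}s differs from local {adver_int}s")
    want = expected.get(str(src))
    if want is None:
        findings.append(f"SOURCE: {src} is not a known VRRP router")
    elif prio not in (0, want):  # priority 0 is the legitimate step-down signal
        findings.append(f"PRIORITY: {prio} from {src}, configured {want}")
    return fields, findings


# Constructed allow-list for the Figure 1 LAN: RS1 owns 200.1.1.1.
ROUTERS = {"200.1.1.1": 255, "200.1.1.2": 100}

if __name__ == "__main__":
    samples = {
        "RS1 master": build_advert("200.1.1.1", 1, 255, 1, ["200.1.1.1"]),
        "TTL 254": build_advert("200.1.1.1", 1, 255, 1, ["200.1.1.1"], ttl=254),
        "unknown sender": build_advert("200.1.1.99", 1, 255, 1, ["200.1.1.1"]),
    }
    for label, pkt in samples.items():
        print(label, check_advert(pkt, vrid=1, adver_int=1, expected=ROUTERS)[1])
```

A source address that is absent from the allow-list, or a known router advertising a priority it was never configured with, is the signal worth alerting on, since either one can move the virtual router to another device.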


The next topic to address is how the master becomes the master, and under what conditions a backup routing switch will take over the role of the master. Returning to the example, the master sends out an advertisement with the destination address as the multicast IP address, declaring itself the master. As mentioned earlier, the multicast group has the IP address 224.0.0.18, and the Passport routing switches that have VRRP running will receive this multicast packet. Passport switches with the same VRID will accept the packet, and the others will drop it. The MAC address associated with 224.0.0.18 is 01-00-5e-00-00-12, so all the packets for multicast IP are sent to this MAC address.

Once the Passport routing switches receive this multicast, they will stay in backup state and monitor advertisements from the master to ensure that the master is functioning. The backup routing switch has Master_Advertisement_Timer, which starts after it receives an advertisement. This timer helps the backup routing switches to calculate if the master has gone down; if so, it declares itself as the master. The master, on the other hand, has its own timer, called Advertisement_Timer, that starts after the Advertisement is sent out. Once the timer reaches the Advertisement_Interval, it sends another Advertisement. The Advertisement_Interval is one second by default, but is configurable. If the backup Passport routing switches do not receive the Advertisement before the Master_Down_Interval times out, it declares itself to be the master. The Master_Down_Interval is calculated as follows:
Master_Down_Interval = (3 * Advertisement_Interval) + Skew_time
Skew_time = (256 – Priority) / 256

Relating this case to the original example, let us assume that RS1 goes down for some reason. The Advertisement_Interval is set to 3 seconds. How long will it take for RS2 to take over as the master? This can be determined from the formula:
Master_Down_Interval = (3 * Advertisement_Interval) + Skew_time
Skew_time = (256 – Priority) / 256

So the skew time is:
Skew_time = (256 – 100) / 256 = 156/256
Master_Down_Interval = (3 * 3) + 156/256 = (9 + 156/256) s

The backup will give the master little more than 9 seconds, which gives the master three chances to send an advertisement, before it takes over. After (9 + 156/256) seconds, RS2 declares itself to be the master.

From the above information, you can see that the master gets three chances to send an advertisement before the backup takes over as a master. This means that VRRP (by default) will converge in 3 seconds. Following are the three situations where a backup router takes over as master:

Case 1: The master goes down due to a problem. The main thing to realize here is that the master routing switch interface just dies. In a case like this, the backup routing switches will wait until the Master_Down_Timer times out, and then will take over as the master.

Case 2: This is a situation where the network manager either shuts down the interface connecting to the LAN, or turns off VRRP on the master routing switch. In a case like this, the master sends out an advertisement with priority equal to 0. This is a message for the backup routing switches: one needs to take up the role of the master, and not wait until the Master_Down_Timer times out. In this case, VRRP is turned off on RS1. Therefore, RS1 sends an advertisement to the multicast address with the priority equal to 0. This informs the backup routing switches that the master has gone down, and one of the backup RS needs to take over as the master. In this example, it would be RS2 that becomes the new master, and sends out an advertisement to the multicast address declaring itself as the master.

Now, consider a slightly different scenario. What if there is more than one backup routing switch? See Figure 3.

Figure 3: A Configuration with More than One Backup Routing Switch.

[Figure 3 labels: Host A 200.1.1.12/24, Host B 200.1.1.11/24, Host C 200.1.1.13/24; Routing Switch 1 200.1.1.1/24 (Master); Routing Switch 2 200.1.1.2 (Backup); Routing Switch 3 200.1.1.10/24 (Backup); Router R; Internet.]


In this case, there are two backup Passport routing switches, with IP addresses 200.1.1.2/24 and 200.1.1.10/24. The master determination (when the original master is alive) is done in the same way as mentioned earlier. The difference is that now there are two backup routers, RS2 and RS3. When the master routing switch RS1 goes down, the Master_Down_Timers of the backup routing switches time out, and they declare themselves as master. Both RS2 and RS3 send out advertisements to the multicast address assuming that they are the masters. But there can be only one master. To determine who will be the master, both Passport routing switches compare their priorities; the routing switch with the higher priority becomes master. If the priorities are the same, then the higher IP address (RS3 in this case) becomes the master routing switch. Because the IP addresses have to be different, there cannot be a problem in determining the master; one IP address is going to be greater than the other.

If the original master routing switch, RS1, comes up again, it sends out an advertisement with priority equal to 255. When the virtual master routing switch looks at this advertisement, it compares the priority with its own. Since its own priority is lower than 255, it goes back to the backup state. In this example, RS1's priority takes precedence over RS3's priority; RS3 thus goes back to the backup state.
Case 3: There can be another case where the connection between the host and the first hop router may be good, but that might not be the only critical connection between the two networks. For instance, it is possible that the connection between the first hop and the second hop is also very important. If that connection goes down, the master routing switch is not able to perform its function properly. In a case like this, the IP address of the interface that connects the first hop to the second hop is called the critical IP address. If the critical IP address goes down, it does not affect the connection between the hosts, and the master and the hosts keep on forwarding traffic to this particular routing switch (as it is the master). This adds an extra hop between the source and the destination because the master forwards the traffic to the backup routing switch that has a route to the destination. In a case like this, you can configure the VRRP RS with the critical IP address that tells the VRRP router to give up its master status if the interface that owns the critical IP address goes down (see Figure 4).

Figure 4: The Connections between the Routers are Not the Only Critical Connections.

[Figure 4 labels: Host A 200.1.1.12/24, Host B 200.1.1.11/24, Host C 200.1.1.13/24; Routing Switch 1 200.1.1.1/24 (Master), Critical IP Address 206.1.1.1/24; Routing Switch 2 200.1.1.2/24 (Backup); Routing Switch 3; Router R; Internet.]

In this example, assume that the master is RS1. RS1 connects to R, and R forwards the traffic to the Internet. If the connection between RS1 and R is lost, the hosts on network 200.1.1.0/24 will lose the route to the Internet through RS1. RS1 sends the traffic to RS2, as that is the other route RS1 has in its routing table. This adds an extra hop for the traffic going to the Internet, as the traffic first goes to RS1 and then to RS2. The way around this is to define a critical IP address on the VRRP routers (206.1.1.1/24 in this case); if that IP address goes down, the master routing switch steps down from its position. It declares that another routing switch needs to take up the role of the master by sending out an advertisement with the priority equal to 0. In this case, you can see that the backup routing switch becomes the master routing switch. If the master does not own the virtual router's IP address, then the advertisements it sends out have its original priority (and not 255). This way, when the original master comes back up, it (assuming it was the owner of the virtual router IP address) sends out an advertisement with a priority of 255. When the acting or virtual master receives this high priority advertisement it goes back to the backup state. When routing switch A's critical connection comes up again, routing switch B reverts to backup mode.


From the Perspective of the Host
All the decisions regarding who is going to be the master for a particular LAN are made on the routing switches. The host is oblivious to the whole process. When a host must send a message to some host on a different LAN connected by the VRRP routers, it sends an ARP request for the MAC address of the default gateway. Normally, when a host "ARPs for" (resolves) the MAC address, the routing switch replies with its own physical address. But when VRRP is deployed, the master replies with a virtual MAC address instead of its actual MAC address. The benefit of this virtual MAC address is that when the master goes down and a backup routing switch becomes the master, it does not make any difference to the host because it uses the same MAC address. The virtual MAC address belongs to the virtual IP address, which belongs to the master for that VRID.

For instance, see Figure 5. Host A wants to send a message to Host D. In this case, RS1 is acting as the master, and RS2 is the backup. Host A will ARP for the MAC address of the default gateway whose IP address is 200.1.1.1/24. In return, RS1 replies with the virtual router's MAC address (which is 00-00-5E-00-01-<VRID>). Then, the host sends the packets to this MAC address. This is how the message is routed out of the LAN. If RS1 goes down, and RS2 takes over as the virtual master, all forwarding and ARP tasks are performed by RS2. Therefore, when host A sends an ARP for the MAC address of the default gateway, RS2 replies to that with the virtual router's MAC address (00-00-5E-00-01-<VRID>).

Another scenario is that the host already had an ARP table and knows that if it needs to send any information to the 200.1.1.1/24 IP address (which is its default gateway), it will send it to the 00-00-5E-00-01-<VRID> MAC address. So, it sends it to the virtual router's MAC address, and the information flows via RS2 instead of RS1. For the host, it is all the same. But if the routing switches were to reply to ARPs with their physical addresses, then the situation would be totally different.

Load Sharing
Referring to Figure 1 in our initial example, the master is the one that is forwarding all the traffic. The other routing switch is just sitting there as a backup. To utilize the bandwidth efficiently, we can create two different VRIDs, such that half of the traffic goes through RS1 and the other half goes through RS2. To do this, we configure RS1 to be the default gateway for a certain number of hosts, and RS2 for the rest of them. In Figure 6, RS1 is the default gateway for the three hosts at the top, and RS2 is the default gateway for the three hosts at the bottom. There are two VRIDs: 1 and 2. RS1 (with VRID 1) is the master for hosts A, B and C, and backup for hosts D, E and F. On the other hand, RS2 (with VRID 2) is the master for hosts D, E and F, and the backup for A, B and C. This way, the traffic going out of the LAN 200.1.1.0/24 is shared between the two routing switches, thus efficiently utilizing the routing switches and bandwidth.

Figure 5: The Benefits of Using a Virtual MAC Address.

[Figure 5 labels: Host A 200.1.1.12/24, Host B 200.1.1.11/24, Host C 200.1.1.10/24; Routing Switch 1 200.1.1.1/24 (Master); Routing Switch 2 200.1.1.2/24 (Backup); Router R; Host D.]


Critical IP address
Depending on your topology, you can also define a critical IP address in the configuration of the VRRP router. The critical IP address is the address of an interface link that affects the performance of the master routing switch, if this link goes down. If the interface that owns the critical IP address goes down, the routing switch steps down from being the master, and sends out an advertisement with priority equal to 0. If we do not define the critical IP address, the master remains as master, and (depending on the topology) that might not be the best path anymore. This is explained in an example related to Figure 6. You can also define critical IP addresses on the backup routing switches. In case the master goes down, one of the backup routing switches takes its place. If the critical IP address of the backup is down, it does not declare itself as the master. You can only define one critical IP address on one Passport routing switch.

How Proxy ARP Works with VRRP
A Passport routing switch running proxy ARP allows the hosts on different networks to communicate with each other as if they were on the same network. The routing switch or gateway keeps routing tables with information on the subnets on both sides. When one host sends an ARP for the IP address owned by a host that belongs to a subnet on the other side of the routing switch, the routing switch replies with its own interface MAC address. It then forwards the packet to the destination host. With VRRP enabled, when the master receives an ARP request, it replies with the virtual router's MAC address and not the actual physical address; thus, when the responsibilities of master are switched to a different routing switch, the MAC address is the same.

A Brief Description of the Different Stages of VRRP Routers
With the understanding of how VRRP works, we can summarize the different stages through which a VRRP router goes. There are three different stages a VRRP router goes through:
• Initialize
• Backup
• Master

Initialize: When VRRP is enabled, the first stage the routing switch goes through is the initialization stage. This involves the following steps:

The routing switch looks at the virtual IP address and determines if it is the master. If it owns that address, it realizes it is the master, and that its priority is equal to 255. If P is equal to 255, then the VRRP router:
• Sends an ADVERTISEMENT declaring itself as the master
• Broadcasts a gratuitous ARP with the virtual router MAC address (00-00-5E-00-01-<VRID>) to all the IP addresses associated to the virtual router's IP address
• Starts the advertisement timer
• Transitions to a master state

If the priority is between 0 and 255, then the VRRP router:
• Starts the Master_Down_Timer
• Transitions to a backup state

Figure 6: R1 is the Gateway for Hosts A – C, and R2 is the Gateway for Hosts D – F.

[Figure 6 labels: Hosts A, B and C, default gateway on network is 200.1.1.1/24; Routing Switch 1 200.1.1.1/24 (Master – VRID 1, Backup – VRID 2); Hosts D, E and F, default gateway on network is 200.1.1.2/24; Routing Switch 2 200.1.1.2/24 (Backup – VRID 1, Master – VRID 2); Router R; Internet.]


The Backup State
In the backup state, the VRRP router monitors the master routing switch to confirm that it is alive. While it does that, it has the following responsibilities:
• Must not respond to ARP requests or accept packets for the IP address(es) associated with the virtual router
• Must discard packets destined for the virtual router's MAC address
• Start the Master_Down_Timer and set the Master_Down_Interval

If an advertisement is received that has P equal to 0, or if the Master_Down_Interval times out, then the VRRP router:
• Sends an advertisement declaring itself as the master
• Broadcasts a gratuitous ARP with the virtual router's MAC address (00-00-5E-00-01-<VRID>) to all the IP addresses associated with the virtual router's IP
• Starts the advertisement timer
• Transitions to master state

If an advertisement is received that has a higher priority, or a higher IP address (if the priority is the same), then the VRRP router goes back to the backup state. If an advertisement is received that has a lower priority, or a lower IP address if the priority is the same, then the VRRP router discards the advertisement and stays in the master state.

The Master State
In the master state, the VRRP router must:
• Respond to ARP requests, or accept packets for the IP address or addresses associated with the virtual router
• Not accept packets addressed to the IP address associated with the virtual router if it is not the owner of the IP address
• Forward packets destined for the virtual router's MAC address

If a shut down event is received, then the VRRP router sends out an advertisement with 0 priority. If an advertisement with a greater priority or higher IP address (if the priority is the same) is received by the virtual master, it goes through the following process:
• Transition to backup state
• Cancel advertisement timer
• Start the Master_Down_Timer

If an advertisement is received with the priority lower than local priority, or with a lower IP address if the priority is the same, then the VRRP router discards the advertisement.

Configuring VRRP on Passport
Following are the command line interface (CLI) commands you use to configure VRRP:
ethernet <ports> ip vrrp <vrid> address <ipaddr>
ethernet <ports> ip vrrp <vrid> adver-int <seconds>
ethernet <ports> ip vrrp <vrid> critical-ip <ipaddr>
ethernet <ports> ip vrrp <vrid> delete
ethernet <ports> ip vrrp <vrid> disable
ethernet <ports> ip vrrp <vrid> enable
ethernet <ports> ip vrrp <vrid> priority <prio>

First, to get into the configuration context, type the following command:
# config

After you are in the configuration context, you can configure any isolated routing switch port for VRRP. As a network administrator, you need to decide what VRID to assign to the interfaces of the VRRP router. By default, the advertisement interval is one second, but you can configure it differently if you want. The important thing is that the advertisement interval for all the routing switches should be the same on the same VRID. If it is different, then it could cause disruptions in the network, which could cause problems.

For example, assume routing switch 1 is the master and routing switch 2 is the backup. Assume the Advertisement_Interval on routing switch 1 is 10s and on routing switch 2 is 1s. Since routing switch 1's Advertisement_Interval is 10s, it will send an advertisement after 10s. But as routing switch 2 and routing switch 3's Advertisement_Interval is 1s, after (3S+Skew_Time) it declares itself as a master and sends an advertisement out. Routing switch 1 discards the advertisement, as it has the higher priority. We now have two virtual routers, and duplication might occur. When routing switch 1 sends out its advertisement after 10s, routing switch 2 steps down, as 1 has a higher priority. But the whole process starts again after (3S+Skew_Time) seconds. Therefore, it is important to configure the same Advertisement_Interval on all the VRRP routers with the same VRID.
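The Initialize, Backup and Master stages, the three takeover cases and the mismatched Advertisement_Interval problem can all be replayed with a small event simulation. This Python is an added example, not code from the white paper or from Passport software: `Router`, `simulate` and the "up", "fail" and "shutdown" events are hypothetical names, the runs are constructed, and it assumes that timers expiring at the same instant all fire before any advertisement is processed, which reproduces the paper's description of two backups both declaring themselves master.

```python
import ipaddress


class Router:
    def __init__(self, name, ip, priority=100, adver_int=1, owner=False):
        self.name, self.ip = name, ipaddress.IPv4Address(ip)
        self.priority = 255 if owner else priority  # the address owner uses 255
        self.adver_int, self.state, self.deadline = adver_int, "down", None

    def master_down_interval(self):
        # Master_Down_Interval = (3 * Advertisement_Interval) + Skew_time
        return 3 * self.adver_int + (256 - self.priority) / 256


def simulate(routers, events, until):
    """Run the VRRP state machine and return a log of (time, router, state).

    events: list of (time, action, router_name); action is "up", "fail"
    (the interface dies silently) or "shutdown" (priority 0 is sent first).
    """
    by_name = {r.name: r for r in routers}
    pending, log = sorted(events), []

    def become(r, state, now):
        r.state = state
        if state == "master":
            r.deadline = now + r.adver_int               # Advertisement_Timer
        elif state == "backup":
            r.deadline = now + r.master_down_interval()  # Master_Down_Timer
        log.append((now, r.name, state))

    while True:
        timers = [r.deadline for r in routers if r.state != "down"]
        nxt = min(timers + [e[0] for e in pending[:1]], default=None)
        if nxt is None or nxt > until:
            return log
        adverts = []  # (sender, advertised priority) sent at time nxt
        while pending and pending[0][0] == nxt:
            _, action, name = pending.pop(0)
            r = by_name[name]
            if action == "up":  # Initialize: the owner goes straight to master
                become(r, "master" if r.priority == 255 else "backup", nxt)
                if r.state == "master":
                    adverts.append((r, r.priority))
            else:
                if action == "shutdown" and r.state == "master":
                    adverts.append((r, 0))
                become(r, "down", nxt)
        for r in routers:  # every timer expiring now fires before delivery
            if r.state != "down" and r.deadline <= nxt:
                if r.state == "backup":
                    become(r, "master", nxt)
                else:
                    r.deadline = nxt + r.adver_int
                adverts.append((r, r.priority))
        while adverts:
            sender, prio = adverts.pop(0)
            for r in routers:
                if r is sender or r.state == "down":
                    continue
                if r.state == "backup" and prio == 0:
                    become(r, "master", nxt)  # do not wait for the timer
                    adverts.append((r, r.priority))
                elif r.state == "backup":
                    r.deadline = nxt + r.master_down_interval()
                elif (prio, sender.ip) > (r.priority, r.ip):
                    become(r, "backup", nxt)  # higher priority, then higher IP


def took_over(log):
    """Times at which a router entered the master state."""
    return [(t, name) for t, name, state in log if state == "master"]


def figure3(rs1_event):
    """Constructed run of the Figure 3 LAN; RS1 leaves at t = 4.5 s."""
    rs = [Router("RS1", "200.1.1.1", owner=True), Router("RS2", "200.1.1.2"),
          Router("RS3", "200.1.1.10")]
    start = [(0, "up", r.name) for r in rs]
    return rs, simulate(rs, start + [(4.5, rs1_event, "RS1")], until=15)


def mismatch(rs2_interval):
    """RS1 advertises every 10 s; count RS2's mastership claims in 29 s."""
    rs = [Router("RS1", "200.1.1.1", adver_int=10, owner=True),
          Router("RS2", "200.1.1.2", adver_int=rs2_interval)]
    log = simulate(rs, [(0, "up", "RS1"), (0, "up", "RS2")], until=29)
    return sum(1 for _, name in took_over(log) if name == "RS2")


if __name__ == "__main__":
    print(took_over(figure3("fail")[1]))      # Case 1: wait for the timer
    print(took_over(figure3("shutdown")[1]))  # Case 2: priority 0, no wait
    print(mismatch(1), mismatch(10))          # flapping versus stable
```

The tie between RS2 and RS3 is decided by comparing the addresses numerically, so 200.1.1.10 beats 200.1.1.2; a plain string comparison would pick the wrong router.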


The priority is another parameter you can define; it is set to 100 by default. If you configure it differently, then you can decide who will be the next master if the master goes down. As mentioned earlier, priority is the first thing the backup routing switches compare, to determine the master. The one with the higher priority becomes the master. You also need to enable VRRP by using the enable command:
ethernet <ports> ip vrrp <vrid> enable

You can disable VRRP by using the disable command:
ethernet <ports> ip vrrp <vrid> disable

To understand how to configure VRRP on a Passport routing switch, consider the following example. This example looks at how to configure the Passport routing switches for VRRP. One thing to understand about the example is that the goal is to inform you of how you can configure the Passport routing switch for VRRP routing, not how you should, as that depends on a number of factors. In this example (see Figure 7), there are two networks: 205.1.1.0/24 and 207.1.1.0/24. To keep things simple, assume that all the routing switches in the topology have the same kind of links. To send a message from network 205.1.1.0/24 to 207.1.1.0/24, the best route seems to be through RS1, as the two LANs are two hops away. In case RS1 goes down, the next best route would be through RS2, as the LANs are three hops away. The network administrator wants to have RS1 as the master. Also, the critical IP address for RS1 is the interface connecting RS1 to R, because if that goes down, the master is not able to perform its responsibilities.

Figure 7: Example of Setting up Passport Routing Switches for VRRP Routing.

[Figure 7 labels: Host A, Host B, Host C; Routing Switch 1 205.1.1.1/24 (Master), Critical IP Address 201.1.1.1/24; Routing Switch 2 205.1.1.2/24 (Backup); Routing Switch 3 205.1.1.3/24 (Backup); Routing Switch 4; Routing Switch 5; Router R 207.1.1.1/24; Internet.]

The configuration for RS1 is as follows, assuming that the Ethernet interface that is being configured for VRRP is 1/1:
ethernet 1/1 ip vrrp 1 address 205.1.1.1/24
ethernet 1/1 ip vrrp 1 adver-int 3
ethernet 1/1 ip vrrp 1 critical-ip 201.1.1.1/24
ethernet 1/1 ip vrrp 1 enable

The configuration for RS1 shows that the virtual router's IP address is 205.1.1.1/24, and the advertisements should be 3 seconds apart. If the interface that owns IP address 201.1.1.1/24 goes down, then RS1 is no longer the master routing switch, and one of the backup routing switches takes the responsibility of being the master. It is not important to define the priority here, because RS1 is going to be the master, as it owns the virtual router's IP address. Therefore, it will automatically get the priority value of 255. Priority could prove important for the backup routers.

The configuration for RS2 is as follows, assuming that the Ethernet interface that is being configured for VRRP is 2/3:
ethernet 2/3 ip vrrp 1 address 205.1.1.1/24
ethernet 2/3 ip vrrp 1 adver-int 3
ethernet 2/3 ip vrrp 1 enable
ethernet 2/3 ip vrrp 1 priority 250

RS2 goes into backup mode, and starts the Advertisement_Down_Timer after the initialization mode, because it does not own the virtual router's IP address. It is a backup for the virtual router's IP address, 205.1.1.1/24. The Advertisement_Interval is the same as on RS1. It is very important that it matches RS1's Advertisement_Interval, for reasons mentioned earlier. The priority is 250. The goal here is that the priority of RS2 should be higher than that of RS3, so that if RS1 goes down, RS2 takes over as the master. There is no critical IP address defined here, because there are two routing switches that can take traffic from RS2 to R. If the preferred one of the two goes down, routing can still be done through the other one.

The configuration for RS3 is as follows, assuming that the Ethernet interface that is being configured for VRRP is 1/3:
ethernet 1/3 ip vrrp 1 address 205.1.1.1/24
ethernet 1/3 ip vrrp 1 adver-int 3
ethernet 1/3 ip vrrp 1 enable
ethernet 1/3 ip vrrp 1 priority 210
ethernet 1/1 ip vrrp 1 critical-ip 209.1.1.1/24

Here, we should notice that the priority of this interface is lower than the priority of RS2. Therefore, if RS1 goes down, RS2 is the new master. If we had left the priority configuration set to the default (which is 100), then the new master would be RS3, because the IP address of the VRRP interface for VRID 1 of RS3 is greater than the IP address of the VRRP interface for VRID 1 of RS2. We have also defined a critical IP address of 209.1.1.1/24. If this interface is down, RS3 does not declare itself as a master.

Summary
This paper examined what VRRP is and how it works. It is a protocol that provides backup for routing switches connecting a LAN to the outside world (assuming there is more than one routing switch working in the same context). One routing switch becomes the master and the rest act as backups.

The process of deciding who will be the master involves three stages – initialize, backup and master. In the initialize stage, VRRP routers compare the virtual router's IP address to their interface's IP addresses. If one of them owns the virtual router's IP address, it declares itself to be the master and assumes a priority of 255. After the rest of the routing switches receive this advertisement, they go in the backup state and start the Advertisement_Down_Timer. If no one owns the virtual router's IP address, then they all go into the second stage (which is the backup stage), and start the Advertisement_Down_Timer. If the timer times out, all of them declare themselves as the master, and send advertisements with their priority (priority 255 is only used by the router who owns the virtual IP address). If there is more than one backup routing switch, they receive advertisements from each other, and compare with their own information. The routing switch with the highest priority becomes the master, and the rest step down and go back to the backup stage. If the priorities are the same, then the owner of the highest IP address wins. If the owner of the address comes up, it sends out an advertisement with priority = 255. The virtual master steps down, and the owner of the address becomes master.

To route traffic through the master, the hosts ARP for the MAC address of their default gateway, which is also the virtual router's IP address. The virtual master replies with the virtual MAC address, instead of its own physical address. This way, when the original master goes down, the new master routing switch becomes the owner of the virtual MAC address. Thus, the host can still send traffic to the virtual router's MAC address and no change has to be made on the host.
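The election rules summarized above, applied to the RS1/RS2/RS3 configuration example, as an added Python model (not Nortel code and not part of the original paper). The Switch class and the function names are hypothetical; the addresses, priorities and the default priority of 100 are the paper's.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address

VIP = ip_address("205.1.1.1")   # virtual router address from the example
DEFAULT_PRIORITY = 100          # default priority stated in the paper

@dataclass(frozen=True)
class Switch:                   # hypothetical model, not a Passport data structure
    name: str
    ip: str                     # address of the VRRP interface
    priority: int = DEFAULT_PRIORITY
    adver_int: int = 3          # advertisement interval in seconds
    up: bool = True
    critical_up: bool = True    # state of the critical-ip interface, if one is set

def effective_priority(sw):
    """The address owner always uses 255; others use the configured value."""
    return 255 if ip_address(sw.ip) == VIP else sw.priority

def elect(switches):
    """Return the name of the master, or None if no switch is eligible."""
    eligible = [s for s in switches if s.up and s.critical_up]
    if not eligible:
        return None
    # Highest priority wins; equal priorities are broken by the highest IP.
    best = max(eligible, key=lambda s: (effective_priority(s), ip_address(s.ip)))
    return best.name

def interval_mismatches(switches):
    """Names of switches whose adver-int differs from the first switch's."""
    ref = switches[0].adver_int
    return [s.name for s in switches if s.adver_int != ref]

def with_state(switches, name, **changes):
    """Copy of the group with one switch's fields changed (models a failure)."""
    return [replace(s, **changes) if s.name == name else s for s in switches]

# Values taken from the RS1/RS2/RS3 example in this paper.
GROUP = [
    Switch("RS1", "205.1.1.1"),               # owns the virtual address
    Switch("RS2", "205.1.1.2", priority=250),
    Switch("RS3", "205.1.1.3", priority=210),
]

if __name__ == "__main__":
    print("all up:            ", elect(GROUP))
    print("RS1 down:          ", elect(with_state(GROUP, "RS1", up=False)))
    defaults = [replace(s, priority=DEFAULT_PRIORITY) for s in GROUP]
    print("RS1 down, defaults:", elect(with_state(defaults, "RS1", up=False)))
```

Running it with RS1 down and every priority left at the default shows RS3 winning on IP address alone, which is why the example sets RS2 to 250.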


Acronym Glossary
ARP: Address Resolution Protocol
CLI: Command Line Interface
IANA: Internet Assigned Number Authority
IP: Internet Protocol
LAN: Local Area Network
MAC: Media Access Control
TTL: Time to Live
VERS: Version
VRID: Virtual Router Identifier
VRRP: Virtual Router Redundancy Protocol


http://www.nortelnetworks.com

*Nortel Networks, the Nortel Networks logo, the Globemark, How the World Shares Ideas, Unified Networks, and Passport are trademarks of Nortel Networks. All other trademarks are the property of their owners. © 2000 Nortel Networks. All rights reserved. Information in this document is subject to change without notice. Nortel Networks assumes no responsibility for any errors that may appear in this document. Printed in USA.

WP3340-B / 04-00