bladedragon

Introduction to VRRP

Background

With the rapid growth of mobile office, online shopping, instant messaging, internet finance, internet education and similar businesses, the number and importance of the services carried by the network keep increasing. Keeping the network running without interruption has therefore become an urgent problem for network operators.

One way to address this is a redundant backup mechanism that removes the single point of failure of a traditional network design: when a router fails, traffic is switched to another link in time and the business keeps running.

Traditional solutions

  1. Deploying multiple routers to remove the single point of failure.
  2. Using dynamic routing protocols to resolve multi-gateway conflicts and achieve link failover.

However, traditional solutions still have several problems:

  1. Some dynamic routing protocols switch links slowly because they rely on broadcast packets.
  2. Dynamic routing is not supported in many scenarios.

As a result, VRRP emerged.

Basic Concepts of VRRP

VRRP

Virtual Router Redundancy Protocol (VRRP) is a redundancy protocol defined by the IETF to eliminate the single point of failure that a statically configured gateway creates in a local area network.

VRRP groups several physical routers into one virtual router without changing the hosts' network configuration. The hosts use the virtual router's IP address as their default gateway, so the gateway itself is backed up.

Advantages

Link protection based on VRRP switches links faster than protection based on the broadcast packets of dynamic routing protocols, and it also provides link protection in scenarios where dynamic routing cannot be used.

Glossary


  • VRRP Router: A device running VRRP, which may belong to one or more virtual routers.
  • Virtual Router (Backup Group): A group of routers in the same broadcast domain organized into a virtual router, collectively providing a virtual IP address as the gateway address for the internal network.
  • Virtual IP Address: The IP address of the virtual router. A virtual router can have one or more IP addresses configured by the user.
  • IP Address Owner: If a VRRP router uses the IP address of the virtual router as the real interface address, the device is the IP address owner.
  • Virtual MAC Address: The MAC address generated by the virtual router based on the virtual router ID. When the virtual router responds to an ARP request, it uses the virtual MAC address instead of the real MAC address of the interface.
  • Master IP Address: The primary IP address selected from the real IP addresses of the interface, usually the first one configured. VRRP advertisement packets use the master IP address as the source IP address.
  • Master Router: Among multiple routers in the same backup group, only one is in active state and can forward packets with the virtual IP address as the next hop.
  • Backup Router: Among multiple routers in the same backup group, all routers except the master router are backup routers in standby state.

State Machine

VRRP has three states: initialization state, active state, and backup state. The state transition process is shown in the following figure.

[Figure: VRRP state transition diagram]

Protocol Messages

VRRP has only one message type, the Advertisement. It is sent to the multicast IP address 224.0.0.18 with destination MAC address 01-00-5e-00-00-12, and it is carried directly in IP with protocol number 112.
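To make the advertisement concrete, here is an added example (not code from the original post) that builds and parses a VRRPv2 advertisement. The page gives only the addresses and protocol number; the field layout and checksum rule are taken from RFC 3768, and the sample packet is constructed. Such a parser is what you would run over packets captured with IP protocol 112 and destination 224.0.0.18 when checking which device is advertising which priority.

```python
import ipaddress
import struct

VRRP_MULTICAST_IP = "224.0.0.18"   # destination of every advertisement (from the text)
VRRP_IP_PROTOCOL = 112             # IP protocol number that carries VRRP (from the text)


def ones_complement_checksum(data: bytes) -> int:
    """16-bit one's-complement checksum over the whole VRRP message (RFC 3768)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_advertisement(vrid: int, priority: int, addresses: list, adver_int: int = 1) -> bytes:
    """Serialise a VRRPv2 advertisement: version 2, type 1, no authentication."""
    header = struct.pack("!BBBBBBH", (2 << 4) | 1, vrid, priority, len(addresses), 0, adver_int, 0)
    addr_bytes = b"".join(ipaddress.IPv4Address(a).packed for a in addresses)
    msg = header + addr_bytes + bytes(8)            # 8 bytes of (unused) authentication data
    return msg[:6] + struct.pack("!H", ones_complement_checksum(msg)) + msg[8:]


def parse_advertisement(pkt: bytes) -> dict:
    """Parse and validate a VRRPv2 advertisement; raise ValueError on anything malformed."""
    if len(pkt) < 8:
        raise ValueError("truncated VRRP header")
    vt, vrid, priority, count, auth_type, adver_int, _ = struct.unpack("!BBBBBBH", pkt[:8])
    version, msg_type = vt >> 4, vt & 0x0F
    if version != 2 or msg_type != 1:
        raise ValueError(f"unexpected version/type {version}/{msg_type}")
    if len(pkt) < 8 + 4 * count + 8:
        raise ValueError("packet shorter than its declared address count")
    if ones_complement_checksum(pkt) != 0:           # a valid message sums to zero
        raise ValueError("bad checksum")
    addrs = [str(ipaddress.IPv4Address(pkt[8 + 4 * i:12 + 4 * i])) for i in range(count)]
    return {"vrid": vrid, "priority": priority, "adver_int": adver_int,
            "auth_type": auth_type, "addresses": addrs}


def is_valid_advertisement(pkt: bytes) -> bool:
    """True when parse_advertisement accepts the packet, False otherwise."""
    try:
        parse_advertisement(pkt)
        return True
    except ValueError:
        return False
```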

Next, we will introduce the two main working modes of VRRP: master/backup and load balancing.

VRRP Master/Backup

Process

Master Election

Election rules:

  1. Compare priorities; the higher priority wins.
  2. If the priorities are the same, the existing master remains the master.
  3. If there is no master, compare the interface IP addresses and select the router with the higher address as the master.

Backup Group State Maintenance

  1. The master periodically sends VRRP advertisement messages to the other devices in the group to announce that it is operating normally.
  2. A master/backup switch happens under two conditions:
     1. The master voluntarily gives up its role by sending an advertisement message with priority 0.
     2. The master fails and stops advertising; each backup router waits for its Master_Down_Interval timer to expire and then elects a new master. The switching time depends on Skew_Time, calculated as (256 - backup device's priority) / 256 seconds, so a backup with a higher priority times out sooner.
  3. The value of the Master_Down_Interval timer is 3 × Advertisement_Interval + Skew_Time (in seconds).

Master/Backup Switchover

  1. If the original master (Router A) recovers from its failure and receives a VRRP advertisement from the current master (Router B) carrying a lower priority, Router A immediately preempts and becomes the master again.

    Preemptive mode:

    • By default, a backup router whose priority is higher than the current master's preempts it. The IP address owner is always in preemptive mode: whenever it is available, it becomes the master.
    • The preemption delay is 0 by default. In an unstable network, a slightly longer delay can be configured to prevent frequent switching and traffic interruption.
  2. Note: a failure on the master's upstream link does not by itself trigger a master/backup switch, because the master still sends its advertisements on the VRRP interface.

    Solution: use VRRP's linkage function to monitor the upstream interface or link and trigger a master/backup switch when it fails.
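The election, timer and preemption rules above, worked through as an added example (not code from the original post). The VrrpRouter class and the helper names are my own, and the model is simplified: timers are computed rather than run, and preemption is decided from the priorities carried in the advertisements.

```python
import ipaddress
from dataclasses import dataclass

ADVERTISEMENT_INTERVAL = 1.0  # seconds; assumed default advertisement interval


@dataclass
class VrrpRouter:
    name: str
    priority: int          # 1..254 for ordinary routers; 255 marks the IP address owner
    interface_ip: str      # the interface's master (primary) IP, used as the tie-breaker
    is_master: bool = False
    preempt: bool = True   # preemptive mode is on by default


def skew_time(priority: int) -> float:
    """Skew_Time = (256 - priority) / 256 s: a higher priority gives a shorter wait."""
    return (256 - priority) / 256


def master_down_interval(priority: int, adver_int: float = ADVERTISEMENT_INTERVAL) -> float:
    """Master_Down_Interval = 3 * Advertisement_Interval + Skew_Time."""
    return 3 * adver_int + skew_time(priority)


def elect_master(routers: list) -> VrrpRouter:
    """Election rules from the text: highest priority wins; on a tie the existing master
    stays; if there is no master, the higher interface IP address wins."""
    best = max(r.priority for r in routers)
    cands = [r for r in routers if r.priority == best]
    current = [r for r in cands if r.is_master]
    winner = current[0] if current else max(
        cands, key=lambda r: int(ipaddress.IPv4Address(r.interface_ip)))
    for r in routers:
        r.is_master = r is winner
    return winner


def master_failed(routers: list, failed: VrrpRouter):
    """The master stops advertising. The survivors elect a new master, and the winner's
    Master_Down_Interval is how long the gateway is unavailable before it takes over."""
    failed.is_master = False
    survivors = [r for r in routers if r is not failed]
    winner = elect_master(survivors)
    return winner, master_down_interval(winner.priority)


def on_recovery(recovered: VrrpRouter, master: VrrpRouter) -> VrrpRouter:
    """The recovered router hears the current master's advertisement. It preempts only
    in preemptive mode with a higher priority; the IP address owner always preempts."""
    if recovered.priority == 255 or (recovered.preempt and recovered.priority > master.priority):
        master.is_master, recovered.is_master = False, True
        return recovered
    recovered.is_master = False
    return master
```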


VRRP Load Balancing

  • In load-balancing mode, several VRRP backup groups forward business traffic at the same time, which avoids uneven traffic distribution and an overloaded master.
  • Load balancing requires several VRRP backup groups whose masters are placed on different devices. A single device can join several backup groups and play a different role in each of them.


Introduction to VGMP

Although VRRP removes the single point of failure and provides master/backup redundancy, firewalls are a special case: with plain VRRP the master and backup firewalls cannot be kept in a consistent state. Neither the VRRP states of their interfaces nor their session tables are kept consistent and backed up.

In this case, we need to introduce VGMP (VRRP Group Management Protocol).

VGMP introduces the VRRP management group: all VRRP backup groups on the same firewall are placed in one management group, which controls their state switching centrally so that every backup group in it is always in the same state.

Basic Principles

  • When the firewall's VGMP group is in Active state, every VRRP backup group in it is Active; when it is in Standby state, every backup group is Standby.
  • The VGMP group in Active state periodically sends HELLO messages to the standby end to report its own running state (priority, the states of its VRRP members, and so on).
  • The default HELLO transmission period is 1 second. When the standby end receives no HELLO messages from the peer for three HELLO periods, it considers the peer failed and switches itself to the Active state.


VGMP Management Mechanism

State Consistency Management

The VGMP management group controls the unified switching of all VRRP backup groups.

Preemptive Management

When the original failed master device recovers and its priority is restored, it can preemptively become the master again.

Using VGMP for firewall backup and automatic failover to keep services running is part of the firewall's dual-device hot standby technology. Due to limited space, we will not elaborate on it here.

Summary

Today, we started with a real-world problem and briefly introduced using VRRP for routing redundancy backup. In addition, based on the characteristics of firewalls, we introduced the concept of VGMP, which is a glimpse into the mystery of firewalls. Network security is becoming an increasingly important part of our lives, and we will continue to discuss security knowledge next time we have the opportunity.
