There are a number of methods that an end-host can use to determine its first hop router towards a particular IP destination. such as Routing Information Protocol [RIP] or OSPF version 2 [OSPF] or using a statically configured default route. Running a dynamic routing protocol on every end-host may be infeasible for a number of reasons, including administrative overhead, processing overhead, security issues, or lack of a protocol implementation for some platforms. The use of a statically configured default route is quite popular;
It minimizes configuration and processing overhead on the end-host and is supported by virtually every IP implementation. However, this creates a single point of failure. Loss of the default router results in a catastrophic event, isolating all end-hosts that are unable to detect any alternate path that may be available.
WAN Ip addr 10.10.10.11/24 Def GW 10.10.10. 3 Ip Addr 10.10.10.12/24 Def GW 10.10.10. 4 IP Addr 10.10.10.3/24 IP Addr 10.10.10.4/24 PC-1 PC-2
The Virtual Router Redundancy Protocol (VRRP) is designed to eliminate the single point of failure inherent in the static default routed environment. VRRP specifies an election protocol that dynamically assigns responsibility for a virtual router to one of the VRRP routers on a LAN.
The VRRP router controlling the IP address(es) associated with a virtual router is called the Master, and forwards packets sent to these IP addresses. The election process provides dynamic fail-over in the forwarding responsibility should the Master become unavailable. Any of the virtual router’s IP addresses on a LAN can then be used as the default first hop router by end-hosts. The advantage gained from using VRRP is a higher availability default path without requiring configuration of dynamic routing or router discovery protocols on every end-host. (rfc 3768)
WAN Ip addr 10.10.10.11/24 Def GW 10.10.10.1 (vrrp ip) Ip Addr 10.10.10.12/24 Def GW 10.10.10.1 (vrrp ip) IP Addr 10.10.10.3/24 Vrrp ip 10.10.10.1 IP Addr 10.10.10.4/24 Vrrp ip 10.10.10.1 VRRP backup Router VRRP master router VRRP Master PC-1 PC-2
VRRP Router : A router running the Virtual Router Redundancy Protocol.
Virtual Router : An abstract object managed by VRRP that acts as a default router for hosts on a shared LAN. It consists of a Virtual Router Identifier and a set of associated IP address(es) across a common LAN. A VRRP Router may backup one or more virtual routers.
IP Address Owner : The VRRP router that has the virtual router’s IP address(es) as real interface address(es). This is the router that, when up, will respond to packets addressed to one of these IP addresses for ICMP pings, TCP connections, etc.
Virtual Router Master The VRRP router that is assuming the responsibility of forwarding packets sent to the IP address(es) associated with the virtual router, and answering ARP requests for these IP addresses. Note that if the IP address owner is available, then it will always become the Master.
Virtual Router Backup The set of VRRP routers available to assume forwarding responsibility for a virtual router should the current Master fail.
The virtual router MAC address is used as the source in all periodic VRRP messages sent by the Master router. A virtual router is defined by its virtual router identifier (VRID) and a set of IP addresses. To minimize network traffic, only the Master for each virtual router sends periodic VRRP Advertisement messages. A Backup router will not attempt to preempt the Master unless it has higher priority. This eliminates service disruption unless a more preferred path becomes available. VRRP packets are sent encapsulated in IP packets. They are sent to the IPv4 multicast address assigned to VRRP.
VRRP Packet Format
IP Field Descriptions & Vrrp Parameter definitions
Source Address : The primary IP address of the interface the packet is being sent from.
Destination Address :The IP multicast address as assigned by the IANA for VRRP is: 220.127.116.11
TTL : The TTL MUST be set to 255. A VRRP router receiving a packet with the TTL not equal to 255 MUST discard the packet.
Protocol : The IP protocol number assigned by the IANA for VRRP is 112 (decimal).
Version : The version field specifies the VRRP protocol version of this packet.
Type : The type field specifies the type of this VRRP packet. The only packet type defined in this version of the protocol is: 1 ADVERTISEMENT
Virtual Rtr ID (VRID) : The Virtual Router Identifier (VRID) field identifies the virtual router this packet is reporting status for. Configurable item in the range 1-255 (decimal). There is no default.
Priority : The priority field specifies the sending VRRP router’s priority for the virtual router. Higher values equal higher priority. This field is an 8 bit unsigned integer field. VRRP routers backing up a virtual router MUST use priority values between 1-254 (decimal). The default priority value for VRRP routers backing up a virtual router is 100 (decimal).
The priority value zero (0) has special meaning indicating that the current Master has stopped participating in VRRP. This is used to trigger Backup routers to quickly transition to Master without having to wait for the current Master to timeout. The value of 0 (zero) is reserved for Master router to indicate it is releasing responsibility for the virtual router.
Authentication Type : ERS5500 series has no authentication.
C ritical-ip <ipaddr> : A locally configured IP address to use as a trigger for releasing control of the virtual router. Critical IP is not advised to configure with backup-master feature at both 5500 and 8600 series.
Advertisement Interval (Adver Int) : The Advertisement interval indicates the time interval (in seconds) between ADVERTISEMENTS. The default is 1 second. This field is used for troubleshooting misconfigured routers.
Skew_Time : Time to skew Master_Down_Interval in seconds.
Calculated as: ( (256 - Priority) / 256 )
Master_Down_Interval : Time interval for Backup to declare Master down (seconds). Calculated as: (3 * Advertisement_Interval) + Skew_time
Preempt_Mode : Controls whether a higher priority Backup router preempts a lower priority Master. Values are True to allow preemption and False to prohibit preemption. Default is True. Note: Exception is that the router that owns the IP address(es) associated with the virtual router always preempts independent of the setting of this flag.
Checksum : The checksum field is used to detect data corruption in the VRRP message. The checksum is the 16-bit one’s complement of the one’s complement sum of the entire VRRP message starting with the version field. For computing the checksum, the checksum field is set to zero. See RFC 1071 for more detail [CKSM].
Fast advertisement : is proprietary to ERS supporting an advertising interval from 200 to 1000 ms with a default value of 200ms
used to communicate between VRRP routers.
use the following addresses:
Destination IP address:
Destination MAC address:
Source MAC address
Wait to be enabled.
MUST NOT respond to ARP requests for the IP address associated with the virtual router.
MUST discard packets with a destination MAC address equal to the virtual router MAC address.
MUST NOT accept packets addressed to the IP address associated with the virtual router.
Transition to the Master state.
MUST respond to ARP requests for the IP address associated with the virtual router.
MUST forward packets with a destination MAC address equal to the virtual router MAC address.
MUST NOT accept packets addressed to the IP address associated with the virtual router if it is not the IP address owner. (included at the RFC, not seen at the Nortel)
MUST accept packets addressed to the IP address associated with the virtual router if it is the IP address owner.
Upon receipt of a VRRP packet a VRRP router should:
Compare VRID in packet to internal VRIDs.
Don’t match: discard packet.
Do match: compare priorities.
Compare VRRP priority.
Packet priority higher: transition to Backup.
Internal priority higher: transition to Master.
Equal: compare sender’s IP address. Highest IP address is the master.
Events that result in a Backup VRRP router becoming Master.
Receive a VRRP packet with priority lower than internal priority.
Backup does not receive a VRRP packet within the Master_Down_Interval
VRRP Master sends a packet with priority 0 indicating it is relinquishing control of the virtual router.
VRRP-backup (both VLANs) VRRP-master (both VLANs) Q01737679 problem Packet fro PC1 to PC2 (dest MAC = VRRP MAC) Based on MLT distribution Packet could be sent to backup As 5x00 is not owner of the VRRP MAC Packet is switched to VRRP Master Packet should be routed to PC2 due to CR Q01737679 (5x00 hardware limitation) packet is dropped when coming from IST to SMLT (when SMLT is in state “SMLT”) Layer 2 Switch PC-2 PC-3 Layer 2 Switch PC-1
-master VRRP-master (both VLANs) Solution for Q01737679 Packet fro PC1 to PC2 (dest MAC = VRRP MAC) Based on MLT distribution Packet could be sent to backup 5x00 now owner of the VRRP MAC Packet is routed to PC2 VRRP-backup (both VLANs) Layer 2 Switch PC-2 PC-3 Layer 2 Switch PC-1
VRRP-backup-master VRRP-master Link down Link down situation Layer 2 Switch PC-2 PC-3
VRRP-backup-master VRRP-master VRRP hello VRRP hello not forwarded due to CR Q01990799 VRRP MAC aged – not re learned as no VRRP hellos arriving Packet fro PC1 to VRRP MAC flooded as no FDB entry exists !!! Flooding of all packets on L2 switch Layer 2 Switch PC-2 PC-3
VRRP-backup-master VRRP-master VRRP hello VRRP hello all 10 sec from backup master CR Q01990790 VRRP MAC learned all 10 sec Packet fro PC1 to VRRP MAC CR Q01990790 resolves the flooding issue Layer 2 Switch PC-2 PC-3
Packet to the Server PC sends Packet to default Gateway which is VRRP MAC address 00:00:5e:00:01.xx Packet is sent either the blue or the red path depending on the MLT distribution If blue path is used - Packet is routed by the D1 as it is VRRP master and the packet is destined to VRRP MAC address If red path is used - Packet is routed by the D2 as it is VRRP backup-master and the packet is destined to VRRP MAC address Packet is forwarded to destination PC-1 5x00 D2 . 5x00 D1 . Layer 2 Switch Layer 2 Switch 8300 8300 NetApp
Packet from the Server ( DAW behavior ) Server sends Packet to MAC address where it received the packet from not the default gateway VRRP address e.g. MAC address of D1 Packet is sent either the blue or the red path depending on the MLT distribution If blue path is used - Packet is routed by the D1 as the destination MAC is its own MAC If red path is used - Packet has D1 MAC therefore must be sent to D1 across IST Packet is switched not routed (VRRP cannot be used) Packet is forwarded to destination If red path is used - Packet cannot be forwarded to SMLT coming from the IST. Therefore packet is lost PC-1 5x00 D2 . 5x00 D1 . Layer 2 Switch Layer 2 Switch 8300 8300 NetApp
Packet from the Server re-transmission - 1 Server sends Packet to MAC address where it received the packet from not the default gateway VRRP address e.g. MAC address of D1 Packet is sent either the blue or the red path depending on the MLT distribution If red path is used - Packet has D1 MAC therefore must be sent to D1 across IST Packet is switched not routed (VRRP cannot be used) If red path is used - Packet cannot be forwarded to SMLT coming from the IST. Therefore packet is lost PC-1 5x00 D2 . 5x00 D1 . Layer 2 Switch Layer 2 Switch 8300 8300 NetApp
Packet from the Server re-transmission - 2 Server sends Packet to VRRP MAC address Packet is sent either the blue or the red path depending on the MLT distribution If red path is used - Packet has VRRP MAC therefore D2 will use the backup-master function to route the packet Packet is forwarded to destination PC-1 5x00 D2 . 5x00 D1 . Layer 2 Switch Layer 2 Switch 8300 8300 NetApp
Due to the hardware limitation in the 5x00 (Q01737679) the VRRP backup-master function must be used in an IST/SMLT design with 5x00s.
Another limitation prevents VRRP hellos to be forwarded by the VRRP backup-master (Q01990799). To overcome this limitation the backup-master will generate VRRP hellos all 10 sec itself (Q01990790).
Therefore the 5x00 must not be used in a non-SMLT design with the VRRP backup master-function enabled
ERS Vrrp trap Messages
Transition Type : 1 - None 2 - Master to Backup 3 - Backup to Master 4 - Initialize to Master 5 - Master to initialize 6 - Initialize to Backup 7 - Backup to Initialize 8 - Backup to Backup Master 9 - Backup Master to Backup
Transition Cause : 1 - None 2 - Higher priority advertisement received 3 - Shutdown received 4 - VRRP Address and Physical Address match 5 - Master Down interval 6 - Preemption 7 - Critical IP goes down 8 - User Disabling VRRP 9 - VRRP status synced from primary 10 - IP interface on which VRRP is configured goes down. 11 - Lower Priority Advertisement received 12 - Advertisement received from Higher interface IP address with Equal priority 13 - Advertisement received from Lower interface IP address with Equal priority 14 - User enabled VRRP
15 - Transition because of any other cause
Begin by determining which interfaces are running VRRP.
Make note of the state of each interface (ie. Master or Backup).
Look at the configured parameters, such as VRIDs and IP addresses, for each interface and be sure they match on all VRRP routers. Same vrid should not use at the different vlans.
Capture the VRRP packets and be sure they are coming from the expected router at the expected time interval.
Note : ERS5500 series must have advance licence to configure vrrp.
ARP replies from the VRRP IP address will have a source MAC of the Passport interface (the packet will contain the VRRP MAC).
ICMP echo replies from the VRRP IP address will use the VRRP MAC as the source.**
Packets being routed back through a VRRP interface will use the Passport MAC address as the source MAC.
Note : At ERS8300- ERS8600, it’s advised to configure RSMLT instead of VRRP for the square or full mesh structures.