With the rapid development of the Internet, the number of network-based applications has steadily increased, placing ever higher demands on network reliability. Replacing all network equipment with newer devices is certainly one way to improve reliability, but from the perspective of protecting existing investment, we can instead apply the idea of cheap redundancy to strike a balance between reliability and cost.
The Virtual Router Redundancy Protocol is a good solution of this kind. It provides redundant backup of the default gateway used by terminal IP devices on shared multi-access media (such as Ethernet): when one routing device goes down, a backup routing device takes over forwarding in a timely manner, giving users a transparent switchover and improving the quality of network service.
1. Protocol Overview
In a network based on the TCP/IP protocol suite, a route must be specified to ensure communication between devices that are not directly connected physically. There are two common ways to specify routes: dynamic learning through a routing protocol (such as the interior routing protocols RIP and OSPF), and static configuration. Running a dynamic routing protocol on every terminal is unrealistic: most client operating systems do not support dynamic routing protocols, and even where they do, management overhead, convergence and security all pose problems. Therefore terminal IP devices are generally configured with static routes, usually in the form of one or more default gateways. The static approach simplifies network management and reduces the communication overhead of end devices, but it has one drawback: if the router acting as default gateway fails, all communication from hosts using that gateway as their next hop is inevitably interrupted. Even if multiple default gateways are configured, a terminal device cannot switch to a new gateway without being restarted. The Virtual Router Redundancy Protocol (VRRP) avoids the defects of statically specified gateways.
In the VRRP protocol there are two important pairs of concepts: VRRP router and virtual router, master router and backup router. A VRRP router is a router running VRRP, a physical entity; a virtual router is created by the VRRP protocol and is a logical concept. A group of VRRP routers works together to form one virtual router, which appears externally as a single logical router with a unique, fixed IP address and MAC address. Routers in the same VRRP group take one of two mutually exclusive roles: master or backup. Only one router in a VRRP group is the master at any time, while one or more routers act as backups. VRRP uses an election policy to select one router in the group as the master, which is responsible for answering ARP requests and forwarding IP packets, while the other routers in the group stand by in the backup role. When the master router fails for any reason, a backup router can be promoted to master within a few seconds. Because this switchover is fast and does not require changing the IP address or MAC address, it is transparent to the terminal user's system.
2. Working principle
A VRRP router group has a unique identifier, the VRID, with a range of 0-255. The virtual router is represented externally by a unique virtual MAC address of the form 00-00-5E-00-01-[VRID]. The master router is responsible for answering ARP requests with this MAC address. In this way, regardless of which physical router is currently master, the terminal device always sees the same unique IP and MAC address, minimizing the impact of a switchover on the terminal device.
There is only one VRRP control message: the VRRP advertisement. It is encapsulated in IP multicast packets with the group address 224.0.0.18, and its propagation is limited to the local LAN, which allows a VRID to be reused in different networks. To reduce network bandwidth consumption, only the master router periodically sends VRRP advertisements. A backup router starts a new round of VRRP election when it fails to receive an advertisement for three consecutive advertisement intervals, or when it receives an advertisement with priority 0.
Within a VRRP router group the master is elected by priority; the priority range in the VRRP protocol is 0-255. If a VRRP router's interface IP address is the same as the virtual router's IP address, that router is called the IP address owner of the VRRP group, and it automatically has the highest priority, 255. Priority 0 is used when the IP address owner deliberately gives up the master role. The configurable priority range is 1-254, and priorities can be set according to link speed and cost, router performance and reliability, and other management policies. In the master election the router with the higher priority wins, so if the VRRP group contains an IP address owner, it always takes the master role. Candidates with equal priority are decided by comparing their IP addresses. VRRP also provides an optional priority preemption policy: if it is configured, a backup router with a higher priority displaces the current lower-priority master and becomes the new master.
To secure the VRRP protocol, two authentication measures are provided: plaintext authentication and IP header authentication. Plaintext authentication requires a router joining a VRRP group to present the same VRID together with a shared plaintext password. This is adequate for avoiding configuration errors within the LAN, but it cannot prevent the password from being captured by monitoring the network. IP header authentication provides higher security and can defend against attacks such as message replay and modification.
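The election and failover rules from the two paragraphs above, as an added illustration that is not part of the original article: a small Python model of a VRRP group covering virtual MAC derivation from the VRID, the IP address owner rule, priority and IP-address tie-breaking, optional preemption, and a backup router's master-down timer. The router names, addresses and the 1-second advertisement interval are constructed values for the example.

```python
from dataclasses import dataclass

ADVERT_INTERVAL = 1.0  # seconds; constructed value (the usual VRRP default)

def virtual_mac(vrid: int) -> str:
    """Virtual MAC of a VRRP group: 00-00-5E-00-01-[VRID], VRID as one hex octet."""
    if not 0 <= vrid <= 255:
        raise ValueError("VRID must fit in one octet")
    return f"00-00-5E-00-01-{vrid:02X}"

@dataclass
class VrrpRouter:
    name: str
    ip: str         # interface address of this physical router
    priority: int   # configured value, 1-254
    alive: bool = True

def effective_priority(r: VrrpRouter, virtual_ip: str) -> int:
    # The IP address owner (interface IP == virtual IP) automatically gets 255.
    return 255 if r.ip == virtual_ip else r.priority

def elect_master(routers, virtual_ip):
    """Higher priority wins; equal priorities are decided by comparing IP addresses."""
    alive = [r for r in routers if r.alive]
    if not alive:
        return None
    return max(alive, key=lambda r: (effective_priority(r, virtual_ip),
                                     tuple(int(o) for o in r.ip.split("."))))

def should_preempt(master, backup, virtual_ip, preempt_enabled):
    """A backup displaces a running master only when preemption is configured."""
    return preempt_enabled and effective_priority(backup, virtual_ip) > effective_priority(master, virtual_ip)

class MasterDownTimer:
    """A backup's view of the master: down after three missed advertisements or a priority-0 advert."""
    def __init__(self, advert_interval=ADVERT_INTERVAL):
        self.master_down_interval = 3 * advert_interval  # RFC 3768 adds a small skew time; omitted here
        self.last_advert = None
        self.resigned = False

    def on_advert(self, priority, now):
        self.last_advert = now
        self.resigned = priority == 0  # priority 0: the master is giving up its role

    def master_down(self, now):
        if self.resigned:
            return True
        return self.last_advert is not None and now - self.last_advert >= self.master_down_interval
```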
3. Application examples
The most typical VRRP application: RTA and RTB form a VRRP router group. Assuming that RTB has more processing power than RTA, RTB is configured as the IP address owner, and the default gateway of H1, H2 and H3 is set to RTB. RTB then becomes the master router, responsible for ICMP redirects, ARP replies and IP packet forwarding; once RTB fails, RTA immediately begins the switchover and becomes the master, ensuring a transparent and reliable handover for users.
In this application, while the master is up the backup router takes no part in forwarding, so router RTA and link L1 sit idle. With a reasonable network design, backup and load sharing can be achieved at the same time. Let RTA and RTB belong to two VRRP groups that back each other up: in group 1, RTA is the IP address owner; in group 2, RTB is the IP address owner. Set the default gateway of H1 to RTA and the default gateway of H2 and H3 to RTB. This shares both the equipment load and the network traffic while also improving network reliability.
The working mechanism of VRRP has much in common with Cisco's HSRP (Hot Standby Routing Protocol). The main difference is that in Cisco's HSRP a separate IP address must be configured as the address the virtual router presents to the outside, and this address cannot be the interface address of any member of the group.
Using VRRP does not require changing the existing network structure, which protects current investment to the greatest extent and keeps management costs minimal, while greatly improving network availability; it therefore has significant practical value.
Article entry: csh Editor in charge: csh