[Dr.WoW] [No.48] The Story of VRRP and VGMP-part 1

Latest reply: Jan 6, 2016 08:25:44 4546 1 0 0

For readers familiar with routers and switches, the VRRP protocol will certainly be the first to spring to mind when network dual device deployment is mentioned, and the firewall hot standby function is actually an expansion on the foundation provided by the VRRP protocol. Therefore, as I explain the story of VGMP and VRRP step by step in this section, I will first discuss VRRP, and then introduce VGMP from this basis.

1 VRRP Overview

In the router or firewall hot standby networking discussed in the above section, whether traffic was directed to the primary or backup device was decided by the upstream and downstream devices' routing tables. This is because dynamic routing can dynamically adjust routing tables according to link states to automatically direct traffic onto the correct device. However, what if the upstream and downstream devices are using static routing? This is indeed a problem, as dynamic adjustments cannot be made in static routing.

Let's look at an example of this below. As shown in Figure 1-1, the router is configured as the default gateway on the hosts on the internal network. Therefore, when the hosts want to access the Internet, it will first send a packet to the gateway, and the packet will then be sent by the gateway to the Internet. However, when the gateway fails, communication between the hosts and the Internet will be interrupted.

Figure 1-1 A single gateway failure resulting in service interruption

[Dr.WoW] [No.48] The Story of VRRP and VGMP-part 1-1038943-1 

As shown in Figure 1-2, if we want to solve the problem of network interruptions, we need to add multiple gateways (Router 1 and Router 2). However, the dynamic routing cannot be configured on hosts. Only a default gateway can be specified on the hosts. If we configure Router 1 as the default gateway, then when Router 1 fails, traffic will not be automatically directed to Router 2. At this time, only manually changing the host's default gateway to Router 2 will allow the host's traffic to be directed to Router 2. However, this will certainly result in the interruption of the host's traffic accessing the Internet for a period of time. Moreover, in large networks, there may be hundreds of hosts, and manually adjusting the network to achieve gateway failover is clearly not realistic.

Figure 1-2 Multiple gateways cannot guarantee uninterrupted service

[Dr.WoW] [No.48] The Story of VRRP and VGMP-part 1-1038943-2 

In order to better resolve the problem of network interruptions occurring due to gateway failures, network developers have developed the VRRP protocol. The VRRP protocol is a kind of fault-tolerant protocol, and guarantees that when a failure occurs on a host's next hop router (the default gateway), a backup router will automatically replace the failed router in completing packet forwarding tasks, thereby maintaining continuous and reliable network communication.

In Figure 1-3, we've assigned a group of routers (actually these are the routers' downstream interfaces) from within a LAN together, forming a VRRP group. VRRP groups are equivalent to a virtual router which has its own virtual IP address and virtual MAC address (format:00-00-5E-00-01-{VRID}, where VRID is the VRRP group's ID). Therefore, the hosts within the LAN can configure their default gateway as the VRRP group's virtual IP address. The hosts within the LAN 'think' they are communicating with the virtual router and using the virtual router to communicate with the external network.

Figure 1-3 VRRP basics

[Dr.WoW] [No.48] The Story of VRRP and VGMP-part 1-1038943-3 

The routers in a VRRP group will determine their own state in the VRRP group based on the priority specified by the administrator. The highest priority state is Master, and the other state is Backup. A router whose state is Master is called the master router, and a router whose state is Backup is called the backup router. When the master router is operating normally, hosts within the LAN will communicate with the external world through the master router. If the master router fails, a backup router (the one with the next highest VRRP priority) will become the new master router and take over the work of forwarding packets, guaranteeing that the network is not interrupted.

2 VRRP Working Mechanisms

Here, I will use visual aids to demonstrate the entire process of VRRP operations, in order to help readers in understanding VRRP's implementation principles. So long as you look through the below figures in their entirety and commit them to memory, you will assuredly understand and remember the VRRP protocol.

1.         After the administrator finishes configuring the VRRP group and priorities on routers, the VRRP group will temporarily work in the Initialize state. As shown in Figure 1-4, after the VRRP group receives the messages indicating that the interfaces have been brought up, the group's routers switch into the Backup state, and wait for their timers to elapse to switch into the Master state.

Figure 1-4 VRRP group states' switching from Initialize to Backup

[Dr.WoW] [No.48] The Story of VRRP and VGMP-part 1-1038943-4 

As shown in Figure 1-5, of the VRRP group's routers, the first router to change its state to Master will become the master router. The router with the highest priority in a VRRP group will have the shortest timer, meaning it is easiest for this router to become the master router. This process is called the master router election.

After a successful election, the master router will immediately send periodic (the default is one second) VRRP packets to all backup routers in the VRRP group to notify them of its own Master state and priority.

Figure 1-5 Electing the master router

[Dr.WoW] [No.48] The Story of VRRP and VGMP-part 1-1038943-5 

2.         The master router will also send a gratuitous ARP packet to notify the switch connected to it of the VRRP group's virtual MAC address and virtual IP address; this is shown in Figure 1-6. An entry will be made in the downstream switch's MAC table recording the relationship between the virtual MAC address and port Eth0/0/1.

Figure 1-6 The master router sending a gratuitous ARP packet

[Dr.WoW] [No.48] The Story of VRRP and VGMP-part 1-1038943-6 

3.         As shown in Figure 1-7, since the gateway on the intranet's PC is set to the virtual IP address of VRRP group 1, when an intranet PC accesses the Internet, it will first broadcast ARP packets in the broadcast network to request the virtual MAC address that corresponds with the virtual IP address. At this point, only the master router will respond to this ARP packet by giving its virtual MAC address to the PC.

Figure 1-7 Master router responding to the PC's ARP request packet

[Dr.WoW] [No.48] The Story of VRRP and VGMP-part 1-1038943-7 

4.         As shown in Figure 1-8, the PC uses the virtual MAC address as the destination MAC address for encapsulating packets, and then sends a packet to the switch. The switch forwards the packet sent by the PC through port Eth0/0/1 to Router 1 according to the MAC address and port relationship recorded in the MAC table.

Figure 1-8 A downstream switch sending a packet to the master router

[Dr.WoW] [No.48] The Story of VRRP and VGMP-part 1-1038943-8 

The above description is of the establishment of the master router and backup router(s) states and their operating processes. Below, we'll introduce state switching and related operational processes for the master router and the backup router.

1.         As shown in Figure 1-9, when the master router fails (a failure of the entire Router 1 device or a failure on interface GE1/0/1), it will be unable to send a VRRP packet to notify the backup router of the failure. If the backup router(s) has not received a VRRP packet sent by the master router before the time expires, it will deem this to mean that the master router has failed, and will therefore switch its own state to Master.

Figure 1-9 VRRP state switching

[Dr.WoW] [No.48] The Story of VRRP and VGMP-part 1-1038943-9 

There is also another scenario: if the master router abandons its position as Master (for example the master router withdraws from the VRRP group), it will immediately send a VRRP packet with a priority of 0, causing the backup router to quickly switch to become the master router.

2.         As shown in Figure 1-10, after the completion of state switching, the new master router will immediately send a gratuitous ARP packet carrying the VRRP group's virtual MAC address and virtual IP address, to refresh the MAC table entries for the device connected to it (the downstream switch). The relationship between the virtual MAC address and the new port Eth0/0/2 will be recorded in the downstream switch's MAC table.

Figure 1-10 The new master router sending a gratuitous ARP packet

[Dr.WoW] [No.48] The Story of VRRP and VGMP-part 1-1038943-10 

3.         As shown in Figure 1-11, after the intranet PC sends a packet to the switch, the switch will forward the packet sent by the PC through port Eth0/0/2 to Router 2. Therefore, the intranet PC's traffic is all forwarded through the new master router, Router 2. This process is completely transparent to the user, and the intranet PC does not perceive that the master router has already switched from Router 1 to Router 2.

Figure 1-11 The downstream switch sending a packet to the new master router

[Dr.WoW] [No.48] The Story of VRRP and VGMP-part 1-1038943-11 

4.         In Figure 1-12, when the failure on the original master router (the current backup router) is fixed, this router's priority will be higher than the current master router. At this time, if the preemption function has been enabled, the original master router will change its state to Master after the preemption timer expires and becomes the master router again; if the preemption function has not been enabled, the original master router will continue to maintain its Backup state.

Figure 1-12 Original master router preemption after a failure is fixed

[Dr.WoW] [No.48] The Story of VRRP and VGMP-part 1-1038943-12 

3 Issues Created by Multiple, Independent VRRP States

The above section explained how running VRRP on a gateway's downstream interface can ensure gateway availability. But what would happen if we run VRRP simultaneously on both a gateway's upstream and downstream interfaces?

In Figure 1-13, two devices' downstream interfaces join VRRP group 1, and their upstream interfaces join VRRP group 2. Under normal circumstances, R1's state is Master in VRRP group 1, and its VRRP group 2's status is Master, so R1 is the master router in both VRRP group 1 and VRRP group 2. As we learned above when discussing VRRP principles, all service packets between the intranet and an external network will therefore be forwarded through R1.

Figure 1-13 Multiple VRRPs operating simultaneously

[Dr.WoW] [No.48] The Story of VRRP and VGMP-part 1-1038943-13 

When R1's GE1/0/1 interface fails, R1's state in VRRP group 1 switches to Initialize, and R2's state in VRRP group 1 switches to Master. R2 therefore becomes the master router in VRRP group 1, and sends a gratuitous ARP packet to LSW1, refreshing the MAC table in LSW1; at this point PC1's packets accessing PC2 will be forwarded through R2. However, as the link between R1 and LSW2 is operating normally, R1 is still the master router in VRRP group 2, while R2 is still the backup router in VRRP group 2. Therefore, the return packets sent from PC2 to PC1 will still be forwarded to R1. However, as R1's downstream interface GE1/0/1 has failed, R1 can only discard these return packets, resulting in an interruption of service traffic.

After finishing reading through this process, readers will certainly have discovered the problem with VRRP: VRRP groups are independent of one another, meaning that when there are multiple VRRP groups on one device, their states can't be backed up.

Huawei's firewalls, routers, switches and other network devices have a unique method of solving this VRRP problem. Below, we'll focus on introducing how Huawei's firewalls resolve this problem.



To view the list of all Dr. WoW technical posts, click here.

  • x
  • convention:

Created Jan 6, 2016 08:25:44 Helpful(0) Helpful(0)

Thank you for sharing.
  • x
  • convention:


You need to log in to reply to the post Login | Register

Notice Notice: To protect the legitimate rights and interests of you, the community, and third parties, do not release content that may bring legal risks to all parties, including but are not limited to the following:
  • Politically sensitive content
  • Content concerning pornography, gambling, and drug abuse
  • Content that may disclose or infringe upon others ' commercial secrets, intellectual properties, including trade marks, copyrights, and patents, and personal privacy
Do not share your account and password with others. All operations performed using your account will be regarded as your own actions and all consequences arising therefrom will be borne by you. For details, see " Privacy."
If the attachment button is not available, update the Adobe Flash Player to the latest version!
Login and enjoy all the member benefits

Login and enjoy all the member benefits