VRRP settings

VRRP (Virtual Router Redundancy Protocol) is an L3 redundancy protocol for devices in IPv4/IPv6 networks.

VRRP provides redundancy for the L3 interface that acts as the next hop for IPv4 routes. The protocol assumes that the segment contains several routers, one of which acts as the owner of a common virtual IP address. The remaining routers are backups and assume the master role only if the original master fails. To that end, all devices listen to incoming traffic for VRRP service messages and compare their own priority value with the values in their neighbors' messages.

The router with the highest priority value becomes the master.

Only the master router may process transit traffic sent to the common virtual MAC address. The master router also has the exclusive right to respond to ARP requests for the virtual IP address.

Basic setup

Perform the following steps for a basic VRRP setup.

Step 1. Use the router vrrp <VRRP-ID> <NAME> command to switch from configuration mode to the protocol context configuration mode, where VRRP-ID is the group number in the range from 1 to 255 and NAME is the name of the interface that participates in the group.

Step 2. Use the virtual-ip <IPv4> command to specify the IP address that will be used as the virtual address. If the master role is to be assigned to a particular router, for example the one with the highest performance in the segment, it is convenient to set the virtual IP equal to that router's real transport address. The priority value then automatically becomes 255, which means the router unconditionally takes the master role whenever it is operating correctly.

Step 3. If necessary, use the priority <VALUE> command to specify the router's priority value. The value must be in the range from 1 to 254; the default value is 100.

Step 4. Use the enable command to activate the protocol.

After the protocol is enabled it should be stopped after each using the disable command.

Additional functions

The VRRP implementation in EcoRouterOS also supports the features described below.

The preempt-mode function

If a failed master router must return to service without reclaiming the master role, even though its assigned priority value is higher than the current master's, disable preemption mode with the preempt-mode false command. A router with a higher priority will then not announce itself, which would otherwise displace the current master. To restore preemption mode, use the preempt-mode true command.

The switch-back-delay function

Use the switch-back-delay <1-500000> command to specify the time during which a returning router with a higher priority will not announce itself. The delay is set in the range 1-500000 ms. This function is not an addition to the preempt-mode function, but it can be used as an alternative to avoid frequent role changes in an unstable topology.

The circuit-failover function

To monitor the state of a specific router interface whose failure should change the role of the device, use the circuit-failover <observed interface name> <priority decrement> command, where <priority decrement> is the step by which the router's priority value decreases. An example of using this function is monitoring the state of connections to higher-priority routers. For a VRRP master, losing the connection to such a router means the device can no longer handle traffic and has to hand its role over to a neighbor.

The accept-mode function

According to RFC 5798, by default the master router discards traffic addressed directly to the virtual IP address. In some cases, however, such traffic must be processed. To change the default behavior, use the accept-mode {false | true} command. The true argument enables processing of traffic addressed to the virtual IP; the false argument disables it.

The advertisement-interval function

Use the advertisement-interval <5-4096> command to specify the interval at which VRRP messages are sent. The interval is expressed in centiseconds (1 cs = 0.01 s).

The vrrp vmac function

According to RFC 5798, by default the virtual MAC address is placed in the Source MAC Address field of the Ethernet header of VRRP service messages. To make diagnostics easier, the real MAC address of the device that generated the service packet can be placed in the Source MAC Address field instead. Use the vmac {enable | disable} command in configuration mode to configure this parameter.

Supported protocol versions

Three versions of the VRRP protocol currently exist, of which only v2 and v3 are actually used; for a number of reasons, v2 is the most relevant. EcoRouterOS supports both versions, and v3 is used by default.

To use EcoRouter in the same domain as routers that do not support VRRP v3, v2 support must be enabled in EcoRouterOS. To do this, follow these two steps:

  • use the ecorouter(config)#vrrp compatible-v2 command in the configuration mode;
  • use the ecorouter(config-router)#v2-compatible command in the protocol context configuration mode for the selected interface.

EcoRouter will then transmit v2 and v3 VRRP announcements at the same time, that is, two messages per interval. Likewise, the router will process and take into account all service messages from its neighbors, including messages in the v3 format. To avoid design errors, all routers from other vendors located in the same VRRP domain as EcoRouter must use only one version of the protocol. Here, a VRRP domain means a set of routers serving a common virtual IP address in a specific local segment and announcing a common VRRP-ID value.

Configuration example

VRRP is often used to provide redundancy for the default gateway in a user network segment. In this case, user hosts have a minimal IP configuration, which assumes a small number of directly connected networks and a router that forwards traffic toward all other destinations. If a segment is served by only one router, its failure means that end nodes cannot send traffic outside the segment. Using two routers with the same IP address leads to a conflict unless additional controls are in place. VRRP resolves this problem.

In this topology, two routers run VRRP in the subnet: the EcoRouter and a router from another vendor (OtherVendorRouter). The R2 router is a border router for the AS and serves as the default gateway for both routers running VRRP. Its configuration does not enable VRRP, so it is beyond the scope of this article. Both VRRP routers are connected to the L2 segment that carries the subnet 192.168.0.0/24. In this segment there is a destination host with two route entries: a route to the directly connected network 192.168.0.0/24 and a default route whose gateway is the device with address 192.168.0.1. The other vendor's router has a minimal configuration that supports VRRP v2 operation: the router's priority value is the default (100), the virtual IP it maintains is 192.168.0.1, and the segment ID is 1. Its own IP address is 192.168.0.3. The EcoRouter also acts as a VRRP router, but with a more complex configuration that involves VRRP v2 operation, a user-defined higher priority, a delay on return, and monitoring of the e1 interface.

EcoRouter configuration:

Specify the device name.

ecorouter(config)#hostname EcoRouter

Enable VRRP

ecorouter(config)#vrrp compatible-v2 enable

Enable the protocol, specifying the group and interface name.

ecorouter(config)#router vrrp 1 e0

Specify the virtual address.

ecorouter(config-router)#virtual-ip 192.168.0.1

Specify the router's priority.

ecorouter(config-router)#priority 150

Enable interface tracking.

ecorouter(config-router)#circuit-failover e1 100

Specify the delay period after which promotion will be restored.

ecorouter(config-router)#switch-back-delay 5000

Enable VRRP v2 compatibility.

ecorouter(config-router)#v2-compatible

Configure interfaces and ports.

ecorouter(config)#interface e0
ecorouter(config-if)#ip address 192.168.0.2/24
 
ecorouter(config)#interface e1
ecorouter(config-if)#ip address 192.168.100.2/24
 
ecorouter(config)#port ge0/0
ecorouter(config-port)#service-instance ge0/0-e0
ecorouter(config-service-instance)#encapsulation untagged
ecorouter(config-service-instance)#connect ip interface e0
 
ecorouter(config)#port ge0/1
ecorouter(config-port)#service-instance ge0/1-e0
ecorouter(config-service-instance)#encapsulation untagged
ecorouter(config-service-instance)#connect ip interface e1

As a result of the actions described above, EcoRouter will be elected master (due to its higher priority value). Later, if its interface "e1", which connects it to the R2 router, can no longer transmit traffic, the priority of EcoRouter will be lowered to 50.

In this case the second router's priority becomes the highest in the segment, and it will be able to continue processing traffic until EcoRouter returns.

When communication with the upstream router is restored, EcoRouter will start a 5-second switch-back-delay timer, after which it will start sending VRRP messages, forcing the neighbor to change its role and stop responding to ARP requests for the 192.168.0.1 IP address.

Known specifics of EcoRouter interaction with other manufacturers' equipment

The VRRP implementation in EcoRouterOS aims for maximum compliance with the RFC documentation, but a number of issues, related both to the EcoRouterOS implementation and to the implementations of other manufacturers, may lead to behavior the user does not expect:

  • according to RFC 5798, when a backup router receives service messages from neighbors, it takes into account only the priority value. The transport address is taken into account only by master routers. However, other manufacturers may violate this principle, with the result that two or more routers serving one segment take the master role, with all the ensuing conflicts;
  • according to RFC 5798, a backup router should not process traffic sent to the common virtual MAC address. EcoRouterOS observes this principle, which should be taken into account in the network design, as should the behavior of routers from other manufacturers;
  • the EcoRouterOS implementation does not support authorization in VRRP;
  • the EcoRouterOS implementation cannot announce several IP addresses as virtual ones.
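
The first and third points above (two masters in one segment, no authorization in VRRP) make the advertisements themselves worth monitoring. The following added example is not part of the EcoRouter documentation: it parses VRRP v2/v3 advertisement headers (RFC 3768 / RFC 5798 layout) and flags a VRID with more than one advertiser or an advertiser outside the expected set. The function names, the sample bytes and the expected-router inventory are assumptions built from the addresses in the configuration example.

```python
import struct
from collections import defaultdict

def parse_vrrp(payload: bytes) -> dict:
    """Parse the fixed 8-byte VRRP header (payload of IP protocol 112)."""
    if len(payload) < 8:
        raise ValueError("truncated VRRP header")
    ver_type, vrid, priority, count = payload[:4]
    version, msg_type = ver_type >> 4, ver_type & 0x0F
    if version not in (2, 3) or msg_type != 1:  # type 1 = ADVERTISEMENT
        raise ValueError("not a VRRP v2/v3 advertisement")
    if version == 3:
        # v3: 4 reserved bits, then a 12-bit interval in centiseconds
        interval_cs = struct.unpack("!H", payload[4:6])[0] & 0x0FFF
    else:
        # v2: byte 4 is Auth Type, byte 5 is the interval in whole seconds
        interval_cs = payload[5] * 100
    return {"version": version, "vrid": vrid, "priority": priority,
            "addr_count": count, "interval_cs": interval_cs}

def audit(observations, expected):
    """observations: (source IP, VRRP payload) pairs from one advertisement
    window; expected: {vrid: permitted router IPs}. Checksum is not verified."""
    senders, findings = defaultdict(set), []
    for src, payload in observations:
        try:
            adv = parse_vrrp(payload)
        except ValueError as exc:
            findings.append(f"{src}: {exc}")
            continue
        senders[adv["vrid"]].add(src)
        if src not in expected.get(adv["vrid"], set()):
            findings.append(f"VRID {adv['vrid']}: unexpected advertiser {src}")
    for vrid, srcs in sorted(senders.items()):
        if len(srcs) > 1:  # v2 + v3 from one source (v2-compatible) counts once
            findings.append(f"VRID {vrid}: multiple advertisers {sorted(srcs)}")
    return findings

# Constructed sample: EcoRouter (192.168.0.2) sends v3 and v2 for VRID 1 with
# priority 150; 192.168.0.3 advertises in the same window with priority 100.
VIP = bytes([192, 168, 0, 1])
V3 = bytes([0x31, 1, 150, 1, 0x00, 0x64, 0, 0]) + VIP
V2 = bytes([0x21, 1, 150, 1, 0, 1, 0, 0]) + VIP + bytes(8)
PEER = bytes([0x21, 1, 100, 1, 0, 1, 0, 0]) + VIP + bytes(8)
SAMPLE = [("192.168.0.2", V3), ("192.168.0.2", V2), ("192.168.0.3", PEER)]
EXPECTED = {1: {"192.168.0.2", "192.168.0.3"}}

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE, EXPECTED)))
```

In steady state only the master advertises, so a second source for the same VRID that persists beyond a role change is the condition to alert on.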