10.2.2.3. Redundancy Setting with VRRP
Operation Confirmed Version: Brocade 5600vRouter Version4.2R1S1
This section describes network redundancy settings with VRRP.
What is VRRP (Virtual Router Redundancy Protocol)?
Note
Before making VRRP settings on the Brocade 5600vRouter, perform the procedure in "Registration for communication allowance settings for VRRP" through the ECL2.0 Customer Portal.
After making VRRP settings, enable DHCP (address setting function) of the logical network. If the DHCP setting is disabled, an ARP request with source address 0.0.0.0 is made toward the network of the Service Provider. It has been confirmed that some appliances do not reply to ARP requests in this case.
By default, VRRP preempt is enabled (true).
When the Packet Filtering function is combined with this setting, make sure that the traffic needed for VRRP (protocol: vrrp) is not dropped.
In particular, when the default-action of packet filtering is set to "drop", set a rule that explicitly allows this traffic by specifying protocol vrrp:
set security firewall name [rule name] rule [rule number] protocol vrrp
set security firewall name [rule name] rule [rule number] action accept
This service does not support asymmetric communications. When using VRRP on multiple interfaces, specify the same value for [SYNC-GROUP NAME] so that VRRP switching is synchronized.
For [ADVERTISE INTERVAL], it has been confirmed that, with the initial settings, VRRP communications occasionally become unstable at the board side. Set 20 seconds or longer. (Detection: 20 seconds x 3 times, in total.) When changing this setting, do it on the firewall in Backup state. If the setting is changed on the firewall in Master state, the interval at which Hello packets are sent to the firewall in Backup state changes. As a result, the Backup firewall also shifts to Master state, so that both interfaces stay in Master state.
When making VRRP settings for use with another function, also see "Operation-confirmed use model" (https://ecl.ntt.com/en/documents/tutorials/rsts/networkfunction/index.html) for reference.
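The packet filtering note above can be checked mechanically before a configuration is committed. The following is an added example, not part of the original documentation or the vendor's tooling: it reads `set security firewall` commands and reports every rule set that has default-action drop but would not accept protocol vrrp. The rule-set names and sample lines are constructed, and both the form of the `default-action` line and the first-matching-rule evaluation order are assumptions.

```python
from collections import defaultdict

# Constructed sample configuration (rule-set names are hypothetical).
SAMPLE_CONFIG = """\
set security firewall name EDGE-IN default-action drop
set security firewall name EDGE-IN rule 10 action accept
set security firewall name EDGE-IN rule 10 protocol tcp
set security firewall name LAN-IN default-action drop
set security firewall name LAN-IN rule 10 action drop
set security firewall name LAN-IN rule 10 protocol vrrp
set security firewall name LAN-IN rule 20 action accept
set security firewall name LAN-IN rule 20 protocol vrrp
set security firewall name DMZ-IN default-action drop
set security firewall name DMZ-IN rule 30 protocol 'vrrp'
set security firewall name DMZ-IN rule 30 action 'accept'
"""

def rulesets_dropping_vrrp(config):
    """Names of rule sets whose default-action is drop and that do not accept VRRP."""
    default_action = {}
    rules = defaultdict(lambda: defaultdict(dict))  # name -> rule number -> {key: value}
    for line in config.splitlines():
        tok = [t.strip("'") for t in line.split()]
        if len(tok) < 7 or tok[:4] != ["set", "security", "firewall", "name"]:
            continue
        name, rest = tok[4], tok[5:]
        if rest[0] == "default-action":
            default_action[name] = rest[1]
        elif rest[0] == "rule" and len(rest) >= 4:
            rules[name][int(rest[1])][rest[2]] = rest[3]
    flagged = []
    for name, action in default_action.items():
        if action != "drop":
            continue
        verdict = "drop"  # no VRRP rule: traffic falls through to default-action
        for number in sorted(rules[name]):
            rule = rules[name][number]
            if rule.get("protocol") == "vrrp":  # assumption: first matching rule decides
                verdict = rule.get("action", "drop")
                break
        if verdict != "accept":
            flagged.append(name)
    return flagged

print(rulesets_dropping_vrrp(SAMPLE_CONFIG))
```

Rules that match VRRP without naming the protocol (for example a catch-all rule) are outside what this check models.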
Redundancy check with VRRP
Presumed case for sample setting
To make VRRP settings with two firewall interfaces
To set the virtual IP address to “172.16.1.33”
To use the primary machine having IP address “172.16.1.31” as the master one when normal
To make the secondary machine having IP address “172.16.1.32” shift to Master when an error occurs
To set the detection time for switching, to 60 seconds
To have the primary machine automatically switch back after it recovers from the failure that caused the switching
Setting flow in a presumed case
1. Determining VRRP group 10 and virtual IP address "172.16.1.33", and making VRRP settings through the Customer Portal
2. Making VRRP settings on interface "dp0s4" and setting the VRRP group to 10
3. Setting the priority value of the primary machine to 200, so that it is used as the Master
4. Setting the priority value of the secondary machine to 150, so that it is used as the Backup
5. Setting the Master-side failure detection time to 60 seconds (waiting 20 seconds for a response, three times)
6. Setting the primary machine to switch back after its communications recover while the secondary machine is in Master state
7. Using the MAC address defined by the RFC for the virtual IP address
Command to be entered with CLI
Primary machine (priority 200):
set interface dataplane dp0s4 vrrp vrrp-group 10 virtual-address '172.16.1.33'
set interface dataplane dp0s4 vrrp vrrp-group 10 priority '200'
set interface dataplane dp0s4 vrrp vrrp-group 10 advertise-interval '20'
set interface dataplane dp0s4 vrrp vrrp-group 10 preempt 'true'
set interface dataplane dp0s4 vrrp vrrp-group 10 'rfc-compatibility'
Secondary machine (priority 150):
set interface dataplane dp0s4 vrrp vrrp-group 10 virtual-address '172.16.1.33'
set interface dataplane dp0s4 vrrp vrrp-group 10 priority '150'
set interface dataplane dp0s4 vrrp vrrp-group 10 advertise-interval '20'
set interface dataplane dp0s4 vrrp vrrp-group 10 preempt 'true'
set interface dataplane dp0s4 vrrp vrrp-group 10 'rfc-compatibility'
Note
The IP address of each interface (dp0s4) is to be set through the Customer Portal, and thus entry with CLI is not needed.
Primary machine (172.16.1.31):
interfaces {
    dataplane dp0s4 {
        address 172.16.1.31/24
        vrrp {
            vrrp-group 10 {
                advertise-interval 20
                preempt true
                priority 200
                rfc-compatibility
                virtual-address 172.16.1.33
            }
        }
    }
}
Secondary machine (172.16.1.32):
interfaces {
    dataplane dp0s4 {
        address 172.16.1.32/24
        vrrp {
            vrrp-group 10 {
                advertise-interval 20
                preempt true
                priority 150
                rfc-compatibility
                virtual-address 172.16.1.33
            }
        }
    }
}
Operation check result
user-admin@FW-01:~$ show vrrp
                                 RFC        Addr   Last        Sync
Interface         Group  State   Compliant  Owner  Transition  Group
---------         -----  -----   ---------  -----  ----------  -----
dp0s4             10     MASTER  dp0vrrp1   no     10h19m18s   <none>
user-admin@FW-02:~$ show vrrp
                                 RFC        Addr   Last        Sync
Interface         Group  State   Compliant  Owner  Transition  Group
---------         -----  -----   ---------  -----  ----------  -----
dp0s4             10     BACKUP  dp0vrrp1   no     10h14m10s   <none>
# Communication from 172.16.1.2 to 172.16.1.33 (VIP) -> OK
test@localhost:~$ ping -c 5 172.16.1.33
PING 172.16.1.33 (172.16.1.33) 56(84) bytes of data.
64 bytes from 172.16.1.33: icmp_seq=1 ttl=64 time=1.66 ms
64 bytes from 172.16.1.33: icmp_seq=2 ttl=64 time=0.908 ms
64 bytes from 172.16.1.33: icmp_seq=3 ttl=64 time=0.855 ms
64 bytes from 172.16.1.33: icmp_seq=4 ttl=64 time=0.824 ms
64 bytes from 172.16.1.33: icmp_seq=5 ttl=64 time=0.685 ms
--- 172.16.1.33 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4005ms
rtt min/avg/max/mdev = 0.685/0.987/1.667/0.349 ms
Checking VRRP switching
Command to be entered with CLI
set interface dataplane dp0s4 vrrp vrrp-group 10 disable
VRRP status of each machine
user01@FW01:~$ sho vrrp detail
--------------------------------------------------
Interface: dp0s4
--------------
Group: 10
----------
State: MASTER
Last transition: 7h37m47s
Version: 2
RFC Compliant
Virtual MAC interface: dp0vrrp1
Address Owner: no
Source Address: 172.16.1.31
Configured Priority: 200
Effective Priority: 200
Advertisement interval: 20 sec
Authentication type: none
Preempt: enabled
VIP count: 1
172.16.1.33/32
user01@FW01:~$
user01@FW02:~$ show vrrp detail
--------------------------------------------------
Interface: dp0s4
--------------
Group: 10
----------
State: BACKUP
Last transition: 7h37m43s
Master router: 172.16.1.31
Master priority: 200
Version: 2
RFC Compliant
Virtual MAC interface: dp0vrrp1
Address Owner: no
Source Address: 172.16.1.32
Configured Priority: 150
Effective Priority: 150
Advertisement interval: 20 sec
Authentication type: none
Preempt: enabled
VIP count: 1
172.16.1.33/32
user01@FW02:~$
VRRP status of each machine after the Master-side machine is stopped
user01@FW01:~$ show vrrp detail
--------------------------------------------------
user01@FW01:~$
user01@FW01:~$
Note
Because VRRP has been halted, its status cannot be checked.
user01@FW02:~$ show vrrp detail
--------------------------------------------------
Interface: dp0s4
--------------
Group: 10
----------
State: MASTER
Last transition: 27s
Version: 2
RFC Compliant
Virtual MAC interface: dp0vrrp1
Address Owner: no
Source Address: 172.16.1.32
Configured Priority: 150
Effective Priority: 150
Advertisement interval: 20 sec
Authentication type: none
Preempt: enabled
VIP count: 1
172.16.1.33/32
user01@FW02:~$
# Communication from 172.16.1.2 to 172.16.1.33 (VIP) -> OK
test@localhost:~$ ping -c 5 172.16.1.33
PING 172.16.1.33 (172.16.1.33) 56(84) bytes of data.
64 bytes from 172.16.1.33: icmp_seq=1 ttl=64 time=1.47 ms
64 bytes from 172.16.1.33: icmp_seq=2 ttl=64 time=0.738 ms
64 bytes from 172.16.1.33: icmp_seq=3 ttl=64 time=0.722 ms
64 bytes from 172.16.1.33: icmp_seq=4 ttl=64 time=0.739 ms
64 bytes from 172.16.1.33: icmp_seq=5 ttl=64 time=0.579 ms
--- 172.16.1.33 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4006ms
rtt min/avg/max/mdev = 0.579/0.851/1.479/0.320 ms
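The `show vrrp detail` outputs above can also be compared automatically to catch the conditions this page warns about: an advertise-interval that differs between peers or is below 20 seconds, both peers in MASTER state, and a group reported by one peer only. This is an added example, not part of the original documentation; the sample text is constructed from the field names shown above, and the helper names are hypothetical.

```python
import re

def sample(state, prio, interval):
    """Constructed `show vrrp detail` text, trimmed to the fields checked below."""
    return (f"Interface: dp0s4\n  Group: 10\n  State: {state}\n"
            f"  Configured Priority: {prio}\n"
            f"  Advertisement interval: {interval} sec\n"
            "  VIP count: 1\n    172.16.1.33/32\n")

def parse_detail(text):
    """Return {(interface, group): {field: value}} from `show vrrp detail` output."""
    groups, iface, cur = {}, None, None
    for line in map(str.strip, text.splitlines()):
        key, sep, value = (part.strip() for part in line.partition(":"))
        if cur is not None and re.fullmatch(r"[\d.]+/\d+", line):
            cur.setdefault("vips", []).append(line)  # VIP lines carry no label
        elif sep and key == "Interface":
            iface = value
        elif sep and key == "Group":
            cur = groups.setdefault((iface, value), {})
        elif sep and cur is not None:
            cur[key] = value
    return groups

def check_pair(a, b, min_interval=20):
    """Compare two peers' parsed output; return a list of findings (empty = healthy)."""
    findings = []
    for key in sorted(set(a) | set(b)):
        label = f"{key[0]} group {key[1]}"
        if key not in a or key not in b:
            findings.append(f"{label}: reported by one peer only")
            continue
        ia, ib = (int(g[key]["Advertisement interval"].split()[0]) for g in (a, b))
        if ia != ib:
            findings.append(f"{label}: advertise-interval mismatch ({ia}s vs {ib}s)")
        if min(ia, ib) < min_interval:
            findings.append(f"{label}: advertise-interval below {min_interval}s")
        masters = [g[key]["State"] for g in (a, b)].count("MASTER")
        if masters != 1:
            findings.append(f"{label}: {masters} peers in MASTER state")
        if a[key]["Configured Priority"] == b[key]["Configured Priority"]:
            findings.append(f"{label}: identical priority on both peers")
        if a[key].get("vips") != b[key].get("vips"):
            findings.append(f"{label}: virtual address mismatch")
    return findings

# Interval changed on the Master only, leaving both peers in MASTER state.
print(check_pair(parse_detail(sample("MASTER", 200, 60)), parse_detail(sample("MASTER", 150, 20))))
```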