10.2.2.3. Redundancy Setting with VRRP

Operation Confirmed Version:
 Brocade 5600vRouter Version4.2R1S1

This section describes network redundancy settings with VRRP.

What is VRRP (Virtual Router Redundancy Protocol)?

With this protocol, two routers (here, two firewalls) operate virtually as a single router, so the terminals and other devices connected to them recognize only one router.
To achieve this, the two firewall interfaces play different roles, referred to as the Master and Backup states.
A connected terminal communicates by using the virtual IP address created with VRRP as its default gateway, without referring to the actual IP address of either firewall interface.
When the firewall in Master state can no longer forward packets because of a failure, the firewall in Backup state automatically shifts to Master state, so that communications from the terminal can be continued.

Note

  • Before VRRP settings are made on Brocade 5600vRouter, the procedure in "Registration for communication allowance settings for VRRP" needs to be performed through the ECL2.0 Customer Portal.

  • After making the VRRP settings, enable DHCP (the address setting function) of the logical network. If DHCP has been disabled, ARP requests are sent with source address 0.0.0.0 toward the network of NTT Communications, and it has been confirmed that in this case some appliances do not send ARP replies.

  • By default, VRRP preempt is enabled (True).

  • When the Packet Filtering function is combined with this setting, make sure that the communications needed by VRRP (protocol: vrrp) are not dropped.

    • In particular, when the default-action of packet filtering has been set to "drop", set a rule that explicitly allows protocol vrrp with the following commands.

    • set security firewall name [rule name] rule [rule number] protocol vrrp

    • set security firewall name [rule name] rule [rule number] action accept

  • This service does not support asymmetric communications. When using VRRP on multiple interfaces, specify the same value for [SYNC-GROUP NAME] on each of them, so that VRRP switching is synchronized across the interfaces.

  • For [ADVERTISE INTERVAL], it has been confirmed that with the initial settings VRRP communications occasionally become unstable at the board side. Set 20 seconds or longer (detection: 20 seconds x 3 times in total). When changing this setting, do it on the firewall in Backup state. If the setting is changed on the firewall in Master state, the interval at which Hello packets are sent to the Backup firewall changes; as a result, the Backup firewall also shifts to Master state, so that both interfaces stay in Master state.

  • When making VRRP settings for use together with another function, also see "Operation-confirmed use model" (https://ecl.ntt.com/en/documents/tutorials/rsts/networkfunction/index.html), which will be helpful.

Redundancy check with VRRP

Make VRRP settings on two firewall interfaces to form a redundant configuration.

Presumed case for sample setting

  • To make VRRP settings on two firewall interfaces

  • To set the virtual IP address to "172.16.1.33"

  • To use the primary machine, which has IP address "172.16.1.31", as the Master under normal conditions

  • To make the secondary machine, which has IP address "172.16.1.32", shift to Master when a failure occurs

  • To set the detection time for switching to 60 seconds

  • To make a setting so that the primary machine automatically switches back after recovering from the failure that caused the switching

Configuration diagram

Setting flow in a presumed case

  1. Determining VRRP group 10 and virtual IP address "172.16.1.33", and making the VRRP settings through the Customer Portal

  2. Making VRRP settings on interface "dp0s4" and setting the VRRP group to 10

  3. Setting the priority value of the primary machine, which is to act as the Master, to 200

  4. Setting the priority value of the secondary machine, which is to act as the Backup, to 150

  5. Setting the Master-side failure detection time to 60 seconds (response waiting for 20 seconds, three times)

  6. Setting the primary machine to switch back after its communications recover while the secondary machine is in Master state

  7. Using the MAC address defined in the RFC for the virtual IP address

Command to be entered with CLI

Primary firewall machine

set interface dataplane dp0s4 vrrp vrrp-group 10 virtual-address '172.16.1.33'
set interface dataplane dp0s4 vrrp vrrp-group 10 priority '200'
set interface dataplane dp0s4 vrrp vrrp-group 10 advertise-interval '20'
set interface dataplane dp0s4 vrrp vrrp-group 10 preempt 'true'
set interface dataplane dp0s4 vrrp vrrp-group 10 'rfc-compatibility'

Secondary firewall machine

set interface dataplane dp0s4 vrrp vrrp-group 10 virtual-address '172.16.1.33'
set interface dataplane dp0s4 vrrp vrrp-group 10 priority '150'
set interface dataplane dp0s4 vrrp vrrp-group 10 advertise-interval '20'
set interface dataplane dp0s4 vrrp vrrp-group 10 preempt 'true'
set interface dataplane dp0s4 vrrp vrrp-group 10 'rfc-compatibility'

Note

The IP address of each interface (dp0s4) is set through the Customer Portal, so it does not need to be entered with the CLI.

The configuration after completion of appropriate settings is as follows.
Primary firewall machine (Master)
interfaces {
 dataplane dp0s4 {
   address 172.16.1.31/24
   vrrp {
     vrrp-group 10 {
       advertise-interval 20
       preempt true
       priority 200
       rfc-compatibility
       virtual-address 172.16.1.33
     }
   }
 }
}
Secondary firewall machine (Backup)
interfaces {
 dataplane dp0s4 {
   address 172.16.1.32/24
   vrrp {
     vrrp-group 10 {
       advertise-interval 20
       preempt true
       priority 150
       rfc-compatibility
       virtual-address 172.16.1.33
     }
   }
 }
}

Operation check result

It was confirmed that the two firewall interfaces were placed into Master and Backup state as expected,
and it was also confirmed from the connected terminal that communications from the terminal to the virtual IP address (here, 172.16.1.33) were possible.
Therefore, the adequacy of the VRRP settings was confirmed.

Primary firewall machine (Master)
user-admin@FW-01:~$ show vrrp

                                 RFC        Addr   Last        Sync
Interface         Group  State   Compliant  Owner  Transition  Group
---------         -----  -----   ---------  -----  ----------  -----
dp0s4             10     MASTER  dp0vrrp1   no     10h19m18s   <none>
Secondary firewall machine (Backup)
user-admin@FW-02:~$ show vrrp

                                 RFC        Addr   Last        Sync
Interface         Group  State   Compliant  Owner  Transition  Group
---------         -----  -----   ---------  -----  ----------  -----
dp0s4             10     BACKUP  dp0vrrp1   no     10h14m10s   <none>
Communications forwarded from the terminal to the virtual IP address
# Communication from 172.16.1.2 to 172.16.1.33 (VIP) -> OK

test@localhost:~$ ping -c 5 172.16.1.33
PING 172.16.1.33 (172.16.1.33) 56(84) bytes of data.
64 bytes from 172.16.1.33: icmp_seq=1 ttl=64 time=1.66 ms
64 bytes from 172.16.1.33: icmp_seq=2 ttl=64 time=0.908 ms
64 bytes from 172.16.1.33: icmp_seq=3 ttl=64 time=0.855 ms
64 bytes from 172.16.1.33: icmp_seq=4 ttl=64 time=0.824 ms
64 bytes from 172.16.1.33: icmp_seq=5 ttl=64 time=0.685 ms

--- 172.16.1.33 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4005ms
rtt min/avg/max/mdev = 0.685/0.987/1.667/0.349 ms

Checking VRRP switching

With the settings made above, stop VRRP on the machine in Master state and check that the machine in Backup state switches to Master state
and that communications from the terminal are continued.

Configuration diagram

Command to be entered with CLI

To forcibly cause switching, disable VRRP in the configuration.
set interface dataplane dp0s4 vrrp vrrp-group 10 disable

VRRP status of each machine

After the VRRP settings have synchronized, the VRRP information of each machine is as follows.

Primary firewall machine (Master)
user01@FW01:~$ sho vrrp detail
--------------------------------------------------
Interface: dp0s4
--------------
  Group: 10
  ----------
  State:                        MASTER
  Last transition:              7h37m47s

  Version:                      2
  RFC Compliant
  Virtual MAC interface:        dp0vrrp1
  Address Owner:                no

  Source Address:               172.16.1.31
  Configured Priority:          200
  Effective Priority:           200
  Advertisement interval:       20 sec
  Authentication type:          none
  Preempt:                      enabled

  VIP count:                    1
    172.16.1.33/32

user01@FW01:~$
Secondary firewall machine (Backup)
user01@FW02:~$ show vrrp detail
--------------------------------------------------
Interface: dp0s4
--------------
  Group: 10
  ----------
  State:                        BACKUP
  Last transition:              7h37m43s

  Master router:                172.16.1.31
  Master priority:              200

  Version:                      2
  RFC Compliant
  Virtual MAC interface:        dp0vrrp1
  Address Owner:                no

  Source Address:               172.16.1.32
  Configured Priority:          150
  Effective Priority:           150
  Advertisement interval:       20 sec
  Authentication type:          none
  Preempt:                      enabled

  VIP count:                    1
    172.16.1.33/32

user01@FW02:~$
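As an added check that is not part of the original page or of the Brocade product, the following Python script parses "show vrrp detail" captures from both firewalls in the format shown above and flags the conditions a practitioner wants to catch: two Master peers (the dual-Master state the Note on [ADVERTISE INTERVAL] warns about), equal priorities, and mismatched advertise intervals, while also computing the failover detection time (advertise interval x 3) used in this setup. The function names and the trimmed sample captures are constructed for this example.

```python
import re

# Constructed "show vrrp detail" captures, trimmed to the fields this check reads;
# values mirror the page's example (FW01 MASTER at priority 200, FW02 BACKUP at 150).
CAPTURES = {
    "FW01": "Interface: dp0s4\n  Group: 10\n  State:   MASTER\n"
            "  Effective Priority:   200\n  Advertisement interval:   20 sec\n",
    "FW02": "Interface: dp0s4\n  Group: 10\n  State:   BACKUP\n"
            "  Effective Priority:   150\n  Advertisement interval:   20 sec\n",
}

FIELD = re.compile(r"^\s*([A-Za-z ]+?):\s+(\S.*?)\s*$")  # "  Key:   value" lines

def parse_detail(text):
    """Map (interface, group) -> {field: value} for one 'show vrrp detail' capture."""
    groups, iface, cur = {}, None, None
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:          # separators, "RFC Compliant" and bare VIP lines carry no colon
            continue
        key, val = m.groups()
        if key == "Interface":
            iface = val
        elif key == "Group":
            cur = groups.setdefault((iface, int(val)), {})
        elif cur is not None:
            cur[key] = val
    return groups

def check_groups(captures, retries=3):
    """Cross-check peers per VRRP group -> {(iface, gid): (problems, detect_seconds)}."""
    by_group = {}
    for host, text in captures.items():
        for key, fields in parse_detail(text).items():
            by_group.setdefault(key, {})[host] = fields
    result = {}
    for key, peers in by_group.items():
        problems = []
        masters = sorted(h for h, f in peers.items() if f["State"] == "MASTER")
        if len(masters) != 1:  # dual master (split brain) or no master at all
            problems.append(f"{len(masters)} MASTER peers: {masters}")
        if len({f["Effective Priority"] for f in peers.values()}) < len(peers):
            problems.append("effective priorities are not distinct")
        ivals = {int(f["Advertisement interval"].split()[0]) for f in peers.values()}
        if len(ivals) > 1:  # unequal hello timers: the backup times out and also goes MASTER
            problems.append(f"advertise-interval differs across peers: {sorted(ivals)}")
        # the backup declares the master down after `retries` missed advertisements
        result[key] = (problems, retries * max(ivals))
    return result
```

Running check_groups over the two captures on this page returns no problems and a detection time of 60 seconds for dp0s4 group 10.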

VRRP status of each machine after stop of the Master-side machine

When VRRP is stopped on the primary machine, VRRP advertisements from the Master side stop.
The Backup side therefore recognizes the failure on the Master side and changes its state.
A status check confirmed that the secondary machine was in Master state and that communications from the terminal to the virtual IP address were possible.
VRRP switching was thus also confirmed.

Primary firewall machine (VRRP halted)
user01@FW01:~$ show vrrp detail
--------------------------------------------------
user01@FW01:~$
user01@FW01:~$

Note

Because VRRP has been halted, its status cannot be checked.

Secondary firewall machine (switched from Backup to Master)
user01@FW02:~$ show vrrp detail
--------------------------------------------------
Interface: dp0s4
--------------
  Group: 10
  ----------
  State:                        MASTER
  Last transition:              27s

  Version:                      2
  RFC Compliant
  Virtual MAC interface:        dp0vrrp1
  Address Owner:                no

  Source Address:               172.16.1.32
  Configured Priority:          150
  Effective Priority:           150
  Advertisement interval:       20 sec
  Authentication type:          none
  Preempt:                      enabled

  VIP count:                    1
    172.16.1.33/32

user01@FW02:~$
Communications forwarded from the terminal to the virtual IP address (after switching)
# Communication from 172.16.1.2 to 172.16.1.33 (VIP) -> OK

test@localhost:~$ ping -c 5 172.16.1.33
PING 172.16.1.33 (172.16.1.33) 56(84) bytes of data.
64 bytes from 172.16.1.33: icmp_seq=1 ttl=64 time=1.47 ms
64 bytes from 172.16.1.33: icmp_seq=2 ttl=64 time=0.738 ms
64 bytes from 172.16.1.33: icmp_seq=3 ttl=64 time=0.722 ms
64 bytes from 172.16.1.33: icmp_seq=4 ttl=64 time=0.739 ms
64 bytes from 172.16.1.33: icmp_seq=5 ttl=64 time=0.579 ms

--- 172.16.1.33 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4006ms
rtt min/avg/max/mdev = 0.579/0.851/1.479/0.320 ms