11.2.3.3. VRRP Setting

Operation Confirmed Version:
 vSRX Version 15.1X49-D105.1

On vSRX, network redundancy can be configured with the VRRP function.

VRRP (Virtual Router Redundancy Protocol) is a protocol that makes two routers (here, Firewalls) appear to a connected terminal (etc.) as a single virtual router. The roles of the two Firewalls are divided into MASTER and BACKUP. A connected terminal can communicate by using the virtual IP address created with VRRP as its default gateway, without being given the actual IP address of a Firewall interface. When the MASTER side becomes unable to forward packets due to a malfunction, the BACKUP side takes over the MASTER role, so that communications from the terminal continue.

Note

  • To use the VRRP function, VRRP packets must be permitted, through the zone-based Firewall configuration, for the zone or interface on which VRRP is configured.

  • When using VRRP, enable the DHCP function (address assignment function) of the logical network to be connected. With the DHCP function disabled, an ARP request with source address 0.0.0.0 is sent from the Service Provider's network. It has been confirmed that in this case some products provided by the Service Provider, such as certain versions of load balancers and Managed FW/UTM, do not return an ARP reply: VRRP redundancy can be affected and communications can be disconnected at the time of switching.

  • To use the VRRP function with vSRX, the procedure in “Editing an allowed address pair” must be executed for the vSRX created with the ECL2.0 customer portal.

  • When configuring VRRP together with another function, also see the Operation-confirmed use model (https://ecl.ntt.com/en/documents/tutorials/rsts/networkfunction/index.html), which will be helpful.

  • Due to the vSRX specifications, VRRP switching takes approximately 7 seconds to complete traffic switching: by default, approximately 4 seconds are needed in addition to “Advertise Interval x 3 + 1 second”.

Network redundancy setting with VRRP (VRRP group setting/priority setting)

Make VRRP settings with two Firewalls to create redundant network configuration.

Presumed case for sample setting

  • To make VRRP group settings with two Firewalls

  • To set the virtual IP address to 192.168.1.100.

  • To make VRRP priority settings so that in the normal status the 1st apparatus (vSRX-01) is used as MASTER and the 2nd apparatus (vSRX-02) is used as BACKUP.

  • To have the configured virtual IP address respond to ping (etc.)

Setting flow in a scenario

1. Determine VRRP group 1 and the virtual IP address (192.168.1.100), and register them with the procedure “Editing an allowed address pair” using the customer portal.
2. Permit VRRP packets for the zone to which the interface (ge-0/0/0) belongs.
3. Configure VRRP on the interface (ge-0/0/0) and set the VRRP group to 1.
4. To use the 1st apparatus (vSRX-01) as MASTER, set its priority value to 200.
5. To use the 2nd apparatus (vSRX-02) as BACKUP, set its priority value to 150.

Command to be entered with CLI

1st Firewall apparatus (vSRX-01)

user01@vSRX-01# set security zones security-zone trust host-inbound-traffic protocols all
user01@vSRX-01# set interfaces ge-0/0/0 unit 0 family inet address 192.168.1.101/24 vrrp-group 1 virtual-address 192.168.1.100
user01@vSRX-01# set interfaces ge-0/0/0 unit 0 family inet address 192.168.1.101/24 vrrp-group 1 priority 200
user01@vSRX-01# set interfaces ge-0/0/0 unit 0 family inet address 192.168.1.101/24 vrrp-group 1 accept-data

2nd Firewall apparatus (vSRX-02)

user01@vSRX-02# set security zones security-zone trust host-inbound-traffic protocols all
user01@vSRX-02# set interfaces ge-0/0/0 unit 0 family inet address 192.168.1.102/24 vrrp-group 1 virtual-address 192.168.1.100
user01@vSRX-02# set interfaces ge-0/0/0 unit 0 family inet address 192.168.1.102/24 vrrp-group 1 priority 150
user01@vSRX-02# set interfaces ge-0/0/0 unit 0 family inet address 192.168.1.102/24 vrrp-group 1 accept-data

Note

  • A virtual server can use network redundancy by means of the VRRP function when the virtual IP address (192.168.1.100) is set as its default gateway.

  • The accept-data command configures vSRX to respond to communications (ping, etc.) addressed to the virtual IP address.

The configuration after completion of appropriate settings is as follows.

1st Firewall apparatus (vSRX-01)

interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 192.168.1.101/24 {
                    vrrp-group 1 {
                        virtual-address 192.168.1.100;
                        priority 200;
                        accept-data;
                    }
                }
            }
        }
    }
}

2nd Firewall apparatus (vSRX-02)

interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 192.168.1.102/24 {
                    vrrp-group 1 {
                        virtual-address 192.168.1.100;
                        priority 150;
                        accept-data;
                    }
                }
            }
        }
    }
}

Operation check result

With the two Firewalls, it was confirmed that vSRX-01 enters the MASTER status and vSRX-02 enters the BACKUP status in accordance with the configured priority values. It was also confirmed that a connected virtual server can communicate with the virtual IP address (here, 192.168.1.100), and thus that the VRRP configuration above operates correctly.

1st Firewall apparatus (vSRX-01)

user01@vSRX-01# run show vrrp
Interface     State       Group   VR state VR Mode   Timer    Type   Address
ge-0/0/0.0    up              1   master   Active      A  0.074 lcl    192.168.1.101
                                                                vip    192.168.1.100

2nd Firewall apparatus (vSRX-02)

user01@vSRX-02# run show vrrp
Interface     State       Group   VR state VR Mode   Timer    Type   Address
ge-0/0/0.0    up              1   backup   Active      D  3.128 lcl    192.168.1.102
                                                                vip    192.168.1.100
                                                                mas    192.168.1.101

Result of communications from the virtual server in the figure to the virtual IP address set with VRRP

[user01@centsv1 ~]$ ping 192.168.1.100
PING 192.168.1.100 (192.168.1.100) 56(84) bytes of data.
64 bytes from 192.168.1.100: icmp_seq=1 ttl=64 time=2.45 ms
64 bytes from 192.168.1.100: icmp_seq=2 ttl=64 time=0.464 ms
64 bytes from 192.168.1.100: icmp_seq=3 ttl=64 time=0.720 ms
64 bytes from 192.168.1.100: icmp_seq=4 ttl=64 time=0.732 ms
64 bytes from 192.168.1.100: icmp_seq=5 ttl=64 time=0.556 ms
^C
--- 192.168.1.100 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4001ms
rtt min/avg/max/mdev = 0.464/0.984/2.451/0.740 ms
[user01@centsv1 ~]$
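The two `show vrrp` tables above are what an operator reads by eye to confirm that exactly one firewall is MASTER and that the BACKUP sees the right master. The following script, an added example that is not part of the tutorial and not Juniper's code, parses that output format and applies those checks automatically across both firewalls. The two healthy samples are copied from the tutorial's output; the split-brain sample, the hostnames and the check rules are this script's own.

```python
"""Parse Junos 'show vrrp' output from the two vSRX firewalls and check the group.

Added example; this is not code from the tutorial or from Juniper. The two
healthy samples are copied from the tutorial's operation check, the split-brain
sample is constructed, and the hostnames and check rules are this script's own.
"""
from dataclasses import dataclass, field

# 'show vrrp' output of the healthy pair, as shown in the tutorial.
VSRX01_SHOW_VRRP = """\
Interface     State       Group   VR state VR Mode   Timer    Type   Address
ge-0/0/0.0    up              1   master   Active      A  0.074 lcl    192.168.1.101
                                                                vip    192.168.1.100
"""
VSRX02_SHOW_VRRP = """\
Interface     State       Group   VR state VR Mode   Timer    Type   Address
ge-0/0/0.0    up              1   backup   Active      D  3.128 lcl    192.168.1.102
                                                                vip    192.168.1.100
                                                                mas    192.168.1.101
"""
# Constructed sample: vSRX-02 also believes it is master, which happens when the
# two firewalls cannot see each other's advertisements.
SPLIT_BRAIN_VSRX02 = """\
Interface     State       Group   VR state VR Mode   Timer    Type   Address
ge-0/0/0.0    up              1   master   Active      A  0.150 lcl    192.168.1.102
                                                                vip    192.168.1.100
"""


@dataclass
class VrrpGroup:
    interface: str
    link_state: str                 # up / down
    group: int
    vr_state: str                   # master / backup / init
    local: str = ""                 # lcl: the interface's own address
    vips: list = field(default_factory=list)   # vip: virtual address(es)
    master: str = ""                # mas: current master as seen by a backup


def parse_show_vrrp(text):
    """Return {(interface, group): VrrpGroup} parsed from 'show vrrp' output."""
    groups = {}
    current = None
    for line in text.splitlines():
        if not line.strip() or line.startswith("Interface"):
            continue
        tokens = line.split()
        if not line[0].isspace():
            # Main row: Interface State Group VRstate VRmode TimerFlag Timer Type Address
            iface, link, grp, vr_state, _mode, _flag, _timer, atype, addr = tokens
            current = VrrpGroup(iface, link, int(grp), vr_state)
            groups[(iface, int(grp))] = current
        else:
            # Continuation row: only the Type and Address columns are present
            atype, addr = tokens
        if atype == "lcl":
            current.local = addr
        elif atype == "vip":
            current.vips.append(addr)
        elif atype == "mas":
            current.master = addr
    return groups


def check_group(devices, group_id=1):
    """Return a list of findings for one VRRP group across all devices (empty = healthy).

    devices maps hostname -> result of parse_show_vrrp().
    """
    findings = []
    members = {}
    for host, groups in devices.items():
        for (_iface, grp), g in groups.items():
            if grp == group_id:
                members[host] = g
    for host, g in members.items():
        if g.link_state != "up":
            findings.append(f"{host}: {g.interface} is {g.link_state} (VR state {g.vr_state})")
    masters = sorted(h for h, g in members.items() if g.vr_state == "master")
    if not masters:
        findings.append("no master: the virtual address is not being served")
    elif len(masters) > 1:
        findings.append("split brain: multiple masters " + ", ".join(masters)
                        + " (check that VRRP is permitted in the zone)")
    if len({tuple(sorted(g.vips)) for g in members.values()}) > 1:
        findings.append("virtual addresses differ between members")
    if len(masters) == 1:
        master_local = members[masters[0]].local
        for host, g in members.items():
            if g.vr_state == "backup" and g.master != master_local:
                findings.append(f"{host} reports master {g.master}, expected {master_local}")
    return findings


if __name__ == "__main__":
    healthy = {"vSRX-01": parse_show_vrrp(VSRX01_SHOW_VRRP),
               "vSRX-02": parse_show_vrrp(VSRX02_SHOW_VRRP)}
    print("healthy pair:", check_group(healthy) or "OK")
    split = {"vSRX-01": parse_show_vrrp(VSRX01_SHOW_VRRP),
             "vSRX-02": parse_show_vrrp(SPLIT_BRAIN_VSRX02)}
    print("split brain:", check_group(split))
```

The split-brain finding points at the zone policy because the first Note above makes that the usual cause: if advertisements are dropped, each firewall elects itself MASTER and both answer for the virtual address. The tutorial opens the zone with `host-inbound-traffic protocols all`; Junos also accepts the narrower `host-inbound-traffic protocols vrrp`, which admits only the protocol this feature needs.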

Preempt setting of VRRP

When the Preempt function is enabled, the MASTER and BACKUP statuses are switched automatically based on the priority values in the VRRP group. After switching has occurred for a reason such as a failure, when the vSRX that previously served as MASTER recovers, the Preempt function automatically restores the initial MASTER/BACKUP assignment. For ECL2.0, enabling the Preempt function is recommended.

Setting status                        Operation description
Without the setting made (default)    The Preempt function is effective; operation is the same as with the preempt setting made.
With the preempt setting made         The Preempt function is effective. The MASTER and BACKUP statuses are switched automatically based on the priority values.
With the no-preempt setting made      The Preempt function is not effective. Switching is not performed automatically based on the priority values.

Presumed case for sample setting

  • To enable Preempt so that the vSRX with the higher priority value automatically becomes MASTER

Command to be entered with CLI

VRRP setting and Preempt setting on the vSRX-01 side

user01@vSRX-01# set interfaces ge-0/0/0 unit 0 family inet address 192.168.1.101/24 vrrp-group 1 virtual-address 192.168.1.100
user01@vSRX-01# set interfaces ge-0/0/0 unit 0 family inet address 192.168.1.101/24 vrrp-group 1 priority 200
user01@vSRX-01# set interfaces ge-0/0/0 unit 0 family inet address 192.168.1.101/24 vrrp-group 1 accept-data
user01@vSRX-01# set interfaces ge-0/0/0 unit 0 family inet address 192.168.1.101/24 vrrp-group 1 preempt

VRRP setting and Preempt setting on the vSRX-02 side

user01@vSRX-02# set interfaces ge-0/0/0 unit 0 family inet address 192.168.1.102/24 vrrp-group 1 virtual-address 192.168.1.100
user01@vSRX-02# set interfaces ge-0/0/0 unit 0 family inet address 192.168.1.102/24 vrrp-group 1 priority 150
user01@vSRX-02# set interfaces ge-0/0/0 unit 0 family inet address 192.168.1.102/24 vrrp-group 1 accept-data
user01@vSRX-02# set interfaces ge-0/0/0 unit 0 family inet address 192.168.1.102/24 vrrp-group 1 preempt

Note

Although this tutorial sets it explicitly, the Preempt function is enabled by default even when the setting is omitted.

With the Preempt function enabled and the VRRP settings properly made, the configuration is as follows:

vSRX-01 (MASTER) configuration

interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 192.168.1.101/24 {
                    vrrp-group 1 {
                        virtual-address 192.168.1.100;
                        priority 200;
                        preempt;
                        accept-data;
                    }
                }
            }
        }
    }
}

vSRX-02 (BACKUP) configuration

interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 192.168.1.102/24 {
                    vrrp-group 1 {
                        virtual-address 192.168.1.100;
                        priority 150;
                        preempt;
                        accept-data;
                    }
                }
            }
        }
    }
}

Preempt function verification

Disconnect vSRX-01 to create a pseudo environment in which the MASTER side cannot communicate due to a failure and only vSRX-02 can communicate. When vSRX-01 is reconnected in this status (shown at the center of the figure), the status of vSRX-01 changes to MASTER and that of vSRX-02 changes to BACKUP, based on the priority values (status shown on the right of the figure).

vSRX-01 in the initial status (It is assumed that a failure has occurred.)

user01@vSRX-01# run show vrrp
Interface     State       Group   VR state VR Mode   Timer    Type   Address
ge-0/0/0.0    down            1   init     Active      N  0.000 lcl    192.168.1.101
                                                                vip    192.168.1.100

vSRX-02 in the initial status (MASTER)

user01@vSRX-02# run show vrrp
Interface     State       Group   VR state VR Mode   Timer    Type   Address
ge-0/0/0.0    up              1   master   Active      A  0.267 lcl    192.168.1.102
                                                                vip    192.168.1.100

After the simulated failure, reconnect the disconnected vSRX-01 to the network so that it rejoins the VRRP group.

vSRX-01 (Failure status -> MASTER)

user01@vSRX-01> show vrrp
Interface     State       Group   VR state VR Mode   Timer    Type   Address
ge-0/0/0.0    up              1   master   Active      A  0.258 lcl    192.168.1.101
                                                                vip    192.168.1.100

vSRX-02 (MASTER -> BACKUP)

user01@vSRX-02> show vrrp
Interface     State       Group   VR state VR Mode   Timer    Type   Address
ge-0/0/0.0    up              1   backup   Active      D  2.703 lcl    192.168.1.102
                                                                vip    192.168.1.100
                                                                mas    192.168.1.101

The VRRP status shown above confirms that the status of vSRX-01 automatically changed to MASTER and that of vSRX-02 to BACKUP, and thus that the Preempt function works properly.
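The setting table and the verification above show the same sequence (vSRX-01 fails, vSRX-02 takes over, vSRX-01 returns) with preempt enabled. The following script is an added example, not code from the tutorial or from Juniper: it models that election with a simplified rule set so that the preempt and no-preempt rows of the table can be compared on the same scenario. The router names and priorities follow the tutorial; the `Router` class, `elect()` and `run_scenario()` are this script's own, and the equal-priority tie-break and the priority-255 address-owner rule of RFC 3768 are deliberately not modelled.

```python
"""Model the effect of the preempt / no-preempt setting on the two-firewall group.

Added example, not code from the tutorial or from Juniper. It is a simplified
election model: an advertisement timeout is collapsed into one elect() call, and
the tie-break for equal priorities and the priority-255 address owner rule of
RFC 3768 are not modelled. Names and priorities follow the tutorial.
"""
from dataclasses import dataclass


@dataclass
class Router:
    name: str
    priority: int
    preempt: bool = True     # Junos enables preempt by default (the table's first row)
    up: bool = True          # interface up and able to exchange advertisements
    state: str = "init"      # init / master / backup


def elect(routers):
    """Recompute roles after an event (link down, link up, timeout); return the master's name.

    Rules modelled:
      - a router whose interface is down is 'init' and takes no part;
      - with no master present, the highest-priority up router becomes master;
      - with a master present, a higher-priority router takes over only if its
        preempt flag is set; otherwise it stays backup.
    """
    for r in routers:
        if not r.up:
            r.state = "init"
    up = [r for r in routers if r.up]
    if not up:
        return None
    master = next((r for r in up if r.state == "master"), None)
    best = max(up, key=lambda r: r.priority)
    if master is None:
        master = best
    elif best is not master and best.preempt and best.priority > master.priority:
        master = best
    for r in up:
        r.state = "master" if r is master else "backup"
    return master.name


def run_scenario(preempt):
    """Fail vSRX-01 and bring it back; return the master (initial, after failure, after return)."""
    vsrx01 = Router("vSRX-01", priority=200, preempt=preempt)
    vsrx02 = Router("vSRX-02", priority=150, preempt=preempt)
    group = [vsrx01, vsrx02]
    initial = elect(group)            # normal state: the higher priority wins
    vsrx01.up = False
    after_failure = elect(group)      # vSRX-02 takes over the virtual address
    vsrx01.up = True
    after_return = elect(group)       # preempt decides whether vSRX-01 reclaims the role
    return initial, after_failure, after_return


if __name__ == "__main__":
    for flag in (True, False):
        print("preempt" if flag else "no-preempt", run_scenario(flag))
```

With preempt the run ends with vSRX-01 as MASTER again, matching the `show vrrp` output above; with no-preempt vSRX-02 keeps the role after vSRX-01 returns, which is the behaviour an operator has to plan for when the default is overridden.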