VRRP
Virtual Router Redundancy Protocol (VRRP) is commonly deployed on corporate networks in order to maintain default gateway redundancy for hosts. In this post, I will show you the commands to configure VRRP with route-tracking and interface-tracking.
For this lab, I will be using EVE-NG with four vSRX running 12.1X47-D15.4 code in packet-mode. I am using this version as it has the same features as newer releases, yet is less impactful on my lab hardware. The diagram for this lab is below, and you can find the starting and ending configs at my GitHub repository. The root password for the devices is juniper123. BGP has been configured between INET and WAN1/WAN2 and is passing a default (0/0) route.
First up we will configure our VRRP on WAN1 and WAN2 using the virtual IP of 192.168.255.1. To configure VRRP there are a few things we need to remember in Junos.
- The VRRP group on both routers has to match
- In order to ping, you need to configure accept-data
- VRRP is configured under the interface IP address
- Higher priority is the preferred master
- Preempt is required if you want to allow for the backup to take over
Below is the configuration for VRRP for WAN1 and WAN2 to assign the virtual IP address of 192.168.255.1. We will place the IP in vrrp-group 1, assign WAN1 a priority of 200 and WAN2 a priority of 100, and configure both to preempt. We will demonstrate preempt later on in the lab when we cover tracking.
WAN1:
set interfaces ge-0/0/3 unit 0 family inet address 192.168.255.2/24 vrrp-group 1 virtual-address 192.168.255.1
set interfaces ge-0/0/3 unit 0 family inet address 192.168.255.2/24 vrrp-group 1 priority 200
set interfaces ge-0/0/3 unit 0 family inet address 192.168.255.2/24 vrrp-group 1 preempt
set interfaces ge-0/0/3 unit 0 family inet address 192.168.255.2/24 vrrp-group 1 accept-data
WAN2:
set interfaces ge-0/0/3 unit 0 family inet address 192.168.255.3/24 vrrp-group 1 virtual-address 192.168.255.1
set interfaces ge-0/0/3 unit 0 family inet address 192.168.255.3/24 vrrp-group 1 priority 100
set interfaces ge-0/0/3 unit 0 family inet address 192.168.255.3/24 vrrp-group 1 preempt
set interfaces ge-0/0/3 unit 0 family inet address 192.168.255.3/24 vrrp-group 1 accept-data
Once that has been saved, we should be able to ping the .1 address from the INTERNAL node. We will also make sure that WAN1 is our MASTER and WAN2 is our backup. This is based on the priorities that we configured.
root@WAN1-BLOG> show vrrp
Interface State Group VR state VR Mode Timer Type Address
ge-0/0/3.0 up 1 master Active A 0.840 lcl 192.168.255.2
vip 192.168.255.1
root@WAN2-BLOG> show vrrp
Interface State Group VR state VR Mode Timer Type Address
ge-0/0/3.0 up 1 backup Active D 2.947 lcl 192.168.255.3
vip 192.168.255.1
root@INTERNAL1-BLOG> ping 192.168.255.1 rapid
PING 192.168.255.1 (192.168.255.1): 56 data bytes
!!!!!
--- 192.168.255.1 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 9.668/12.360/15.162/2.351 ms
As you should be able to see from the output above, WAN1 has the VR state of master and WAN2 has the VR state of backup. Also, our INTERNAL device is able to PING the VIP address of 192.168.255.1.
One key thing to note is that preempt is required on the backup VRRP neighbor. By default, the active VRRP router will maintain its mastership, regardless of priority. By using preempt, the higher priority VRRP device will always be the master. We have already configured that under WAN2 when we added the following configuration. We will be taking advantage of this for both Interface tracking and Route tracking.
set interfaces ge-0/0/3 unit 0 family inet address 192.168.255.3/24 vrrp-group 1 preempt
INTERFACE TRACKING
First, we will cover interface tracking for VRRP. What this does is monitor an interface for either state change (up/down), or even low bandwidth thresholds. I have not personally run across where bandwidth threshold has been used, yet I could see a use case if you had multiple VRRP groups and addresses and wanted to move traffic around based on usage. If I come across a use case, I will be sure to share it.
The common way to configure VRRP is with interface tracking. This is commonly used when you have two private links out of the network and want to have a single default gateway. For this lab, we will track interface ge-0/0/0 on WAN1.
Remember that WAN1 has a VRRP priority of 200 while WAN2 has a priority of 100. So what we need to do is make WAN1 drop to a lower priority than WAN2 on the failure of interface ge-0/0/0.
In order to accomplish this, we will configure interface tracking for ge-0/0/0 with a priority-cost of 101. The cost specified is subtracted from the configured priority (we configured it as 200), which leaves WAN1 at 99, below WAN2's 100.
set interfaces ge-0/0/3 unit 0 family inet address 192.168.255.2/24 vrrp-group 1 track interface ge-0/0/0 priority-cost 101
So now if we disable ge-0/0/0 on INET1, that will cause WAN1 ge-0/0/0 to go down as well, and that should cause VRRP to fail over. We can see the status of the interface tracking by using the command show vrrp track.
[edit]
root@INET-BLOG# set interfaces ge-0/0/0 disable
root@WAN1-BLOG> show vrrp track
Track Int State Speed VRRP Int Group VR State Current prio
ge-0/0/0.0 unknown 0 ge-0/0/3.0 1 backup 99
root@WAN1-BLOG> show vrrp summary
Interface State Group VR state VR Mode Type Address
ge-0/0/3.0 up 1 backup Active lcl 192.168.255.2
vip 192.168.255.1
WAN2 NOW SHOWING AS MASTER
root@WAN2-BLOG> show vrrp
Interface State Group VR state VR Mode Timer Type Address
ge-0/0/3.0 up 1 master Active A 0.104 lcl 192.168.255.3
vip 192.168.255.1
As you can see, 192.168.255.3 (the other VRRP neighbor) has assumed mastership for the virtual IP. If we look at the VRRP detail on WAN1, we can see that we have a current priority of 99 and an incurred priority cost of 101, because the tracked interface is in the unknown state.
root@WAN1-BLOG> show vrrp detail
Physical interface: ge-0/0/3, Unit: 0, Address: 192.168.255.2/24
Index: 71, SNMP ifIndex: 522, VRRP-Traps: disabled
Interface state: up, Group: 1, State: backup, VRRP Mode: Active
Priority: 99, Advertisement interval: 1, Authentication type: none
Advertisement threshold: 3, Computed send rate: 0
Preempt: yes, Accept-data mode: yes, VIP count: 1, VIP: 192.168.255.1
Dead timer: 2.858s, Master priority: 100, Master router: 192.168.255.3
Virtual router uptime: 00:09:16
Tracking: enabled
Current priority: 99, Configured priority: 200
Priority hold time: disabled
Interface tracking: enabled, Interface count: 1
Interface Int state Int speed Incurred priority cost
ge-0/0/0.0 unknown 0 101
Route tracking: disabled
Now once the interface recovers, WAN1 will be the master again.
root@WAN1-BLOG> show vrrp
Interface State Group VR state VR Mode Timer Type Address
ge-0/0/3.0 up 1 master Active A 0.017 lcl 192.168.255.2
vip 192.168.255.1
Before we continue, please delete the interface tracking as we will be using the same priority decrement. Your total decrement amount cannot exceed the interface priority configured.
delete interfaces ge-0/0/3.0 family inet address 192.168.255.2/24 vrrp-group 1 track
ROUTE TRACKING
This lab has been configured so that the INET router advertises a default 0/0 route via BGP to WAN1 and WAN2 as you can see from the output below.
root@WAN1-BLOG> show route receive-protocol bgp 10.200.1.1
inet.0: 8 destinations, 9 routes (8 active, 0 holddown, 1 hidden)
Prefix Nexthop MED Lclpref AS path
* 0.0.0.0/0 10.200.1.1 65000 I
root@WAN2-BLOG> show route receive-protocol bgp 10.100.1.1
inet.0: 7 destinations, 8 routes (7 active, 0 holddown, 1 hidden)
Prefix Nexthop MED Lclpref AS path
* 0.0.0.0/0 10.100.1.1 65000 I
We will configure this lab to track the received 0/0 route for VRRP mastership. To do this, just as we did for interface tracking, we configure it in the VRRP group. One difference here is that we need to specify a routing-instance; if you are not using routing-instances, you must specify default.
set interfaces ge-0/0/3 unit 0 family inet address 192.168.255.2/24 vrrp-group 1 track route 0.0.0.0/0 routing-instance default priority-cost 101
Now when we look at our VRRP detail, we can see we have Route Tracking enabled and are tracking 0/0.
root@WAN1-BLOG> show vrrp detail
Physical interface: ge-0/0/3, Unit: 0, Address: 192.168.255.2/24
Index: 71, SNMP ifIndex: 522, VRRP-Traps: disabled
Interface state: up, Group: 1, State: master, VRRP Mode: Active
Priority: 200, Advertisement interval: 1, Authentication type: none
Advertisement threshold: 3, Computed send rate: 0
Preempt: yes, Accept-data mode: yes, VIP count: 1, VIP: 192.168.255.1
Advertisement Timer: 0.676s, Master router: 192.168.255.2
Virtual router uptime: 00:30:57, Master router uptime: 00:19:06
Virtual Mac: 00:00:5e:00:01:01
Tracking: enabled
Current priority: 200, Configured priority: 200
Priority hold time: disabled
Interface tracking: disabled
Route tracking: enabled, Route count: 1
Route VRF name Route state Priority cost
0.0.0.0/0 default up 101
Now we will tell INET1 to stop advertising the 0/0 route and see what happens.
root@INET-BLOG# set protocols bgp group EBGP neighbor 10.200.1.2 export NO-EXPORT
Now we can look to see if we have a route to 0/0, and we will see that we do not.
root@WAN1-BLOG> show route 0/0 exact
inet.0: 7 destinations, 7 routes (6 active, 0 holddown, 1 hidden)
root@WAN1-BLOG>
Now when we check VRRP detail, we can see that the Route State is down and we are decrementing 101 from our priority, thus making WAN2 the active VRRP router.
root@WAN1-BLOG> show vrrp detail
Physical interface: ge-0/0/3, Unit: 0, Address: 192.168.255.2/24
Index: 71, SNMP ifIndex: 522, VRRP-Traps: disabled
Interface state: up, Group: 1, State: backup, VRRP Mode: Active
Priority: 99, Advertisement interval: 1, Authentication type: none
Advertisement threshold: 3, Computed send rate: 0
Preempt: yes, Accept-data mode: yes, VIP count: 1, VIP: 192.168.255.1
Dead timer: 3.091s, Master priority: 100, Master router: 192.168.255.3
Virtual router uptime: 00:32:36
Tracking: enabled
Current priority: 99, Configured priority: 200
Priority hold time: disabled
Interface tracking: disabled
Route tracking: enabled, Route count: 1
Route VRF name Route state Priority cost
0.0.0.0/0 default down 101
root@WAN1-BLOG> show vrrp
Interface State Group VR state VR Mode Timer Type Address
ge-0/0/3.0 up 1 backup Active D 3.171 lcl 192.168.255.2
vip 192.168.255.1
mas 192.168.255.3
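
The priority arithmetic behind both tracking sections can be checked before a commit. The Python below is an added example, not part of the original lab or of any Juniper tooling: it flags a tracked object whose loss would not hand mastership to the peer, and a total priority-cost above the configured priority. The names parse, audit and cfg are hypothetical, and the sample input is constructed from the set commands in this post.

```python
import re
from collections import defaultdict

def parse(config):
    """Map each vrrp-group id to its VIP, priority and tracked objects."""
    # 100 is the Junos default priority when none is configured
    groups = defaultdict(lambda: {"vip": None, "priority": 100, "tracks": {}})
    for line in config.splitlines():
        m = re.search(r"vrrp-group (\d+) (.+)", line)
        if not m:
            continue
        group, words = groups[int(m.group(1))], m.group(2).split()
        if words[0] == "virtual-address":
            group["vip"] = words[1]
        elif words[0] == "priority":
            group["priority"] = int(words[1])
        elif words[0] == "track":  # track interface <name> / track route <prefix>
            cost = int(words[words.index("priority-cost") + 1])
            group["tracks"][f"{words[1]} {words[2]}"] = cost
    return dict(groups)

def audit(local_cfg, peer_cfg):
    """Return findings for the local router's tracking against its peer."""
    findings, peer = [], parse(peer_cfg)
    for gid, g in parse(local_cfg).items():
        if gid not in peer:
            findings.append(f"group {gid}: no matching group on peer")
            continue
        p = peer[gid]
        if g["vip"] != p["vip"]:
            findings.append(f"group {gid}: virtual-address differs from peer")
        total = sum(g["tracks"].values())
        if total > g["priority"]:
            findings.append(f"group {gid}: total priority-cost {total} > priority {g['priority']}")
        for name, cost in g["tracks"].items():
            left = g["priority"] - cost
            if left >= p["priority"]:  # peer needs a strictly higher priority
                findings.append(f"group {gid}: losing {name} leaves priority "
                                f"{left}, peer stays backup at {p['priority']}")
    return findings

# Constructed sample input: this lab's set commands, built per router.
PFX = "set interfaces ge-0/0/3 unit 0 family inet address {}/24 vrrp-group 1 "
def cfg(ip, *stmts):
    return "\n".join(PFX.format(ip) + s for s in stmts)
WAN2 = cfg("192.168.255.3", "virtual-address 192.168.255.1", "priority 100", "preempt")
WAN1 = cfg("192.168.255.2", "virtual-address 192.168.255.1", "priority 200", "preempt",
           "track route 0.0.0.0/0 routing-instance default priority-cost 101")
WAN1_BOTH = WAN1 + "\n" + cfg("192.168.255.2", "track interface ge-0/0/0 priority-cost 101")
print(*audit(WAN1, WAN2), *audit(WAN1_BOTH, WAN2), sep="\n")
```

WAN1 with route tracking alone produces no findings, while WAN1_BOTH shows why the interface track has to be deleted before the route track is added.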