VRRP

Virtual Router Redundancy Protocol (VRRP) is commonly deployed on corporate networks in order to maintain default gateway redundancy for hosts. In this post, I will show you the commands to configure VRRP with route-tracking and interface-tracking.

For this lab, I will be using EVE-NG with four vSRX running 12.1X47-D15.4 code in packet-mode. I am using this version as it has the same features as newer codes, yet is less impactful on my lab hardware. The diagram for this lab is below, you can find the starting and ending configs at my GitHub repository. The root password for the devices is juniper123. BGP has been configured between INET and WAN1/WAN2 and is passing a default (0/0) route.

First up we will configure our VRRP on WAN1 and WAN2 using the virtual IP of 192.168.255.1. To configure VRRP there are a few things we need to remember in Junos.

  • The VRRP group on both routers has to match
  • In order to ping, you need to configure accept-data
  • VRRP is configured under the interface IP address
  • Higher priority is the preferred master
  • Preempt is required if you want to allow for the backup to take over

Below is the configuration for VRRP for WAN1 and WAN2 to assign the virtual IP address of 192.168.255.1. We will place the IP in vrrp-group 1, assign WAN1 a priority of 200 and WAN2 a priority of 100, and configure both to preempt. We will demonstrate preempt later on in the lab when we cover tracking.

WAN1:
set interfaces ge-0/0/3 unit 0 family inet address 192.168.255.2/24 vrrp-group 1 virtual-address 192.168.255.1
set interfaces ge-0/0/3 unit 0 family inet address 192.168.255.2/24 vrrp-group 1 priority 200
set interfaces ge-0/0/3 unit 0 family inet address 192.168.255.2/24 vrrp-group 1 preempt
set interfaces ge-0/0/3 unit 0 family inet address 192.168.255.2/24 vrrp-group 1 accept-data

WAN2:
set interfaces ge-0/0/3 unit 0 family inet address 192.168.255.3/24 vrrp-group 1 virtual-address 192.168.255.1
set interfaces ge-0/0/3 unit 0 family inet address 192.168.255.3/24 vrrp-group 1 priority 100
set interfaces ge-0/0/3 unit 0 family inet address 192.168.255.3/24 vrrp-group 1 preempt
set interfaces ge-0/0/3 unit 0 family inet address 192.168.255.3/24 vrrp-group 1 accept-data

Once that has been saved, we should be able to ping the .1 address from the INTERNAL node. We will also make sure that WAN1 is our MASTER and WAN2 is our backup. This is based on the priorities that we configured.

root@WAN1-BLOG> show vrrp    
Interface     State       Group   VR state VR Mode   Timer    Type   Address
ge-0/0/3.0    up              1   master   Active      A  0.840 lcl    192.168.255.2  
                                                                vip    192.168.255.1  

root@WAN2-BLOG> show vrrp 
Interface     State       Group   VR state VR Mode   Timer    Type   Address
ge-0/0/3.0    up              1   backup   Active      D  2.947 lcl    192.168.255.3  
                                                                vip    192.168.255.1  
 
root@INTERNAL1-BLOG> ping 192.168.255.1 rapid 
PING 192.168.255.1 (192.168.255.1): 56 data bytes
!!!!!
--- 192.168.255.1 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 9.668/12.360/15.162/2.351 ms

As you should be able to see from the output above, WAN1 has the VR state of master and WAN2 has the VR state of backup. Also, our INTERNAL device is able to PING the VIP address of 192.168.255.1.

One key thing to note is that preempt is required on the backup VRRP neighbor. By default, the active VRRP router will maintain its mastership, regardless of priority. By using preempt, the higher priority VRRP device will always be the master. We have already configured that under WAN2 when we added the following configuration. We will be taking advantage of this for both Interface tracking and Route tracking.

set interfaces ge-0/0/3 unit 0 family inet address 192.168.255.3/24 vrrp-group 1 preempt

INTERFACE TRACKING

First, we will cover interface tracking for VRRP. What this does is monitor an interface for either state change (up/down), or even low bandwidth thresholds. I have not personally run across where bandwidth threshold has been used, yet I could see a use case if you had multiple VRRP groups and addresses and wanted to move traffic around based on usage. If I come across a use case, I will be sure to share it.

The common way to configure VRRP is with interface tracking. This is commonly used when you have two private links out of the network and want to have a single default gateway. For this lab, we will track interface ge-0/0/0 on WAN1.

Remember that that WAN1 has a VRRP priority of 200 while WAN2 has a priority of 100. So what we need to do is have WAN1 have a lower priority on the failure of interface ge-0/0/0.

In order to accomplish this, we will configure interface tracking for ge-0/0/0 with a cost of 101. The cost specified is decremented from the current cost (we configured it as 200).

set interfaces ge-0/0/3 unit 0 family inet address 192.168.255.2/24 vrrp-group 1 track interface ge-0/0/0 priority-cost 101

So now if we disable ge-0/0/0 on INET1, that would cause WAN1 ge-0/0/0 to go down as well, and that should cause VRRP to failover. We can see the status of the interface tracking by using the command show vrrp track.

[edit]
root@INET-BLOG# set interface ge-0/0/0 disable

root@WAN1-BLOG> show vrrp track     
Track Int   State         Speed   VRRP Int   Group   VR State      Current prio
ge-0/0/0.0  unknown           0   ge-0/0/3.0     1   backup                  99 

root@WAN1-BLOG> show vrrp summary 
Interface     State       Group   VR state       VR Mode    Type   Address 
ge-0/0/3.0    up              1   backup          Active    lcl    192.168.255.2      
                                                            vip    192.168.255.1      

WAN2 NOW SHOWING AS MASTER
root@WAN2-BLOG> show vrrp        
Interface     State       Group   VR state VR Mode   Timer    Type   Address
ge-0/0/3.0    up              1   master   Active      A  0.104 lcl    192.168.255.3  
                                                                vip    192.168.255.1  

As you can see, 192.168.255.3 ( the other VRRP neighbor) has assumed mastership for the virtual IP. If we look at WAN1 vrrp detail, we can see that there we have a current priority of 99 and there is an Incurred cost of 101 for the interface state in unknown.

root@WAN1-BLOG> show vrrp detail 
Physical interface: ge-0/0/3, Unit: 0, Address: 192.168.255.2/24
  Index: 71, SNMP ifIndex: 522, VRRP-Traps: disabled
  Interface state: up, Group: 1, State: backup, VRRP Mode: Active
  Priority: 99, Advertisement interval: 1, Authentication type: none
  Advertisement threshold: 3, Computed send rate: 0
  Preempt: yes, Accept-data mode: yes, VIP count: 1, VIP: 192.168.255.1      
  Dead timer: 2.858s, Master priority: 100, Master router: 192.168.255.3 
  Virtual router uptime: 00:09:16
  Tracking: enabled 
    Current priority: 99, Configured priority: 200 
    Priority hold time: disabled
    Interface tracking: enabled, Interface count: 1  
      Interface     Int state   Int speed   Incurred priority cost
      ge-0/0/0.0    unknown             0                     101
    Route tracking: disabled

Now once the interface recovers, WAN1 will be the master again.

root@WAN1-BLOG> show vrrp 
Interface     State       Group   VR state VR Mode   Timer    Type   Address
ge-0/0/3.0    up              1   master   Active      A  0.017 lcl    192.168.255.2  
                                                                vip    192.168.255.1  

Before we continue, please delete the interface tracking as we will be using the same priority decrement. Your total decrement amount cannot exceed the interface priority configured.

delete interfaces ge-0/0/3.0 family inet address 192.168.255.2/24 vrrp-group 1 track 

ROUTE TRACKING

This lab has been configured so that the INET router advertises a default 0/0 route via BGP to WAN1 and WAN2 as you can see from the output below.

root@WAN1-BLOG> show route receive-protocol bgp 10.200.1.1 

inet.0: 8 destinations, 9 routes (8 active, 0 holddown, 1 hidden)
  Prefix                  Nexthop              MED     Lclpref    AS path
* 0.0.0.0/0               10.200.1.1                              65000 I

root@WAN2-BLOG> show route receive-protocol bgp 10.100.1.1 

inet.0: 7 destinations, 8 routes (7 active, 0 holddown, 1 hidden)
  Prefix                  Nexthop              MED     Lclpref    AS path
* 0.0.0.0/0               10.100.1.1                              65000 I

We will configure this lab to track the received on the 0/0 route for VRRP mastership. To do this, just like we did for interface tracking, we configure it in the VRRP group. One difference here is that we need to specify a routing-instance, if you are not using routing-instances, you must specify default.

set interfaces ge-0/0/3 unit 0 family inet address 192.168.255.2/24 vrrp-group 1 track route 0.0.0.0/0 routing-instance default priority-cost 101

Now when we look at our VRRP detail, we can see we have Route Tracking enabled and are tracking 0/0.

root@WAN1-BLOG> show vrrp detail 
Physical interface: ge-0/0/3, Unit: 0, Address: 192.168.255.2/24
  Index: 71, SNMP ifIndex: 522, VRRP-Traps: disabled
  Interface state: up, Group: 1, State: master, VRRP Mode: Active
  Priority: 200, Advertisement interval: 1, Authentication type: none
  Advertisement threshold: 3, Computed send rate: 0
  Preempt: yes, Accept-data mode: yes, VIP count: 1, VIP: 192.168.255.1      
  Advertisement Timer: 0.676s, Master router: 192.168.255.2
  Virtual router uptime: 00:30:57, Master router uptime: 00:19:06
  Virtual Mac: 00:00:5e:00:01:01 
  Tracking: enabled 
    Current priority: 200, Configured priority: 200 
    Priority hold time: disabled
    Interface tracking: disabled
    Route tracking: enabled, Route count: 1  
      Route               VRF name     Route state      Priority cost  
      0.0.0.0/0           default      up                         101 

So now when we tell INET1 to stop advertising the 0/0 route, we will see what happens.

root@INET-BLOG# set protocols bgp group EBGP neighbor 10.200.1.2 export NO-EXPORT

Now we can look to see if we have a route to 0/0, and we will see that we do not.

root@WAN1-BLOG> show route 0/0 exact 

inet.0: 7 destinations, 7 routes (6 active, 0 holddown, 1 hidden)

root@WAN1-BLOG>

Now when we check VRRP detail, we can see that the Route State is down and we are decrementing 101 from our priority, thus making WAN2 the active VRRP router.

root@WAN1-BLOG> show vrrp detail    
Physical interface: ge-0/0/3, Unit: 0, Address: 192.168.255.2/24
  Index: 71, SNMP ifIndex: 522, VRRP-Traps: disabled
  Interface state: up, Group: 1, State: backup, VRRP Mode: Active
  Priority: 99, Advertisement interval: 1, Authentication type: none
  Advertisement threshold: 3, Computed send rate: 0
  Preempt: yes, Accept-data mode: yes, VIP count: 1, VIP: 192.168.255.1      
  Dead timer: 3.091s, Master priority: 100, Master router: 192.168.255.3 
  Virtual router uptime: 00:32:36
  Tracking: enabled 
    Current priority: 99, Configured priority: 200 
    Priority hold time: disabled
    Interface tracking: disabled
    Route tracking: enabled, Route count: 1  
      Route               VRF name     Route state      Priority cost  
      0.0.0.0/0           default      down                       101 

root@WAN1-BLOG> show vrrp 
Interface     State       Group   VR state VR Mode   Timer    Type   Address
ge-0/0/3.0    up              1   backup   Active      D  3.171 lcl    192.168.255.2  
                                                                vip    192.168.255.1  
                                                                mas    192.168.255.3