VRRP


VRRP on ERS5000

1. Introduction
There are a number of methods that an end-host can use to determine its first hop router towards a particular IP destination, such as running a dynamic routing protocol like Routing Information Protocol [RIP] or OSPF version 2 [OSPF], or using a statically configured default route. Running a dynamic routing protocol on every end-host may be infeasible for a number of reasons, including administrative overhead, processing overhead, security issues, or lack of a protocol implementation for some platforms.

The use of a statically configured default route is quite popular; it minimizes configuration and processing overhead on the end-host and is supported by virtually every IP implementation. However, this creates a single point of failure. Loss of the default router results in a catastrophic event, isolating all end-hosts that are unable to detect any alternate path that may be available.

[Figure: two routers with IP addresses 10.10.10.3/24 and 10.10.10.4/24 connect the LAN to the WAN. PC-1 and PC-2 (IP addresses 10.10.10.11/24 and 10.10.10.12/24) use default gateways 10.10.10.3 and 10.10.10.4.]

The Virtual Router Redundancy Protocol (VRRP) is designed to eliminate the single point of failure inherent in the static default routed environment. VRRP specifies an election protocol that dynamically assigns responsibility for a virtual router to one of the VRRP routers on a LAN.

The VRRP router controlling the IP address(es) associated with a virtual router is called the Master, and forwards packets sent to these IP addresses. The election process provides dynamic fail-over in the forwarding responsibility should the Master become unavailable. Any of the virtual router's IP addresses on a LAN can then be used as the default first hop router by end-hosts. The advantage gained from using VRRP is a higher availability default path without requiring configuration of dynamic routing or router discovery protocols on every end-host. (RFC 3768)

[Figure: the same LAN with VRRP. Two routers with IP addresses 10.10.10.3/24 and 10.10.10.4/24, one the VRRP master router and one the VRRP backup router, both carry VRRP IP 10.10.10.1 and connect to the WAN. PC-1 and PC-2 (IP addresses 10.10.10.11/24 and 10.10.10.12/24) both use default gateway 10.10.10.1 (VRRP IP).]

Definitions
VRRP Router : A router running the Virtual Router Redundancy Protocol.
Virtual Router : An abstract object managed by VRRP that acts as a default router for hosts on a shared LAN. It consists of a Virtual Router Identifier and a set of associated IP address(es) across a common LAN. A VRRP Router may back up one or more virtual routers.
IP Address Owner : The VRRP router that has the virtual router's IP address(es) as real interface address(es). This is the router that, when up, will respond to packets addressed to one of these IP addresses for ICMP pings, TCP connections, etc.
Virtual Router Master : The VRRP router that is assuming the responsibility of forwarding packets sent to the IP address(es) associated with the virtual router, and answering ARP requests for these IP addresses. Note that if the IP address owner is available, then it will always become the Master.
Virtual Router Backup : The set of VRRP routers available to assume forwarding responsibility for a virtual router should the current Master fail.

VRRP Overview
The virtual router MAC address is used as the
source in all periodic VRRP messages sent by
the Master router. A virtual router is defined by
its virtual router identifier (VRID) and a set of IP
addresses. To minimize network traffic, only the
Master for each virtual router sends periodic
VRRP Advertisement messages. A Backup
router will not attempt to preempt the Master
unless it has higher priority. This eliminates
service disruption unless a more preferred path
becomes available. VRRP packets are sent
encapsulated in IP packets. They are sent to the
IPv4 multicast address assigned to VRRP.

VRRP Packet Format

IP Field Descriptions & VRRP Parameter Definitions
Source Address : The primary IP address of the interface
the packet is being sent from.
Destination Address : The IP multicast address as
assigned by the IANA for VRRP is: 224.0.0.18
TTL : The TTL MUST be set to 255. A VRRP router
receiving a packet with the TTL not equal to 255 MUST
discard the packet.
Protocol : The IP protocol number assigned by the IANA
for VRRP is 112 (decimal).
Version : The version field specifies the VRRP protocol
version of this packet.
Type : The type field specifies the type of this VRRP
packet. The only packet type defined in this version of
the protocol is: 1 ADVERTISEMENT

Virtual Rtr ID (VRID) : The Virtual Router Identifier (VRID) field identifies the virtual router this packet is reporting status for. Configurable item in the range 1-255 (decimal). There is no default.
Priority : The priority field specifies the sending VRRP router's priority for the virtual router. Higher values equal higher priority. This field is an 8 bit unsigned integer field. VRRP routers backing up a virtual router MUST use priority values between 1-254 (decimal). The default priority value for VRRP routers backing up a virtual router is 100 (decimal).

The priority value zero (0) has special meaning, indicating that the current Master has stopped participating in VRRP. This is used to trigger Backup routers to quickly transition to Master without having to wait for the current Master to time out. The value of 0 (zero) is reserved for the Master router to indicate it is releasing responsibility for the virtual router.
Authentication Type : ERS5500 series has no authentication.
Critical-ip <ipaddr> : A locally configured IP address to use as a trigger for releasing control of the virtual router. Configuring Critical IP together with the backup-master feature is not advised on either the 5500 or the 8600 series.

Advertisement Interval (Adver Int) : The Advertisement interval indicates the time interval (in seconds) between ADVERTISEMENTS. The default is 1 second. This field is used for troubleshooting misconfigured routers.
Skew_Time : Time to skew Master_Down_Interval in seconds. Calculated as: ( (256 - Priority) / 256 )
Master_Down_Interval : Time interval for Backup to declare Master down (seconds). Calculated as: (3 * Advertisement_Interval) + Skew_time
Preempt_Mode : Controls whether a higher priority Backup router preempts a lower priority Master. Values are True to allow preemption and False to prohibit preemption. Default is True. Note: The exception is that the router that owns the IP address(es) associated with the virtual router always preempts, independent of the setting of this flag.
Checksum : The checksum field is used to detect data corruption in the VRRP message. The checksum is the 16-bit one's complement of the one's complement sum of the entire VRRP message starting with the version field. For computing the checksum, the checksum field is set to zero. See RFC 1071 for more detail [CKSM].

Fast advertisement : Proprietary to ERS; supports an advertisement interval from 200 to 1000 ms, with a default value of 200 ms.

VRRP Packets
VRRP packets, used to communicate between VRRP routers, use the following addresses:
Destination IP address: 224.0.0.18
Destination MAC address: 01-00-5E-00-00-12
Source MAC address: 00-00-5E-00-01-{0xVRID}
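
The receive-side checks described above (protocol 112, destination 224.0.0.18, TTL 255, checksum, virtual router MAC), as an added Python example that is not part of the original slides. The 8-byte header layout, including the Count IP Addrs field and the trailing 8 bytes of authentication data, follows RFC 3768 (VRRP version 2); the function names and the sample packet are constructed for illustration.

```python
import struct

VRRP_GROUP = "224.0.0.18"   # destination address given on the page
VRRP_PROTO = 112            # IP protocol number given on the page

def inet_checksum(data: bytes) -> int:
    """RFC 1071: 16-bit one's complement of the one's complement sum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_advert(vrid, priority, adver_int, addrs):
    """Construct a sample advertisement (test input, not captured traffic)."""
    # version 2 / type 1, VRID, priority, Count IP Addrs, auth type 0,
    # Adver Int, checksum field zeroed for the computation
    body = bytes([0x21, vrid, priority, len(addrs), 0, adver_int, 0, 0])
    body += b"".join(bytes(int(o) for o in a.split(".")) for a in addrs)
    body += bytes(8)  # authentication data, unused with auth type 0
    return body[:6] + struct.pack("!H", inet_checksum(body)) + body[8:]

def check_advert(ttl, proto, dst_ip, src_mac, payload):
    """Return the reasons to discard a packet; an empty list means accept."""
    problems = []
    if proto != VRRP_PROTO:
        problems.append("protocol is not 112")
    if dst_ip != VRRP_GROUP:
        problems.append("destination is not 224.0.0.18")
    if ttl != 255:
        problems.append("TTL is not 255")
    if len(payload) < 8:
        return problems + ["payload shorter than the fixed header"]
    ver_type, vrid, _priority, count = payload[:4]
    if ver_type >> 4 != 2 or ver_type & 0x0F != 1:
        problems.append("not a version 2 ADVERTISEMENT")
    if len(payload) != 8 + 4 * count + 8:
        problems.append("length does not match Count IP Addrs")
    if inet_checksum(payload) != 0:  # a valid message sums to 0xFFFF
        problems.append("checksum mismatch")
    if src_mac.lower().replace(":", "-") != f"00-00-5e-00-01-{vrid:02x}":
        problems.append("source MAC is not the virtual router MAC")
    return problems
```

The same checks can be applied by hand to a sniffer trace when verifying that advertisements come from the expected router.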

VRRP states
Initialize
Wait to be enabled.

Backup
Responsibilities:
MUST NOT respond to ARP requests for the IP address
associated with the virtual router.
MUST discard packets with a destination MAC address
equal to the virtual router MAC address.
MUST NOT accept packets addressed to the IP address
associated with the virtual router.
Transition to the Master state.

Master
Responsibilities:
MUST respond to ARP requests for the IP address
associated with the virtual router.
MUST forward packets with a destination MAC address
equal to the virtual router MAC address.
MUST NOT accept packets addressed to the IP address
associated with the virtual router if it is not the IP address
owner. (included in the RFC, not seen on the Nortel)
MUST accept packets addressed to the IP address
associated with the virtual router if it is the IP address
owner.

Determining Master
Upon receipt of a VRRP packet a VRRP router should:
Compare VRID in packet to internal VRIDs.
Don't match: discard packet.
Do match: compare priorities.
Compare VRRP priority.
Packet priority higher: transition to Backup.
Internal priority higher: transition to Master.
Equal: compare sender's IP address. Highest IP address is the Master.

Events that result in a Backup VRRP router becoming Master
Receive a VRRP packet with priority lower than internal priority.
Backup does not receive a VRRP packet within the Master_Down_Interval.
VRRP Master sends a packet with priority 0 indicating it is relinquishing control of the virtual router.
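
The election rules and timer formulas from the slides, as an added Python example that is not part of the original deck. Function names and the router names D2/D3 are hypothetical; the priority 0 case follows the slide's simplification (in RFC 3768 the Backup first waits Skew_Time before taking over).

```python
from ipaddress import IPv4Address

def skew_time(priority):
    """Skew_Time in seconds: (256 - Priority) / 256."""
    return (256 - priority) / 256

def master_down_interval(priority, adver_int=1):
    """Master_Down_Interval: (3 * Advertisement_Interval) + Skew_Time."""
    return 3 * adver_int + skew_time(priority)

def on_advert(vrid, priority, ip, pkt_vrid, pkt_priority, pkt_ip):
    """Next state for the local router (vrid, priority, ip) on an advert."""
    if pkt_vrid != vrid:
        return "discard"             # VRID does not match: discard packet
    if pkt_priority == 0:
        return "master"              # Master is relinquishing control
    if pkt_priority != priority:
        return "backup" if pkt_priority > priority else "master"
    # Equal priority: the highest sender IP address is the Master.
    return "backup" if IPv4Address(pkt_ip) > IPv4Address(ip) else "master"

def takeover_after_silence(backups, adver_int=1):
    """backups: (name, priority) pairs that stop hearing the Master.

    Returns (name, seconds) for the Backup whose Master_Down_Interval
    expires first. Skew_Time makes this the highest-priority Backup.
    """
    name, prio = min(backups,
                     key=lambda b: master_down_interval(b[1], adver_int))
    return name, master_down_interval(prio, adver_int)

if __name__ == "__main__":
    # Constructed scenario: two Backups, default 1 second advertisements.
    print(takeover_after_silence([("D2", 100), ("D3", 200)]))
    print(on_advert(1, 100, "10.10.10.3", 1, 100, "10.10.10.4"))
```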

ERS 5500 Implementations & backup-master behavior

Initial Setup
[Figure: PC-1, PC-2 and PC-3 attach to two Layer 2 switches, which connect by SMLT to the VRRP-master (both VLANs) and the VRRP-backup (both VLANs); the two VRRP routers are joined by an IST.]

Q01737679 problem
[Figure: PC-1, PC-2, PC-3, two Layer 2 switches, VRRP-master (both VLANs), VRRP-backup (both VLANs).]
Packet from PC1 to PC2 (dest MAC = VRRP MAC).
Based on MLT distribution, the packet could be sent to the backup.
As the 5x00 is not owner of the VRRP MAC, the packet is switched to the VRRP Master.
The packet should be routed to PC2.
Due to CR Q01737679 (5x00 hardware limitation), the packet is dropped when coming from IST to SMLT (when SMLT is in state SMLT).

Solution for Q01737679
[Figure: PC-1, PC-2, PC-3, two Layer 2 switches, VRRP-master (both VLANs), VRRP-backup-master (both VLANs).]
Packet from PC1 to PC2 (dest MAC = VRRP MAC).
Based on MLT distribution, the packet could be sent to the backup.
The 5x00 is now owner of the VRRP MAC.
The packet is routed to PC2.

Link down situation
[Figure: link down; PC-2 and PC-3, Layer 2 switch, VRRP-master, VRRP-backup-master.]

Flooding of all packets on L2 switch
[Figure: PC-2, PC-3, Layer 2 switch, VRRP-master, VRRP-backup-master.]
Packet from PC1 to VRRP MAC: flooded, as no FDB entry exists!
VRRP MAC aged; not re-learned, as no VRRP hellos are arriving.
VRRP hello not forwarded due to CR Q01990799.

CR Q01990790 resolves the flooding issue
[Figure: PC-2, PC-3, Layer 2 switch, VRRP-master, VRRP-backup-master.]
Packet from PC1 to VRRP MAC.
VRRP MAC learned every 10 sec.
VRRP hello sent every 10 sec from the backup-master (CR Q01990790).

DAW NetApp problem

Initial Setup
[Figure: NetApp and PC-1, two Layer 2 switches and two 8300s, connected by SMLT to 5x00 D1 (VRRP-master, both VLANs) and 5x00 D2 (VRRP-backup, both VLANs), which are joined by an IST.]

Packet to the Server
[Figure: NetApp, PC-1, two Layer 2 switches, 5x00 D1, 5x00 D2, two 8300s; blue and red paths.]
PC sends the packet to the default gateway, which is the VRRP MAC address 00:00:5e:00:01:xx.
The packet is sent along either the blue or the red path, depending on the MLT distribution.
If the blue path is used: the packet is routed by D1, as it is VRRP master and the packet is destined to the VRRP MAC address.
If the red path is used: the packet is routed by D2, as it is VRRP backup-master and the packet is destined to the VRRP MAC address.
The packet is forwarded to the destination.

Packet from the Server (DAW behavior)
[Figure: NetApp, PC-1, two Layer 2 switches, 5x00 D1, 5x00 D2, two 8300s; blue and red paths.]
The server sends the packet to the MAC address it received the packet from, not to the default gateway VRRP address, e.g. the MAC address of D1.
The packet is sent along either the blue or the red path, depending on the MLT distribution.
If the blue path is used: the packet is routed by D1, as the destination MAC is its own MAC. The packet is forwarded to the destination.
If the red path is used: the packet has the D1 MAC and therefore must be sent to D1 across the IST. The packet is switched, not routed (VRRP cannot be used). The packet cannot be forwarded to SMLT coming from the IST. Therefore the packet is lost.

Packet from the Server re-transmission - 1
[Figure: NetApp, PC-1, two Layer 2 switches, 5x00 D1, 5x00 D2, two 8300s; blue and red paths.]
The server sends the packet to the MAC address it received the packet from, not to the default gateway VRRP address, e.g. the MAC address of D1.
The packet is sent along either the blue or the red path, depending on the MLT distribution.
If the red path is used: the packet has the D1 MAC and therefore must be sent to D1 across the IST. The packet is switched, not routed (VRRP cannot be used). The packet cannot be forwarded to SMLT coming from the IST. Therefore the packet is lost.

Packet from the Server re-transmission - 2
[Figure: NetApp, PC-1, two Layer 2 switches, 5x00 D1, 5x00 D2, two 8300s; blue and red paths.]
The server sends the packet to the VRRP MAC address.
The packet is sent along either the blue or the red path, depending on the MLT distribution.
If the red path is used: the packet has the VRRP MAC, therefore D2 will use the backup-master function to route the packet.
The packet is forwarded to the destination.

Conclusion:
Due to the hardware limitation in the 5x00 (Q01737679), the VRRP backup-master function must be used in an IST/SMLT design with 5x00s.
Another limitation prevents VRRP hellos from being forwarded by the VRRP backup-master (Q01990799). To overcome this limitation, the backup-master will generate VRRP hellos every 10 sec itself (Q01990790).
Therefore the 5x00 must not be used in a non-SMLT design with the VRRP backup-master function enabled.

ERS VRRP Trap Messages

Transition Type:
1 - None
2 - Master to Backup
3 - Backup to Master
4 - Initialize to Master
5 - Master to initialize
6 - Initialize to Backup
7 - Backup to Initialize
8 - Backup to Backup Master
9 - Backup Master to Backup

Transition Cause:
1 - None
2 - Higher priority advertisement received
3 - Shutdown received
4 - VRRP Address and Physical Address match
5 - Master Down interval
6 - Preemption
7 - Critical IP goes down
8 - User Disabling VRRP
9 - VRRP status synced from primary
10 - IP interface on which VRRP is configured goes down.
11 - Lower Priority Advertisement received
12 - Advertisement received from Higher interface IP address with
Equal priority
13 - Advertisement received from Lower interface IP address with
Equal priority
14 - User enabled VRRP
15 - Transition because of any other cause

Troubleshooting suggestions
Begin by determining which interfaces are running VRRP.
Make note of the state of each interface (i.e. Master or Backup).
Look at the configured parameters, such as VRIDs and IP addresses, for each interface and be sure they match on all VRRP routers. The same VRID should not be used on different VLANs.
Capture the VRRP packets and be sure they are coming from the expected router at the expected time interval.
Note : ERS5500 series must have the advanced licence to configure VRRP.

Sniffer considerations
ARP replies from the VRRP IP address will have
a source MAC of the Passport interface (the
packet will contain the VRRP MAC).
ICMP echo replies from the VRRP IP address
will use the VRRP MAC as the source.
Packets being routed back through a VRRP
interface will use the Passport MAC address as
the source MAC.

Note : On ERS8300-ERS8600, it is advised to configure RSMLT instead of VRRP for square or full mesh structures.

Thanks

References
RFC 3768
Dan Duisenberg, J_-_Passport_8600_Class_-_VRRP.ppt
Juergen Arlt, VRRP_5x00.ppt, DAW_5x00.ppt
PP8600_TCG_for_VRRP