VRRP Tab
Configuration > Networking > VRRP
This tab summarizes the configuration and state for appliances deployed with Virtual Router Redundancy Protocol (VRRP).
VRRP specifies an election protocol that dynamically assigns responsibility for a virtual router to one of the VRRP routers on a LAN. The VRRP router controlling the IP addresses associated with a virtual router is called the Master and forwards packets sent to these IP addresses. The election process provides dynamic failover in the forwarding responsibility should the Master become unavailable. This allows end hosts to use any virtual router IP addresses on the LAN as the default first-hop router. The advantage gained from using VRRP is a higher availability default path without the need to configure dynamic routing protocols such as BGP or OSPF.
VRRP Configuration Considerations
When configuring VRRP, observe the following restrictions:
-
If you set the VRRP virtual IP (VIP) to a subnet that is different than that of the LAN physical interfaces, do not use static routes on the LAN side.
-
By default, EdgeHA operates within the IPv4 link-local address range. If you configure the LAN interfaces to use the same range, ensure that there are no duplicate IP addresses.
-
If the LAN physical interfaces are set to the link-local subnet 169.254.0.0/16, make sure that this subnet is not shared via route-map filtering.
-
DHCP server, DHCP relay, or other management services on the VRRP VIP with a different subnet are not supported.
-
VRRP convergence is optimized when the Site/Cluster Tracker option is enabled.
-
EdgeConnect appliances do not support the implementation of different max advertise intervals for different routers in the same VRRP group (IPv4 and IPv6). You must configure this interval to be the same on all routers in the same VRRP group, whether they are considered master or backup. When advertisement timers are different, devices can declare as master irrespective of their priority.
VRRP Edit Row
From the list of appliances, click the edit icon to display the VRRP screen. Click Add VRRP to add a VRRP instance. Use the information in the following table to assist you in configuring a VRRP. Click Save to deploy your VRRP configuration.
VRRP Settings
| Field | Description |
|---|---|
| Group ID | The value is assigned to a group of routing devices. The group most commonly includes two appliances but depending on the deployment could contain one or more appliances and a router (or L3 switch), or more than two appliances. The valid range is 1 to 255. |
| Interface | Choose an interface that VRRP will use for peering from a list of configured system interfaces. |
| Version | Select the VRRP version that applies for your system: 2 – Supports only IPv4. 3 – Supports IPv4 and IPv6; does not support authentication strings. |
| State | The VRRP instance has three states: Backup – Instance is in VRRP backup state. Init – Instance is initializing, it is disabled, or the interface is down. Master – Instance is the current VRRP master. |
| Admin | Select up (enable) or down (disable). |
| Virtual IP | IP address of the VRRP instance. Configure the VRRP VIP on a different subnet than the LAN physical interfaces; this maximizes the number of available LAN IP addresses. VRRP instances can run between two or more appliances, or appliances and routers. The VRRP VIP subnet is shared with the peers. |
| Hold Down | The number of seconds a higher-priority backup router waits before preempting the primary router after it has just started up. It is best practice to configure a hold time so that routing protocols converge and tunnels come back up before preemption occurs. The default value is 60 sec to account for the default quiescent tunnel keep alive time. The minimum value is 1 second. |
| Advertisement Timer | The time interval between sent advertisements. For version 2, the time is measured in seconds, and the default is 1 sec. For version 3, the time is measured in centi-seconds, and the default is 1 centi-sec. 1 centi-sec = 10ms. |
| Priority Config | The greater the number, the higher the priority. The appliance with the higher priority is the VRRP Master. |
| Priority State | The current VRRP priority, which can be influenced by IP SLA rules. |
| Preemption | Leave this selected/enabled so that after a failure, the appliance with the highest priority comes back online and again assumes primary responsibility. |
| Site/Cluster Tracking | Enabling this option optimizes traffic convergence, which is particularly useful for traffic originating from a hub and destined for an HA site where this VRRP option is enabled. If it is not enabled, convergence may take up to sixty seconds (the default reclassification interval). When enabled, traffic is steered to the new VRRP primary device without waiting for route updates or the reclassification interval. The VRRP convergence happens quickly. |
| Authentication String | Clear text password for authenticating VRRP version 2 group members. You cannot use an authentication string if you are using VRRP version 3. |
| Description | Free-form text field where you can enter a description of the VRRP instance. |
| Details | Click the info icon in this column to view the following details about the VRRP instance. Master IP – The interface or local IP address of the current VRRP Master. Virtual MAC Address – MAC Address that the VRRP instance is using. On a hardware appliance, this is in 00-00-5E-00-01-{VRID} format. On virtual appliances, the VRRP instance uses the MAC Address assigned to the interface (for example, the MAC address that the hypervisor assigned to wan0). State Uptime – Time elapsed since the VRRP instance entered the state it is in. Master State Transitions – Number of times the VRRP instance went from Master to Backup and vice versa. A high number of transitions indicates a problematic VRRP configuration or unstable network. In this case, check the configuration of all local appliances and routers, and then review the log files. IP Address Owner – An EdgeConnect appliance cannot use one of its own IP addresses as the VRRP IP, so this will always be No. |
| Segment | The name of the segment, if enabled. |