VRRP interfaces management

To create a VRRP interface, enter the vrrpX context.

router{conf:myconfig}vrrpX
vrrpX
X is the VRRP identifier, between 1 and 255

To move a VRRP interface into a VRF, from the vrrpX context, enter:

router{conf:myconfig-vrrp1}vrf-id 1

Displaying VRRP configuration

VRRP configuration can be displayed using the following commands:

router{conf:myconfig}display vrrpX

or

router{conf:myconfig-vrrpX}display

VRRP configuration

Turbo IPsec provides a simple VRRP configuration. The minimal configuration covers addresses and bindings, but a typical use case also involves link monitoring and possibly interface settings.

  • Define addresses and bindings:

    Choose the interface on which to activate the VRRP protocol.

    router{conf:myconfig-vrrp1}bind none|(PORTNAME [src A.B.C.D])
    
    none

    Removes the bound port.

    PORTNAME

    Specify the Ethernet interface where VRRP will be activated.

    src A.B.C.D

    IPv4 address used as the source address for VRRP advertisements. If this parameter is not specified, the primary (first) IPv4 address of the bound port is used.

  • Send/receive VRRP messages from base interface:

    Send/receive VRRP messages from base interface instead of VMAC interface.

    router{conf:myconfig-vrrp1}vmac-xmit-base enable|disable
    
    enable

    Send/receive VRRP messages from base interface.

    disable

    Send/receive VRRP messages from the VMAC interface. This is the default behavior.

  • Link monitoring:

    VRRP routers can share fate with a set of interfaces. If any of the tracked interfaces is down or disconnected (no RUNNING flag), the VRRP router enters the FAULT state and therefore drops any MASTER responsibility.

    router{conf:myconfig-vrrp1}track IFNAME [IFNAME ...]
    router{conf:myconfig-vrrp1}track none
    
    IFNAME

    Specify an interface whose fate should be shared.

    none

    Remove ALL tracked interfaces.

    Note

    This feature is optional, but highly recommended to avoid blackholes. A clever VRRP candidate should retire if the link supporting its default route fails.

  • Virtual IPs:

    Specify VRRP IP address block.

    router{conf:myconfig-vrrp1}virtual-ipaddress ABCDM [ABCDM ...]
    router{conf:myconfig-vrrp1}virtual-ipaddress none
    
    ABCDM

    Specify a virtual IPv4 address.

    none

    Remove ALL virtual IPv4 addresses.

  • Virtual routes:

    Specify VRRP virtual routes.

    router{conf:myconfig-vrrp1}virtual-route UNICAST ABCD|PORT
    router{conf:myconfig-vrrp1}virtual-route none
    
    UNICAST

    Specify the destination address of the route.

    ABCD

    Specify the gateway address of the route.

    PORT

    Specify the interface via which traffic should be sent.

    none

    Remove ALL virtual routes.

  • VRRP basic timers:

    Configure the VRRP advertising interval.

    router{conf:myconfig-vrrp1}timer advertise-interval N|default
    
    N

    Specify the new advertisement interval (0.01 to 65535), in seconds.

    default

    Restores the advertisement interval to its default value: 1s.

    Configure the delay for gratuitous ARP/NDP.

    router{conf:myconfig-vrrp1}timer gndp N|default
    
    N

    Specify the gratuitous ARP/NDP delay (1-65535), in seconds.

    default

    Restores the gratuitous ARP/NDP delay to its default value: 5s.

    Configure the VRRP preemption delay.

    router{conf:myconfig-vrrp1}timer preempt none|N|default
    
    none

    No VRRP preemption delay.

    N

    Specify the VRRP preemption delay (1-1000), in seconds.

    default

    Restores the VRRP preemption delay to its default value: 30s.

  • VRRP notification actions:

    Set actions to be called when the VRRP router state changes.

    router{conf:myconfig-vrrp1}notify master|backup|fault|any none
    router{conf:myconfig-vrrp1}notify master|backup|fault|any "PATH"
    router{conf:myconfig-vrrp1}notify master|backup|fault call "CLI_COMMAND"
    
    master|backup|fault|any

    State that causes the action to be called.

    PATH

    Path to an external notification script.

    Note

    The script must be present in the Turbo IPsec filesystem with execute permission.

    CLI_COMMAND

    CLI command to execute.

    none

    Disables script notification for this state (this is the default).

Note

The notify any script is called AFTER a state-specific notify action has been called, and is given exactly 4 arguments:

$1 = A string indicating whether it’s a “GROUP” or an “INSTANCE”

$2 = The name of the group or instance (e.g. “vrrp-group1” or “vrrp51”)

$3 = The state it’s transitioning to (“MASTER”, “BACKUP”, “FAULT” or “STOP”)

$4 = The priority value

  • Default state:

    Specify the initial state of the VRRP router.

    router{conf:myconfig-vrrp1}master enable|disable
    
    enable

    Specify that the router starts acting as MASTER.

    disable

    Specify that the router starts acting as BACKUP. This is the default behavior.

  • Priority:

    Specify the priority that the VRRP router uses during the election process.

    router{conf:myconfig-vrrp1}priority <1-255>|default
    
    <1-255>

    Specify the priority; the higher the better.

    default

    Restores the default priority value: 100.

  • VRRP MTU:

    Set the MTU of a VRRP instance:

    router{conf:myconfig-vrrp1}vmac-mtu MTU|default

    MTU

    Specify the MTU.

    default

    Restores the default MTU.
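
The following handler for the notify any action is an added example, not part of the Turbo IPsec documentation. It checks the four arguments listed in the note above before logging the state transition; the function names, the vrrp-notify syslog tag, the allowed name characters, the 0-255 priority range and the severity mapping are assumptions of this example.

```shell
#!/bin/sh
# Added example: handler for "notify any". Argument layout per the note above:
#   $1 GROUP|INSTANCE   $2 name   $3 MASTER|BACKUP|FAULT|STOP   $4 priority
LC_ALL=C; export LC_ALL   # keep the A-Z / a-z ranges below ASCII-only

# validate_args: succeed only if exactly four well-formed arguments are given.
validate_args() {
    [ "$#" -eq 4 ] || return 1
    case "$1" in GROUP|INSTANCE) ;; *) return 1 ;; esac
    # Assumption: names use only letters, digits, '_', '.' and '-'.
    case "$2" in ''|*[!A-Za-z0-9_.-]*) return 1 ;; esac
    case "$3" in MASTER|BACKUP|FAULT|STOP) ;; *) return 1 ;; esac
    # Assumption: priority is 1 to 3 decimal digits in the range 0-255.
    case "$4" in ''|????*|*[!0-9]*) return 1 ;; esac
    [ "$4" -le 255 ]
}

# severity_for: map the new state to a syslog facility.level (assumed policy).
severity_for() {
    case "$1" in
        FAULT)       echo daemon.err ;;
        MASTER|STOP) echo daemon.warning ;;
        *)           echo daemon.notice ;;
    esac
}

# format_event: one key=value line, easy to match in a log pipeline.
format_event() {
    printf 'type=%s name=%s state=%s priority=%s' "$1" "$2" "$3" "$4"
}

# handle_notify: returns 0 when the event was accepted, 2 when it was rejected.
handle_notify() {
    if ! validate_args "$@"; then
        logger -t vrrp-notify -p daemon.err "rejected malformed arguments (count=$#)" 2>/dev/null || true
        return 2
    fi
    logger -t vrrp-notify -p "$(severity_for "$3")" "$(format_event "$@")" 2>/dev/null || true
    return 0
}

# Run only when called with arguments, as the VRRP daemon does.
if [ "$#" -gt 0 ]; then
    handle_notify "$@"
fi
```

The script is attached with the notify any "PATH" form shown above, with PATH set to wherever the script is stored on the router.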

VRRP configuration example

router{conf:myconfig}vrrp1
router{conf:myconfig-vrrp1}bind eth2
router{conf:myconfig-vrrp1}master enable
router{conf:myconfig-vrrp1}virtual-route 10.22.0.0/24 eth0
router{conf:myconfig-vrrp1}virtual-ipaddress 10.23.2.102/24
router{conf:myconfig-vrrp1}track eth0 eth2