Junos OS Support for VRRPv3

 

The advantage of using VRRPv3 is that VRRPv3 supports both IPv4 and IPv6 address families, whereas VRRPv2 supports only IPv4 addresses.

The following topics describe the Junos OS support for and interoperability of VRRPv3, as well as some differences between VRRPv3 and its precursors:

Junos OS VRRP Support

In releases earlier than Release 12.2, Junos OS supported RFC 3768, Virtual Router Redundancy Protocol (VRRP) (for IPv4) and Internet draft draft-ietf-vrrp-ipv6-spec-08, Virtual Router Redundancy Protocol for IPv6.

VRRPv3 is not supported on routers that use releases earlier than Junos OS Release 12.2 and is also not supported for IPv6 on QFX10000 switches.

Starting with Release 12.2, Junos OS supports:

  • RFC 3768, Virtual Router Redundancy Protocol (VRRP)

  • RFC 5798, Virtual Router Redundancy Protocol (VRRP) Version 3 for IPv4 and IPv6

  • RFC 6527, Definitions of Managed Objects for Virtual Router Redundancy Protocol Version 3 (VRRPv3)

Note

VRRP (for IPv6) on routers that use Junos OS Release 12.2 and later releases does not interoperate with VRRP (for IPv6) on routers with earlier Junos OS releases because of the differences in VRRP checksum calculations. See IPv6 VRRP Checksum Behavioral Differences.

IPv6 VRRP Checksum Behavioral Differences

You must consider the following checksum differences when enabling IPv6 VRRP networks:

  • In releases earlier than Junos OS Release 12.2, when VRRP for IPv6 is configured, the VRRP checksum is calculated according to section 5.3.8 of RFC 3768, Virtual Router Redundancy Protocol (VRRP).

  • Starting with Junos OS Release 12.2, when VRRP for IPv6 is configured, irrespective of VRRPv3 being enabled or not, the VRRP checksum is calculated according to section 5.2.8 of RFC 5798, Virtual Router Redundancy Protocol (VRRP) Version 3 for IPv4 and IPv6.

    Moreover, the pseudoheader is included only when calculating the IPv6 VRRP checksum. The pseudoheader is not included when calculating the IPv4 VRRP checksum.

    To make the router with Junos OS Release 12.2 (or later Junos OS releases) IPv6 VRRP interoperate with the router running a Junos OS release earlier than Release 12.2, include the checksum-without-pseudoheader configuration statement at the [edit protocols vrrp] hierarchy level in the router running Junos OS Release 12.2 or later.

  • The tcpdump utility in Junos OS Release 12.2 and later calculates the VRRP checksum according to RFC 5798, Virtual Router Redundancy Protocol (VRRP) Version 3 for IPv4 and IPv6. Therefore, when tcpdump parses IPv6 VRRP packets that are received from older Junos OS releases (earlier than Junos OS Release 12.2), the bad vrrp cksum message is displayed:

    You can ignore this message because it does not indicate VRRP failure.

VRRP Interoperability

In releases earlier than Junos OS Release 12.2, VRRP (IPv6) followed Internet draft draft-ietf-vrrp-ipv6-spec-08, but checksum was calculated based on RFC 3768 section 5.3.8. Starting with Release 12.2, VRRP (IPv6) follows RFC 5798 and checksum is calculated based on RFC 5798 section 5.2.8. Because of the differences in VRRP checksum calculations, IPv6 VRRP configured on routers that use Junos OS Release 12.2 and later releases does not interoperate with IPv6 VRRP configured in releases before Junos OS Release 12.2.

To make the router with Junos OS Release 12.2 (or later Junos OS releases) IPv6 VRRP interoperate with the router running Junos OS releases earlier than Release 12.2, include the checksum-without-pseudoheader configuration statement at the [edit protocols vrrp] hierarchy level in the router with Junos OS Release 12.2 or later.

Here are some general points to know about VRRP interoperability:

  • If you have configured VRRPv3 (IPv4 or IPv6) on routers that use Junos OS Release 12.2 or later releases, it will not operate with routers that use Junos OS Release 12.1 or earlier releases. This is because only Junos OS Release 12.2 and later releases support VRRPv3.

  • VRRP (IPv4 or IPv6) configured on routers that use Junos OS Release 12.2 and later releases interoperate with VRRP (IPv4 or IPv6) configured on routers that use releases earlier than Junos OS Release 12.2.

  • VRRPv3 for IPv4 does not interoperate with the previous versions of VRRP. If VRRPv2 IPv4 advertisement packets are received by a router on which VRRPv3 is enabled, the router transitions itself to the backup state to avoid creating multiple masters in the network. Due to this behavior, you must be cautious when enabling VRRPv3 on your existing VRRPv2 networks. See Upgrading from VRRPv2 to VRRPv3 for more information.

    Note

    VRRPv3 advertisement packets are ignored by the routers on which previous versions of VRRP are configured.

Upgrading from VRRPv2 to VRRPv3

Enable VRRPv3 in your network only if VRRPv3 can be enabled on all the VRRP routers in your network.

Enable VRRPv3 on your VRRPv2 network only when upgrading from VRRPv2 to VRRPv3. Mixing the two versions of VRRP is not a permanent solution.

Caution

VRRP version change is considered catastrophic and disruptive and may not be hitless. The packet loss duration depends on many factors, such as number of VRRP groups, the interfaces and FPCs involved, and the load of other services and protocols running on the router.

Upgrading from VRRPv2 to VRRPv3 must be done very carefully to avoid traffic loss, due to these considerations:

  • It is not possible to configure VRRPv3 on all routers simultaneously.

  • During the transition period, both VRRPv2 and VRRPv3 operate in the network.

  • Changing VRRP versions restarts the state machine for all VRRP groups.

  • VRRPv3 (for IPv4) routers default to the backup state when they get VRRPv2 (for IPv4) advertisement packets.

  • VRRPv2 (for IPv4) packets are always given the highest priority.

  • Checksum differences between VRRPv2 and VRRPv3 (for IPv6) can create multiple master routers.

    Disable VRRPv3 (for IPv6) on the backup routers while upgrading to avoid creating multiple master routers.

Table 1 illustrates the steps and events that take place during a VRRPv2 to VRRPv3 transition. In Table 1, two VRRPv2 routers, R1 and R2, are configured in two groups, G1 and G2. Router R1 acts as the master for G1, and Router R2 acts as the master for G2.

Table 1: VRRPv2 to VRRPv3 Transition Steps and Events

  1. Upgrade Router R1 with Junos OS Release 12.2 or later.

    • Router R2 becomes the master for both G1 and G2.

    • After the upgrade of Router R1 is completed, Router R1 becomes the master for G1.

    • Router R2 remains the master for G2.

  2. Upgrade Router R2 with Junos OS Release 12.2 or later.

    • Router R1 becomes the master for both G1 and G2.

    • After the upgrade of Router R2 is completed, Router R2 becomes the master for G2.

    • Router R1 remains the master for G1.

For IPv4

For IPv6

  1. Enable VRRPv3 on Router R1.

    • Router R1 becomes the backup for both G1 and G2 because VRRPv2 IPv4 advertisement packets are given higher priority.

  2. Enable VRRPv3 on Router R2.

    • Router R1 becomes the master for G1.

    • Router R2 becomes the master for G2.

  1. Deactivate G1 and G2 on Router R2.

    • G1 and G2 on Router R1 become master.

  2. Enable VRRPv3 on Router R1.

    • Router R1 becomes the master for both G1 and G2.

  3. Enable VRRPv3 on Router R2.

  4. Activate G1 and G2 on Router R2.

    • Router R2 becomes the master for G2.

    • Router R1 remains the master for G1.

When enabling VRRPv3, make sure that VRRPv3 is enabled on all the VRRP routers in the network because VRRPv3 (IPv4) does not interoperate with the previous versions of VRRP. For example, if VRRPv2 IPv4 advertisement packets are received by a router on which VRRPv3 is enabled, the router transitions itself to the backup state to avoid creating multiple masters in the network.

You can enable VRRPv3 by configuring the version-3 statement at the [edit protocols vrrp] hierarchy level (for IPv4 or IPv6 networks). Configure the same protocol version on all VRRP routers on the LAN.

Functionality of VRRPv3 Features

Some Junos OS features differ in VRRPv3 from previous VRRP versions.

VRRPv3 Authentication

When VRRPv3 (for IPv4) is enabled, it does not allow authentication.

  • The authentication-type and authentication-key statements cannot be configured for any VRRP groups.

  • You must use non-VRRP authentication.

VRRPv3 Advertisement Intervals

VRRPv3 (for IPv4 and IPv6) advertisement intervals must be set with the fast-interval statement at the [edit interfaces interface-name unit 0 family inet address ip-address vrrp-group group-name] hierarchy level.

  • Do not use the advertise-interval statement (for IPv4).

  • Do not use the inet6-advertise-interval statement (for IPv6).

Unified ISSU for VRRPv3

Design changes for VRRP unified in-service software upgrade (ISSU) are made in Junos OS Release 15.1 to achieve the following functionality:

  • Maintain protocol adjacency with peer routers during unified ISSU. Protocol adjacency created on peer routers for the router undergoing unified ISSU should not flap, which means that VRRP on the remote peer router should not flap.

  • Maintain interoperability with competitive or complementary equipment.

  • Maintain interoperability with other Junos OS releases and other Juniper Network products.

The values of the following configurations (found at the [edit interfaces interface-name unit 0 family inet address ip-address vrrp-group group-name] hierarchy level) need to be kept at maximum values to support unified ISSU:

  • On the master router, the advertisement interval (the fast-interval statement) needs to be kept at 40950 milliseconds.

  • On the backup router, the master-down interval (the advertisements-threshold statement) needs to be kept at the largest threshold value.

This VRRP unified ISSU design only works for VRRPv3. It is not supported on VRRPv1 or VRRPv2. Other limitations include the following:

  • The VRRP unified ISSU takes care of VRRP only. Packet forwarding is the responsibility of the Packet Forwarding Engine. The Packet Forwarding Engine unified ISSU should ensure uninterrupted traffic flow.

  • VRRP is not affected by any change event during unified ISSU, for example, the switchover of the master Routing Engine to backup or the backup Routing Engine to master.

  • VRRP might stop and discard any running timer before entering into unified ISSU. This means the expected action upon the expiry of the timer never takes place. However, you can defer unified ISSU until the expiration of all running timers.

  • Unified ISSU at both local and remote routers cannot be done simultaneously.

Release History Table
Release
Description
Junos OS Release 12.2 and later releases support VRRPv3.