Understanding VRRP Between QFabric Systems

Juniper Networks QFabric systems support the Virtual Router Redundancy Protocol (VRRP). This topic covers how VRRP differs on QFabric systems and the configuration details.

VRRP Differences on QFabric Systems

Configuring servers on your network with static routes to a default gateway minimizes configuration effort and complexity and reduces processing overhead. However, a failure of the default gateway normally results in a catastrophic event, isolating the servers. Using Virtual Router Redundancy Protocol (VRRP) enables you to dynamically provide alternative gateways for servers if the primary gateway fails.

Switches configured with VRRP share a virtual IP (VIP) address, which is the address you configure as the default route on the servers. In normal VRRP operation, one of the switches is the VRRP primary, meaning that it owns the VIP and is the active default gateway. The other devices are backups. The switches dynamically assign primary and backup roles based on priorities that you configure. If the primary fails, the backup switch with the highest priority becomes the primary and takes ownership of the VIP within a few seconds. This is done without any interaction with the servers.

You can configure two QFabric systems to participate in a VRRP configuration as if they were two standalone switches. However, in normal VRRP operation, only one system can be the primary for a given VRRP group at any one time, which means that only one system can act as a default gateway using the VIP configured for the group. When running VRRP over two QFabric systems, you might want both systems to simultaneously use the VIP to act as a gateway and forward traffic. To achieve this, you can configure a firewall filter to block the VRRP advertisement packets between the QFabric systems on the link between the two network Node groups. When you do this, both QFabric systems act as primary and forward traffic received by the VIP (which is the default gateway address that you configure on servers connected to both QFabric systems). If you use VMware’s vMotion, this configuration allows virtual machines to transition between servers connected to the QFabric systems without updating their default gateway information. For example, a virtual machine running on a server connected to a QFabric system in data center A can transition to a server connected to a QFabric system in data center B without needing to resolve a new gateway IP address and MAC address because both QFabric systems use the same VIP.

Note:

To use a firewall filter to block VRRP traffic, create a firewall term that matches traffic for protocol vrrp and discards that traffic.

Configuration Details

Configuring a VRRP group across two QFabric systems is similar to configuring VRRP on two switches. The main differences are listed here:

  • All the interfaces in both QFabric systems that participate in VRRP must be members of the same VLAN.

  • You must create routed VLAN interfaces (RVIs) in that VLAN on both QFabric systems.

  • The IP addresses that you assign to both RVIs must be in the same subnet.

  • You must configure VRRP on the RVIs.

  • Both RVIs must be members of the same VRRP group. This is what allows the two QFabric systems to share a virtual IP address.

The following tables list the elements of an example VRRP configuration running on two QFabric systems: QFabric system A and QFabric system B. This example is configured so that both QFabric systems act as the VRRP primary for VIP 10.1.1.50/24 and assumes that a firewall filter blocks the VRRP advertisements between the systems. Table 1 lists the required characteristics of the RVIs in the example configuration.

Note:

Most of the configuration settings in the following tables would also apply in a traditional VRRP configuration. However, the advertisement interval and priority settings would need to be different (as noted).

Table 1: RVIs on QFabric systems in example VRRP configuration

| RVI on QFabric System A | RVI on QFabric System B |
|---|---|
| vlan.100 | vlan.200 |
| Member of VLAN 100. (Note that the VLAN is the same on both QFabric systems.) | Member of VLAN 100 |
| IP address 10.1.1.100/24 | IP address 10.1.1.200/24 |
| Member of VRRP group 500 | Member of VRRP group 500 |
| Virtual IP address 10.1.1.50/24 | Virtual IP address 10.1.1.50/24 |

You must configure VRRP on the RVIs on both QFabric systems. Table 2 lists the elements of a sample VRRP configuration on each RVI. Note that, with the exception of the priority, the parameters must be the same on both systems.

Table 2: Sample VRRP configuration on each RVI

| VRRP on RVI on QFabric System A | VRRP on RVI on QFabric System B |
|---|---|
| VRRP group 500 | VRRP group 500 |
| Virtual IP address 10.1.1.50/24 | Virtual IP address 10.1.1.50/24 |
| Advertisement interval 60 seconds. (In a normal VRRP configuration, you would set this interval to be much smaller, such as 1 second. However, in this configuration these packets are blocked by the firewall filter on the interface that connects to QFabric system B, so there is no need to send them frequently.) | Advertisement interval 60 seconds |
| Authentication type md5 | Authentication type md5 |
| Authentication key $9$1.4ElMVb2aGi4aZjkqzFRhSeWx7-wY2aM8 | Authentication key $9$1.4ElMVb2aGi4aZjkqzFRhSeWx7-wY2aM8 |
| Priority 254. (In a normal VRRP configuration, this value would be different on the two systems and the system with the higher value would be the primary. However, in this configuration both systems are acting as primary, so you do not have to configure different values.) | Priority 254 |

Note:

Priority 255 is not supported for RVIs.
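
The rules above (same VLAN, same subnet, same group and VIP, every VRRP parameter except priority identical, and no priority 255 on an RVI) can be checked before the configuration is committed on either system. The following Python check is an added example, not Juniper code: the class, field and function names are illustrative, the values come from Tables 1 and 2, and the authentication key is a placeholder.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class RviVrrp:
    """VRRP settings of one RVI. Field names are illustrative, not Junos statements."""
    rvi: str
    vlan_id: int
    address: str          # RVI address with prefix length
    group: int
    vip: str              # virtual IP with prefix length
    advert_interval: int  # seconds
    auth_type: str
    auth_key: str
    priority: int

# Parameters that must be identical on both systems (everything except priority).
SHARED = ("group", "vip", "advert_interval", "auth_type", "auth_key")

def check_pair(a: RviVrrp, b: RviVrrp) -> list[str]:
    """Return the rule violations for the pair; an empty list means consistent."""
    problems = []
    if a.vlan_id != b.vlan_id:
        problems.append("RVIs are not members of the same VLAN")
    nets = [ipaddress.ip_interface(s.address).network for s in (a, b)]
    if nets[0] != nets[1]:
        problems.append("RVI addresses are not in the same subnet")
    for name in SHARED:
        if getattr(a, name) != getattr(b, name):
            problems.append(f"{name} differs between the two systems")
    for side, net in zip((a, b), nets):
        if ipaddress.ip_interface(side.vip).ip not in net:
            problems.append(f"{side.rvi}: virtual IP is outside the RVI subnet")
        if not 1 <= side.priority <= 254:
            problems.append(f"{side.rvi}: priority must be 1-254 (255 is not supported for RVIs)")
    return problems

# Values from Tables 1 and 2; the key is a placeholder, not a real secret.
SYSTEM_A = RviVrrp("vlan.100", 100, "10.1.1.100/24", 500, "10.1.1.50/24", 60, "md5", "<shared-key>", 254)
SYSTEM_B = RviVrrp("vlan.200", 100, "10.1.1.200/24", 500, "10.1.1.50/24", 60, "md5", "<shared-key>", 254)

if __name__ == "__main__":
    for problem in check_pair(SYSTEM_A, SYSTEM_B) or ["pair is consistent"]:
        print(problem)
```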

Table 3 lists all the interfaces on QFabric system A in the example configuration and identifies what they connect to.

Table 3: Interfaces on QFabric system A. All interfaces are members of VLAN 100.

| VLAN 100 Interfaces on QFabric System A | Connects To |
|---|---|
| vlan.100 | vlan.200 |
| Network Node group interface QFA-NNG:xe-0/0/0 | QFB-NNG:xe-0/0/0 on QFabric system B |
| Network Node group interface QFA-NNG:xe-0/0/1 | Redundant server Node group interface QFA-RSNG:xe-0/0/0 |
| Redundant server Node group interface QFA-RSNG:xe-0/0/0 | Connects to a network Node group interface QFA-NNG:xe-0/0/1 |
| Redundant server Node group interface QFA-RSNG:xe-0/0/1 | LAN with servers running virtual machines |

Table 4 lists all the interfaces on QFabric system B in the example configuration and identifies what they connect to.

Table 4: Interfaces on QFabric system B. All interfaces are members of VLAN 100 (same as on QFabric system A).

| VLAN 100 Interfaces on QFabric System B | Connects To |
|---|---|
| vlan.200 | vlan.100 |
| Network Node group interface QFB-NNG:xe-0/0/0 | QFA-NNG:xe-0/0/0 on QFabric system A |
| Network Node group interface QFB-NNG:xe-0/0/1 | Redundant server Node group interface QFB-RSNG:xe-0/0/0 |
| Redundant server Node group interface QFB-RSNG:xe-0/0/0 | Connects to a network Node group interface QFB-NNG:xe-0/0/1 |
| Redundant server Node group interface QFB-RSNG:xe-0/0/1 | LAN with servers running virtual machines |