Virtual router redundancy protocol
Virtual Router Redundancy Protocol (VRRP) is a widely used protocol that provides device redundancy to eliminate the single point of failure inherent in static default-routed environment.
VRRP allows you to configure two or more routers to form a group. This group appears as a single default gateway with one virtual IP address and one virtual MAC address.
A back-up router automatically takes over if the primary / main router fails. In a VRRP set-up, the main router sends a VRRP packet known as an advertisement to the back-up routers. When the main router stops sending the advertisement, the back-up router sets the interval timer. If no advertisement is received within this hold period, the back-up router starts the failover routine.
VRRP specifies an election process in which, the router with the highest priority becomes the main router. If the priority is the same among the routers, the router with the highest IP address becomes the main router. The other routers are in backup state. The election process is initiated again if the main router fails, a new router joins the group, or an existing router leaves the group.
VRRP ensures a high availability default path without configuring dynamic routing or router discovery protocols on every end-host.
Citrix SD-WAN release version 10.1 supports VRRP version 2 and version 3 to inter-operate with any third party routers. Citrix SD-WAN release version 11.5 supports version 6. The SD-WAN appliance acts as the main router and direct the traffic to use the Virtual Path Service between sites. You can configure the SD-WAN appliance as the VRRP main router by configuring the Virtual Interface IP as the VRRP IP and by manually setting the priority to a higher value than the peer routers. You can configure the advertisement interval and the preempt option.
The below network diagram shows a Citrix SD-WAN appliance and a router configured as a VRRP group. The SD-WAN appliance is configured to be the main router. If the SD-WAN appliance fails, the back-up router takes-over within milliseconds, ensuring that there is no downtime.
To configure VRRP, in the Site configuration page, navigate to Configuration > Advanced Settings > VRRP > click + Add VRRP.
You can edit the following member path parameters:
-
VRRP group ID: The VRRP group ID. The group ID must be a value range is 1–255. The same group ID must be configured on the back-up routers too.
-
Version: The VRRP protocol version. You can choose between VRRP protocol V2 and V3.
-
Priority: The priority of the Citrix SD-WAN appliance for the VRRP group. The priority range is 1–254. Set this value to maximum (254) to make the SD-WAN appliance the main router.
Note
If the router is the owner of the VRRP IP address, the priority is set to 255 by default.
-
Advertisement Interval: The frequency in milliseconds, with which the VRRP advertisements are sent when the SD-WAN appliance is the main router. The default advertisement interval is one second.
-
Authentication Type: You can choose Plain Text to enter an authentication string. The authentication string is sent as a plain text without any encryption in the VRRP Advertisements. Choose None, if you do not want to set up authentication.
-
Authentication Text: The authentication string to be sent in the VRRP Advertisement. This option is enabled if the Authentication Type is Plain Text.
Note
The Authentication Type and Authentication Text parameters are enabled only for VRRP protocol version 2.
-
Use V2 Checksum: Enables compatibility with third party network devices for VRRPv3. By default, VRRPv3 uses the v3 checksum computation method. Certain third party devices might only support VRRPv2 checksum computation. In such cases, enable this option.
-
Virtual Interface: The virtual interface to be used for VRRP. If IPv6 is used, then the virtual interface will have NDP RA enabled by default. Choose one of the configured virtual interfaces.
-
Virtual IP Address: The virtual IP address assigned to the virtual interface. Choose one of the configured virtual IP addresses for the virtual interface. You can specify either the IPv4 or IPv6 address.
-
VRRP Router IP: The virtual router IP address for the VRRP group. By default, the Virtual IP address of the SD-WAN appliance is assigned as the virtual router IP address. The VRRP Virtual Router IP should be a link-local IPv6 address.
Limitations
- VRRP is supported in Gateway Mode deployment only.
- You can configure up to four VRRP IDs (VRID).
- Up to 16 virtual network interfaces can participate in VRID.
High Availability and VRRP
You can significantly reduce network downtime and traffic disruption by applying both the high availability and VRRP features on your SD-WAN network. Deploy a pair of Citrix SD-WAN appliance in active/standby roles along with a standby router to form the VRRP group. This group appears as a single default gateway with one virtual IP address and one virtual MAC address.
The following are 2 cases with the High Availability and VRRP deployment:
1st case: High availability failover timer on SD-WAN equals the VRRP failover timer.
The expected behavior is high availability switchover to happen before the VRRP switchover, that is the traffic continues to flow through the new Active SD-WAN appliance. In this case SD-WAN continues with the VRRP Master role.
2nd case: High availability failover timer on SD-WAN greater than the VRRP failover timer.
The expected behavior is the VRRP switchover to the router happens, that is the router becomes VRRP Master and traffic might momentarily flow through the router, bypassing the SD-WAN appliance.
But once the high availability switchover happens, SD-WAN again becomes VRRP Master, that is the traffic now flows through the new active SD-WAN appliance.
For more information on high availability deployment modes, see High Availability.