Citrix SD-WAN

Configure Virtual Router Redundancy Protocol

Virtual Router Redundancy Protocol (VRRP) is a widely used protocol that provides device redundancy to eliminate the single point of failure inherent in the static default-routed environment. VRRP allows you to configure two or more routers to form a group. This group appears as a single default gateway with one virtual IP address and one virtual MAC address.

A back-up router automatically takes over if the primary (master) router fails. In a VRRP set-up, the master router sends a VRRP packet, known as an advertisement, to the back-up routers. If the master router stops sending advertisements, the back-up router sets the interval timer. If no advertisement is received within this hold period, the back-up router initiates the failover routine.

VRRP specifies an election process in which the router with the highest priority becomes the master. If the priority is the same among the routers, the router with the highest IP address becomes the master. The other routers are in backup state. The election process is initiated again if the master fails, a new router joins the group, or an existing router leaves the group.

VRRP ensures a high availability default path without configuring dynamic routing or router discovery protocols on every end-host.

Citrix SD-WAN release version 10.1 supports VRRP version 2 and version 3 to inter-operate with any third-party routers. The SD-WAN appliance acts as a master router and directs the traffic to use the Virtual Path Service between sites. You can configure the SD-WAN appliance as the VRRP master by configuring the Virtual Interface IP as the VRRP IP and by manually setting the priority to a higher value than the peer routers. You can configure the advertisement interval and the preempt option.

The network diagram below shows a Citrix SD-WAN appliance and a router configured as a VRRP group. The SD-WAN appliance is configured to be the master. If the SD-WAN appliance fails, the back-up router takes over within milliseconds, ensuring that there is no downtime.

SDW VRRP

To configure the VRRP instance:

  1. In the Configuration Editor, navigate to Sites > Site name > VRRP and click +.

VRRP configuration1

  2. Configure a VRRP instance. Enter the values for the following fields:
  • VRRP group ID: The VRRP group ID. The group ID must be a value in the range 1–255. The same group ID must be configured on the back-up routers too.

Note

Currently you can configure up to four groups only.

  • Version: The VRRP protocol version. You can choose between VRRP protocol V2 and V3.
  • Priority: The priority of the Citrix SD-WAN appliance for the VRRP group. The priority range is 1–254. Set this value to maximum (254) to make the SD-WAN appliance the master.

Note

If the router is the owner of the VRRP IP address, the Priority is set to 255 by default.

  • Advertisement Interval: The frequency, in milliseconds, with which the VRRP advertisements are sent when the SD-WAN appliance is the master. The default advertisement interval is one second.
  • Authentication Type: You can choose Plain Text to enter an authentication string. The authentication string is sent as plain text, without any encryption, in the VRRP advertisements. Choose None if you do not want to set up authentication.
  • Authentication Text: The authentication string to be sent in the VRRP Advertisement. This option is enabled if the Authentication Type is Plain Text.

Note

Authentication is supported in VRRPv2 only.

  • Reclaim: Enables preemption when the priority of the SD-WAN appliance is highest in the VRRP group. This is used in the VRRP election process.
  • Use V2 Checksum: Enables compatibility with third-party network devices for VRRPv3. By default, VRRPv3 uses the v3 checksum computation method. Certain third-party devices might only support VRRPv2 checksum computation. In such cases, enable this option.
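
The Version, Authentication Type and Use V2 Checksum settings are all visible in the advertisement itself. The following is an added example, not Citrix code: it decodes an IPv4 VRRP advertisement using the RFC 3768 (v2) and RFC 5798 (v3) layouts, reports which checksum method the packet verifies under, and surfaces a plain-text authentication string. It assumes the v3 checksum method is the RFC 5798 one that also covers an IPv4 pseudo-header; the function names, addresses and sample packets are constructed for illustration.

```python
import ipaddress
import struct

VRRP_PROTO, VRRP_GROUP = 112, "224.0.0.18"  # IP protocol number, IPv4 multicast group

def inet_checksum(data):
    """RFC 1071 16-bit one's-complement checksum."""
    data += b"\x00" * (len(data) % 2)
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def pseudo_header(src, length):
    """IPv4 pseudo-header, covered by the v3 checksum method but not by the v2 one."""
    return (ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(VRRP_GROUP).packed
            + struct.pack("!BBH", 0, VRRP_PROTO, length))

def checksum_method(msg, src):
    """Return 'v2' or 'v3' for the method under which the checksum verifies, else None."""
    if inet_checksum(msg) == 0:
        return "v2"
    v3_ok = inet_checksum(pseudo_header(src, len(msg)) + msg) == 0
    return "v3" if v3_ok else None

def parse_advert(msg, src):
    """Decode one IPv4 VRRP advertisement; src is the sender's IP address."""
    if len(msg) < 8 or msg[0] & 0x0F != 1:
        raise ValueError("not a VRRP advertisement")
    version, end = msg[0] >> 4, 8 + 4 * msg[3]
    if version not in (2, 3) or len(msg) < end + (8 if version == 2 else 0):
        raise ValueError("unsupported version or truncated message")
    out = {"version": version, "vrid": msg[1], "priority": msg[2], "auth_text": None,
           "vips": [str(ipaddress.IPv4Address(msg[i:i + 4])) for i in range(8, end, 4)],
           "checksum": checksum_method(msg, src)}
    if version == 2:
        out["interval_ms"] = msg[5] * 1000  # v2 carries whole seconds
        if msg[4] == 1:  # auth type 1: string travels unencrypted after the addresses
            out["auth_text"] = msg[end:end + 8].rstrip(b"\x00").decode("ascii", "replace")
    else:
        out["interval_ms"] = (struct.unpack("!H", msg[4:6])[0] & 0x0FFF) * 10  # centiseconds
    return out

def build_advert(version, vrid, prio, vip, src, auth=b"", v2_checksum=False):
    """Build a constructed sample advertisement (1 s interval) for the demo."""
    head = bytes([version << 4 | 1, vrid, prio, 1])
    head += bytes([1 if auth else 0, 1]) if version == 2 else struct.pack("!H", 100)
    tail = ipaddress.IPv4Address(vip).packed + (auth.ljust(8, b"\x00") if version == 2 else b"")
    pre = b"" if version == 2 or v2_checksum else pseudo_header(src, len(head) + 2 + len(tail))
    return head + struct.pack("!H", inet_checksum(pre + head + b"\x00\x00" + tail)) + tail
```

Parsing `build_advert(2, 10, 254, "192.168.1.1", "192.168.1.2", auth=b"s3cret")` returns the authentication string in `auth_text`, exactly as any host on the segment would see it. A `checksum` value of `None`, or a method that differs between peers, points to corruption or to a Use V2 Checksum mismatch.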

Configure the VRRP IP address. Enter values for the following fields and click Apply.

  • Virtual Interface: The virtual interface to be used for VRRP. Choose one of the configured virtual interfaces.
  • Virtual IP Address: The virtual IP address assigned to the virtual interface. Choose one of the configured virtual IP addresses for the virtual interface.
  • VRRP Router IP: The virtual router IP address for the VRRP group. By default, the Virtual IP address of the SD-WAN appliance is assigned as the virtual router IP address.

    VRRP configuration2

VRRP Statistics

You can view the VRRP statistics under Monitoring > VRRP Protocol.

VRRP5

You can view the following statistics data:

  • VRRP ID: The VRRP group ID.
  • Version: The VRRP protocol version.
  • Interface: The virtual interface used for VRRP.
  • State: The VRRP state of the SD-WAN appliance. It indicates whether the appliance is a master or a backup.
  • Priority: The priority of the SD-WAN appliance for a VRRP group.
  • Virtual Router IP: The virtual router IP address for the VRRP group.
  • Advertisement Interval: The frequency of VRRP advertisements.
  • Enable: Select this to enable the VRRP instance on the SD-WAN appliance.
  • Disable: Select this to disable the VRRP instance on the SD-WAN appliance.

Limitations

  • VRRP is supported in Gateway Mode deployment only.
  • You can configure up to four VRRP IDs (VRID).
  • Up to 16 virtual network interfaces can participate in VRID.

High Availability and VRRP

You can significantly reduce network downtime and traffic disruption by leveraging both the high availability and VRRP features on your SD-WAN network. Deploy a pair of Citrix SD-WAN appliances in active/standby roles along with a standby router to form the VRRP group. This group appears as a single default gateway with one virtual IP address and one virtual MAC address.

HA VRRP

The following are the two cases with the above deployment:

1st case: High availability failover timer on SD-WAN equals the VRRP failover timer.

The expected behavior is for the high availability switchover to happen before the VRRP switchover; that is, the traffic continues to flow through the new active SD-WAN appliance. In this case, SD-WAN continues in the VRRP Master role.

2nd case: High availability failover timer on SD-WAN is greater than the VRRP failover timer.

The expected behavior is for the VRRP switchover to the router to happen; that is, the router becomes VRRP Master and traffic might momentarily flow through the router, bypassing the SD-WAN appliance.

But once the high availability switchover happens, SD-WAN again becomes VRRP Master; that is, the traffic now flows through the new active SD-WAN appliance.

For more information on high availability deployment modes, see High Availability.
