Support Support Downloads Knowledge Base Case Manager My Juniper Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

[SRX] Virtual Router Redundancy Protocol (VRRP) Configuration Example

0

0

Article ID: KB24681 KB Last Updated: 31 Mar 2020Version: 3.0
Summary:
How to configure Virtual Router Redundancy Protocol (VRRP) on SRX Devices
Solution:

For more information about the VRRP Overview and Configuration refer to Configuring VRRP documentation.
 

Configuration

Master Node:
------------------


- Configure the Virtual IP address which will be same for both Master/Backup devices.
  set interfaces fe-0/0/0 unit 0 family inet address 1.1.1.2/24 vrrp-group 1 virtual-address 1.1.1.1

- Then set the priority of the Master Node which should be greater than the priority of the Backup Node.
  set interfaces fe-0/0/0 unit 0 family inet address 1.1.1.2/24 vrrp-group 1 priority 200

- Then configure the authentication method if you want to have authentication for VRRP.
  set interfaces fe-0/0/0 unit 0 family inet address 1.1.1.2/24 vrrp-group 1 authentication-type md5

- Configure the password for authentication on the Master Node.
  set interfaces fe-0/0/0 unit 0 family inet address 1.1.1.2/24 vrrp-group 1 authentication-key Juniper

- The below accept-data command is used to accept data destined for Virtual IP address.
  set interfaces fe-0/0/0 unit 0 family inet address 1.1.1.2/24 vrrp-group 1 accept-data

- The below command is used to subtract from priority when interface is down. For example with below configuration if fe-0/0/1 goes down then VRRP will failover to Backup Node.
  set interfaces fe-0/0/0 unit 0 family inet address 1.1.1.2/24 vrrp-group 1 track interface fe-0/0/1 priority-cost 200

Backup Node:
-------------------


- On the backup Node again configure the common Virtual IP Address.
  set interfaces fe-0/0/0 unit 0 family inet address 1.1.1.3/24 vrrp-group 1 virtual-address 1.1.1.1

- The priority of the Backup Node should be less than the the priority of the Master.
  set interfaces fe-0/0/0 unit 0 family inet address 1.1.1.3/24 vrrp-group 1 priority 100

- The authentication configured on the Backup Node should match with the authentication of Master Node.
  set interfaces fe-0/0/0 unit 0 family inet address 1.1.1.3/24 vrrp-group 1 authentication-type md5

- The password configure should also be the same.
  set interfaces fe-0/0/0 unit 0 family inet address 1.1.1.3/24 vrrp-group 1 authentication-key Juniper

- This accept data command is required on Backup Node if you want to accept data for the Virtual IP on the Backup Node.
  set interfaces fe-0/0/0 unit 0 family inet address 1.1.1.3/24 vrrp-group 1 accept-data

- As mentioned above 'track' is used for interface monitoring and subtracts the priority cost for priority if the interface goes down. Rememeber even after subtraction the priority cannot go in -ve.
  set interfaces fe-0/0/0 unit 0 family inet address 1.1.1.3/24 vrrp-group 1 track interface fe-0/0/1 priority-cost 100

Verification:


Master Node:
------------------
root@Master> show vrrp brief 
Interface     State       Group   VR state VR Mode   Timer    Type   Address
fe-0/0/0.0    up              1   master   Active      A  0.724 lcl    1.1.1.2        
                                                                vip    1.1.1.1        
root@Master> show vrrp track      
Track Int   State         Speed   VRRP Int   Group   VR State      Current prio
fe-0/0/1.0  up             100m   fe-0/0/0.0     1   master                 200 
																
root@Master> show vrrp detail         
Physical interface: fe-0/0/0, Unit: 0, Address: 1.1.1.2/24
  Index: 75, SNMP ifIndex: 502, VRRP-Traps: disabled
  Interface state: up, Group: 1, State: master, VRRP Mode: Active
  Priority: 200, Advertisement interval: 1, Authentication type: md5
  Delay threshold: 100, Computed send rate: 0
  Preempt: yes, Accept-data mode: yes, VIP count: 1, VIP: 1.1.1.1            
  Advertisement Timer: 0.185s, Master router: 1.1.1.2
  Virtual router uptime: 20:56:41, Master router uptime: 20:37:55
  Virtual Mac: 00:00:5e:00:01:01 
  Tracking: enabled 
    Current priority: 200, Configured priority: 200 
    Priority hold time: disabled
    Interface tracking: enabled, Interface count: 1  
      Interface     Int state   Int speed   Incurred priority cost
      fe-0/0/1.0    up               100m                       0
    Route tracking: disabled

root@Master> show vrrp extensive   
Interface: fe-0/0/0.0, Interface index :75, Groups: 1, Active :1
  Interface VRRP PDU statistics
    Advertisement sent                       :84472     
    Advertisement received                   :743       
    Packets received                         :743        
    No group match received                  :0         
  Interface VRRP PDU error statistics
    Invalid IPAH next type received          :0         
    Invalid VRRP TTL value received          :0         
    Invalid VRRP version received            :0         
    Invalid VRRP PDU type received           :0         
    Invalid VRRP authentication type received:0         
    Invalid VRRP IP count received           :0         
    Invalid VRRP checksum received           :0

Physical interface: fe-0/0/0, Unit: 0, Address: 1.1.1.2/24
  Index: 75, SNMP ifIndex: 502, VRRP-Traps: disabled
  Interface state: up, Group: 1, State: master, VRRP Mode: Active
  Priority: 200, Advertisement interval: 1, Authentication type: md5
  Delay threshold: 100, Computed send rate: 0
  Preempt: yes, Accept-data mode: yes, VIP count: 1, VIP: 1.1.1.1            
  Advertisement Timer: 0.665s, Master router: 1.1.1.2
  Virtual router uptime: 20:56:56, Master router uptime: 20:38:10
  Virtual Mac: 00:00:5e:00:01:01 
  Tracking: enabled 
    Current priority: 200, Configured priority: 200 
    Priority hold time: disabled
    Interface tracking: enabled, Interface count: 1  
      Tracked interface: fe-0/0/1.0  
        Interface state: up Speed: 100m
        Incurred priority cost: 0
        Threshold   Priority cost   Active  
        down                  200
    Route tracking: disabled
  Group VRRP PDU statistics
    Advertisement sent                       :84472     
    Advertisement received                   :743       
  Group VRRP PDU error statistics
    Bad authentication Type received         :0         
    Bad password received                    :0         
    Bad MD5 digest received                  :0         
    Bad advertisement timer received         :0         
    Bad VIP count received                   :0         
    Bad VIPADDR received                     :0         
  Group state transition statistics
    Idle to master transitions               :0         
    Idle to backup transitions               :1         
    Backup to master transitions             :2         
    Master to backup transitions             :1           

Backup Node:
-------------------
root@Backup> show vrrp brief 
Interface     State       Group   VR state VR Mode   Timer    Type   Address
fe-0/0/0.0    up              1   backup   Active      D  3.507 lcl    1.1.1.3        
                                                                vip    1.1.1.1        
                                                                mas    1.1.1.2                

root@Backup> show vrrp track 
Track Int   State         Speed   VRRP Int   Group   VR State      Current prio
fe-0/0/1.0  up             100m   fe-0/0/0.0     1   backup                 100 

root@Backup> show vrrp detail 
Physical interface: fe-0/0/0, Unit: 0, Address: 1.1.1.3/24
  Index: 72, SNMP ifIndex: 527, VRRP-Traps: disabled
  Interface state: up, Group: 1, State: backup, VRRP Mode: Active
  Priority: 100, Advertisement interval: 1, Authentication type: md5
  Delay threshold: 100, Computed send rate: 0
  Preempt: yes, Accept-data mode: yes, VIP count: 1, VIP: 1.1.1.1            
  Dead timer: 2.651s, Master priority: 200, Master router: 1.1.1.2 
  Virtual router uptime: 02:11:02
  Tracking: enabled 
    Current priority: 100, Configured priority: 100 
    Priority hold time: disabled
    Interface tracking: enabled, Interface count: 1  
      Interface     Int state   Int speed   Incurred priority cost
      fe-0/0/1.0    up               100m                       0
    Route tracking: disabled

root@Backup> show vrrp extensive 
Interface: fe-0/0/0.0, Interface index :72, Groups: 1, Active :1
  Interface VRRP PDU statistics
    Advertisement sent                       :0         
    Advertisement received                   :8890      
    Packets received                         :8890       
    No group match received                  :0         
  Interface VRRP PDU error statistics
    Invalid IPAH next type received          :0         
    Invalid VRRP TTL value received          :0         
    Invalid VRRP version received            :0         
    Invalid VRRP PDU type received           :0         
    Invalid VRRP authentication type received:0         
    Invalid VRRP IP count received           :0         
    Invalid VRRP checksum received           :0

Physical interface: fe-0/0/0, Unit: 0, Address: 1.1.1.3/24
  Index: 72, SNMP ifIndex: 527, VRRP-Traps: disabled
  Interface state: up, Group: 1, State: backup, VRRP Mode: Active
  Priority: 100, Advertisement interval: 1, Authentication type: md5
  Delay threshold: 100, Computed send rate: 0
  Preempt: yes, Accept-data mode: yes, VIP count: 1, VIP: 1.1.1.1            
  Dead timer: 3.339s, Master priority: 200, Master router: 1.1.1.2 
  Virtual router uptime: 02:11:08
  Tracking: enabled 
    Current priority: 100, Configured priority: 100 
    Priority hold time: disabled
    Interface tracking: enabled, Interface count: 1  
      Tracked interface: fe-0/0/0.0  
        Interface state: up Speed: 100m
        Incurred priority cost: 0
        Threshold   Priority cost   Active  
        down                  100
    Route tracking: disabled
  Group VRRP PDU statistics
    Advertisement sent                       :0         
    Advertisement received                   :8890      
  Group VRRP PDU error statistics
    Bad authentication Type received         :0         
    Bad password received                    :0         
    Bad MD5 digest received                  :0         
    Bad advertisement timer received         :0         
    Bad VIP count received                   :0         
    Bad VIPADDR received                     :0         
  Group state transition statistics
    Idle to master transitions               :0         
    Idle to backup transitions               :1         
    Backup to master transitions             :0         
    Master to backup transitions             :0    


Remember VRRP is a Stateless High Availability Protocol for SRX Devices. In order to have a Stateful High Availability please goto KB21905.
Modification History:
2020-03-31: Article reviewed for accuracy; no changes needed.
Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search