Virtual Router Redundancy Protocol (VRRP) is a routing protocol that dynamically assigns responsibility for a virtual router to one of the VRRP routers on a LAN. The VRRP router that controls the virtual router's IP address is called the master router, and it is responsible for forwarding the packets sent to that virtual IP address. If the master router becomes unavailable, the election process provides a dynamic failover mechanism, so that the virtual router's IP address can still be used as the default first-hop router of the end hosts. The advantage of VRRP is a default path with higher availability, without having to configure dynamic routing or a router discovery protocol on every end host. VRRP packets are sent encapsulated in IP packets.
With VRRP, the default router can be configured manually or via DHCP using a virtual IP address. The virtual IP address is shared among several routers: one is designated the master router and the others are backup routers. If the master router becomes unavailable, the virtual IP address is mapped to a backup router's IP address (the backup router becomes the master router). VRRP can also be used for load balancing. VRRP exists for both IPv4 and IPv6.
VRRP runs over neither UDP nor TCP: VRRP packets are encapsulated directly in IP packets with protocol number 112. VRRP has only one control message, the advertisement. It is sent in IP packets addressed to the multicast group 224.0.0.18, so its distribution is limited to the local LAN.
Like ICMP and ARP, VRRP is carried directly over IP (protocol number 112), so Layer 3 devices that establish a VRRP master/backup relationship must be in the same LAN, connected at Layer 2. If the Layer 3 devices are connected through trunk ports on a switch, the VLAN in which the master/backup relationship is established must be allowed on the trunk. Two routers or firewalls running VRRP are usually connected through a Layer 2 switch, which in turn connects to the user access switches.
The operating principle of VRRP has many similarities with Cisco's HSRP (Hot Standby Routing Protocol). The main difference is that in Cisco HSRP a separate IP address must be configured as the externally visible address of the virtual router; this address is not the interface address of any member of the group.
Using VRRP greatly improves network availability without rebuilding the existing network structure, which protects the current investment at minimal overhead and gives the protocol considerable practical value.
HSRP: Hot Standby Router Protocol
Hot Standby Router Protocol (HSRP) is designed to handle failures in specific IP traffic scenarios: it allows hosts that appear to use a single router to keep their connectivity even when the actual first-hop router fails. In other words, when a source host cannot dynamically learn the IP address of its first-hop router, HSRP provides fault protection for that first-hop router. The protocol involves several routers that together correspond to one virtual router. HSRP allows only one router at a time to forward packets on behalf of the virtual router, and end hosts forward each packet to the virtual router.
The router responsible for forwarding packets is called the active router. If the active router fails, HSRP activates a standby router to take its place. HSRP provides the mechanism for deciding which router is active and which is standby, and designates a virtual IP address as the default gateway of the network. If the active router fails, the standby router takes over all of the active router's tasks without interrupting host communication.
HSRP runs over UDP on port 1985. A router sends its packets with its actual IP address as the source, not the virtual address; this is how HSRP routers recognize one another.
Differences between VRRP and HSRP
1. The functions of VRRP and HSRP are very similar, but in terms of security VRRP has a major advantage over HSRP: it allows an authentication mechanism to be established among the devices of a VRRP group. Unlike HSRP, which requires that the virtual router's IP address not be the address of any member router, VRRP allows this (if the router that "owns" the virtual router address is up and running, it should always manage the virtual router, equivalent to the active router in HSRP). To ensure that end hosts do not need to learn a new MAC address on failover, VRRP specifies the MAC address 00-00-5e-00-01-VRID, where VRID is the virtual router ID (equivalent to an HSRP group identifier).
2. Another difference is that VRRP has no equivalent of HSRP's coup message, and VRRP's state machine is simpler than HSRP's: HSRP has six states (Initial, Learn, Listen, Speak, Standby, Active) and eight events, whereas VRRP has only three states (Initialize, Master, Backup) and five events.
3. HSRP has three message types, which can be sent from three of its states: the Hello message, the Resign message and the Coup message. VRRP has a single message, the advertisement, which the master router sends periodically to announce its existence; these messages carry the parameters of the virtual router for detection and are also used for master router election.
4. HSRP messages are carried in UDP (HSRP uses UDP port 1985, and Hello messages are sent to the multicast address 224.0.0.2), whereas VRRP is carried in TCP messages.
5. VRRP security: the VRRP protocol includes three authentication methods: no authentication, a simple cleartext password, and MD5 HMAC / IP authentication.
6. The strongest authentication method uses the IP Authentication Header (AH) protocol, the same AH used in IPsec; it provides authentication of both the VRRP packet and the packet header. MD5 HMAC generates a hash value using a shared secret key. The sending router computes an MD5 hash over the VRRP packet and places it in the advertisement it sends; on receipt, the receiver uses the same key to compute the MD5 hash over the packet contents and header. If the results match, the message genuinely comes from a trusted host; if not, it must be discarded. This prevents an attacker who has gained access to the LAN from influencing the election through advertisement messages or from disrupting the network in some other way. In addition, VRRP includes a mechanism to ensure that VRRP packets cannot be injected from another, remote network (the TTL value must be 255 and is checked on receipt), which limits most attacks to local ones. HSRP, by contrast, uses a TTL value of 1 in its messages.
7. The VRRP master-down interval is 3 * advertisement interval + skew time.
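As an added example (not from the original post), the following Python code applies the receiver-side checks described above to a constructed VRRPv2 advertisement: TTL 255, destination 224.0.0.18, VRRPv2 format and checksum, the virtual MAC 00-00-5e-00-01-VRID, and the master-down interval. The skew-time formula (256 - priority)/256 seconds is an assumption taken from RFC 3768; the page only names the skew time.

```python
import struct
import ipaddress

VRRP_MULTICAST = "224.0.0.18"   # advertisement group named on the page

def ones_complement_checksum(data: bytes) -> int:
    """RFC 1071 style checksum; over a packet carrying a valid checksum the result is 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_advertisement(vrid: int, priority: int, adv_int: int, addrs) -> bytes:
    """Constructed VRRPv2 advertisement (version 2, type 1, auth type 0, 8 bytes of auth data)."""
    header = struct.pack("!BBBBBBH", (2 << 4) | 1, vrid, priority, len(addrs), 0, adv_int, 0)
    body = b"".join(ipaddress.IPv4Address(a).packed for a in addrs) + bytes(8)
    csum = ones_complement_checksum(header + body)
    return header[:6] + struct.pack("!H", csum) + body

def virtual_mac(vrid: int) -> str:
    """Page: the virtual router uses MAC address 00-00-5e-00-01-VRID."""
    return "00-00-5e-00-01-%02x" % vrid

def master_down_interval(adv_int: int, priority: int) -> float:
    """Page: 3 * advertisement interval + skew time. Skew = (256 - priority)/256 s (assumed, RFC 3768)."""
    return 3 * adv_int + (256 - priority) / 256

def validate_advertisement(pkt: bytes, ip_ttl: int, ip_dst: str):
    """Receiver-side checks from the page. Returns (ok, reason) or (ok, parsed fields)."""
    if ip_ttl != 255:
        return False, "TTL is not 255: packet did not originate on this LAN"
    if ip_dst != VRRP_MULTICAST:
        return False, "not addressed to %s" % VRRP_MULTICAST
    if len(pkt) < 16:
        return False, "truncated"
    ver_type, vrid, prio, count, auth_type, adv_int, _ = struct.unpack("!BBBBBBH", pkt[:8])
    if ver_type >> 4 != 2 or ver_type & 0x0F != 1:
        return False, "not a VRRPv2 advertisement"
    if len(pkt) != 16 + 4 * count:
        return False, "length does not match the address count"
    if ones_complement_checksum(pkt) != 0:
        return False, "checksum mismatch: corrupted or tampered"
    addrs = [str(ipaddress.IPv4Address(pkt[8 + 4 * i:12 + 4 * i])) for i in range(count)]
    return True, {"vrid": vrid, "priority": prio, "adv_int": adv_int, "auth_type": auth_type,
                  "addrs": addrs, "virtual_mac": virtual_mac(vrid),
                  "master_down": master_down_interval(adv_int, prio)}
```

A tampered packet (priority changed without recomputing the checksum) or one arriving with a TTL below 255 is rejected before any of its fields are acted on.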
For more information about switches and routers, please visit: http://demoploo.tumblr.com