Focus: Technical overview of VRRP, configuration, and troubleshooting

Transcription

1 Technical Reference Guide: Introduction to VRRP Focus: Technical overview of VRRP, configuration, and troubleshooting Table of Contents Using This Book...1 VRRP overiew...1 Monitored Circuit...3 Working with Switches Cisco...3 Nortel...3 Nokia OK applications...4 Checkpoint Firewall...4 NAT...4 Object Creation...4 Troublshooting Tools...4 ICLID...5 TCPDUMP...5 Cheat Sheet...5 Using This Book In this whitepaper, you will find both very high-level and low-level technical information spanning 1 RFC s, clustering, Firewalls, and common misconceptions. But we do leave out extreme detail since this white paper is targeted at the technical to the absolutely non-technical person. While you read this whitepaper, you will notice reader friendly 2 tags to help emphasize key terminology. VRRP Overview? What is VRRP and what does it have to do with High-availability? Redundant... Backup... Hot-standby... VRRP in simple terms is a protocol for high-availability of default routes. When machines on the network need to get out to the internet they require a path, there path in most cases is called a default router default route. The job of the default router is to send request to the next feasible host outside of its own network. VRRP makes it possible to have several routers act as a single virtual router for all hosts. The reason it is called a virtual router is that it uses a virtual IP that can move from router to router if a failure occurs. All the hosts on the network point to this virtual router. 1 RFC is a request for comment. 2 Friendly tag?

2 In a case where the primary 3 (master) router goes down, a peer router 4 (slave) will initiate an election to see who should become the new default router (master). This process would usually take only a moment so the end user usually would not even know something had gone wrong. Correctly implemented a VRRP group of routers can protect the network from critical downtime without having any end-user intervention. What is a cluster? The definition of a cluster can be taken differently in the technology field. When referring to clustering in this whitepaper, it implies a group of system with common configuration acting in concert as one unit. The rule of thumb is that all units have the same hardware capabilities in regards to CPU and memory, but in some cases this can be overlooked. When mixing system of different 5 capacity in a cluster the rule to always follow is that the least powerful member of a cluster can handle the traffic if the master fails. How does VRRP differ from Load-balancing technology?? The biggest difference between VRRP and load-balancing is the intelligence and complexity. As we discussed earlier VRRP is simply a mechanism for making default routes redundant without adding complexity to the network, but more so is the fact that VRRP is designed to only have one member active as a default route in one instance. Although as we will discuss in VRRP design later in the paper, vrrp can be configured to perform unintelligent load-sharing, this is not true load-balancing. 6 Load-balancing as was introduced in IPSO 3.6, is a method of intelligently sharing traffic amongst multiple members of a cluster. The intelligence is based on an algorithm that insures that traffic that starts on one firewall end back on that same firewall, thus avoiding 7 asymmetric routing issues. As we can see in diagram below clustering can be distinguished by the traffic going to two separate members of the three unit cluster. Although we can mimic traffic sharing to a certain degree with VRRP, we can not emulate the intelligence of loadbalancing. The closest VRRP can come to clustering is referred to as load-sharing. In essence load-sharing splits up either source or destination paths. This traffic separation is far from intelligent since traffic will stay on the same firewall based on a static or dynamic route. The only time traffic will move to another member is when a failure occurs. Although this sounds a bit complex we will cover this in the design section. 3 Master the VRRP enabled router with the highest priority 4 Slave any member of a VRRP group with a lower priority then the master 5 Capacity is the ability of a system to handle the same traffic load based on application and traffic requirements. The ability of a system to perform well in one application scenario does not imply that it would do the same for all application. 6 A little technical but a deeper explanation will be forthcoming 7 Asymmetric routing is a scenario where traffic comes through one path but leaves via a different path. This is a problem for some stateful firewalls that can not track the traffic flow. In most cases, stateful firewalls will drop the traffic assuming that something has broken in the communication.

3 Figure 1 Diagram of a cluster When do I use VRRP? Now that we have mapped out the differences between VRRP and Clustering, it should be fairly straight forward to decide when to use each. As a rule of thumb, use VRRP in environment that do not support bandwidth in excess of the appliances capabilities but require 24/7 uptime. 8 RFC 2338 Monitored Circuit defined When configuring monitored circuit essentially each interface regardless of the media type is considered a circuit. With the use of monitored circuit the appliance can track all interfaces in the event of failure. Working with Switches Cisco Configuration consideration when using Cisco switches 8 Request for comment

4 Step 1: Disable spanning-tree (STP) on the switch ports where VRRP is used. Step 2: In the even that STP can not be disabled, enable port-fast. The Syntax is as follows: Set spantree portfast 1/1-2 enabled Step 3: to disable port list allow for quicker port convergence The syntax is as follows: Set port channel port list off Step 4: If the switch appears to be causing VRRP flapping, turn off Nortel Nortel code should be at v1.47, SW v3.1.1 or higher to function correctly with VRRP. Nokia OK VRRP supported applications Checkpoint Firewall NAT A rule of thumb 1. There are two ways of creating static NAT entries for checkpoint FW. a. Create Proxy arp entries using voyager or CLISH b. Or create a monitored circuit using the NAT address as the backup address Object creation 1. Create the firewall objects 2. Create a cluster object 3. add all firewall objects to cluster object 4. In some versions of FW-1 you will need to create a rule for VRRP communication. Note: In NG it is essential to add the virtual addresses to the Firewall cluster object topology. Troubleshooting Tools On the occasion VRRP experiences problems, there are several Nokia tools available in the administrator s arsenal. At the top level of these tools, we have Voyager configuration summary page, CLISH, and Nokia configuration summary tool. These top level tools are meant to give the user a top level view of configurations in case a simple configuration error was made. In the event that configurations look correct the next step are the low-level troubleshooting tools such as Tcpdump and iclid. TCPdump, a packet capturing device that can help confirm correct communication between cluster members, whereas iclid lets the administrator check statistics in real-time for VRRP.

5 9 CLISH 10 ICLID ICLID 1. Command list a. Show vrrp: Good for overall look at vrrp configurations. If there are 4 interfaces participating in VRRP then we should see 4 Master or slave depending on the current appliance role. If one or more interfaces are down, then we should see one less interface visible. b. Show vrrp interface: drilldown to interface statistics, including current costs and delta. c. Show vrrp stat 2. Troubleshooting chart: Prior to working on chart check that the firewall rules or spoofing configuration are correct. Cheat Sheet to Troubleshooting VRRP: Table 1: Assume 4 Interfaces enabled with monitored circuit Interface state Observed notes Possible issue 4 Interfaces in slave status 3 Interfaces in slave 0 in master 1 interfaces in master 3 interface in slave Both units in master state TCPDUMP Priority of unit is lower then secondary unit or equal Priority on interfaces has been reduced equal to the delta of one interface In the case of election between equal weighted units the... Possible hardware issue, insure interface is correctly connected Insure firewall is not dropping connections Switch is not blocking VRRP communications Check TCPdump; insure VRRP hello packets are reaching. TCPDUMP functions: What syntax should be used when troubleshooting tcpdump? General filters: 1. Tcpdump i X = X references an interface. The interface can be listed by using the command ifconfig a. When performing the ifconfig a choose the logical name to substitute for the X. 9 A command line configuration interface for Nokia security appliances was introduced in IPSO A command line interface for getting system stats n

6 IP120 [admin] # ifconfig -a eth-s1p1c0: lname eth-s1p1c0 flags=e7<up,phys_avail,link_avail,broadcast,multicast,autolink> inet mtu 1500 inet /24 broadcast inet /24 broadcast vrrpmac 0:0:5e:0:1:64 phys eth-s1p1 flags=4133<up,link,broadcast,multicast,present> ether 0:a0:8e:21:4:70 speed 100M full duplex Figure 2: The bold logical name is used to substitute for X IP120[admin]# tcpdump -i eth-s1p1c0 tcpdump: listening on eth-s1p1c0 22:40: O > : VRRPv2-adver 20: vrid 100 pri 90 [tos 0xc0] 22:40: I 0:d0:ba:ae:b:7 > 1:80:c2:0:0:0 sap 42 ui/c len= d0ba ae0b d0ba ae0b f 00 22:40: O > : VRRPv2-adver 20: vrid 100 pri 90 [tos 0xc0] Figure 3: simple tcpdump 2. Filtering on Protocol: tcpdump -i eth-s1p1c0 proto vrrp in this scenario we are filtering the protocol for VRRP; we do not see additional irrelevant traffic. See note 11 directional symbols. The format would be tcpdump i eth-s1p1c0 proto vrrp. 3. In the case of VRRP we do not have to modify the capture size that default to 68 bytes. If we need a larger capture we would use the s X 12 -vv, X being the capture size we want. 4. The last filter we need to use would be 13 w Multiple interfaces: tcpdump i eth-s1p1 host & output statement 700 (process id for tcpdump running in background) Start the second interface tcpdump i eth-s1p2 host In the example above, we created a filter to listen only for traffic of host Using multiple interfaces can be very helpful in the case of multiple VRRP 15 transition on different interfaces. TCPDUMP Flags: 1. a attempt to convert IP addresses to names 2. -n do not convert addresses, ports, etc. to names 3. -p do not go promiscuous 4. -v pints more verbose such as TTL 5. Src & dst these two expressions can be used in conjunction with many filters such as host, net, port, etc. 11 The O equals outbound, whereas I implies inbound traffic 12 -vv this flag enables verbose capture 13 -w means write to file. A path and file name should be used 14 The multicast address is specified as the VRRP multicast address 15 A transition implies a movement from one state master to slave or vise versa

7 Dissecting TCPDUMP: 23:20: O > : VRRPv2-adver 20: vrid 100 pri 90 [tos 0xc0] 23:20: O > : VRRPv2-adver 20: vrid 100 pri 90 [tos 0xc0] 23:20: O > : VRRPv2-adver 20: vrid 100 pri 90 [tos 0xc0] 23:20: O > : VRRPv2-adver 20: vrid 100 pri 90 [tos 0xc0] VRRP advertisement. Since this unit believes he is master for Router ID 100, we see the advertisement Outbound to the network. Indicates the interval for advertisement The router ID identifies a vrrp group. All members of a vrrp group should have the identical ID The priority of 90 would imply that the unit has at least one monitored interface down since this unit has a default priority of 100 and a delta of 10, we can verify this by checking iclid or Voyager