VRRP Operating Principles

VRRP State Machine

VRRP defines three states: Initialize, Master, and Backup. Only a router in the Master state is allowed to forward packets sent to a virtual IP address.

Figure 1 shows the transition process of the VRRP states.

Figure 1 Transition process of the VRRP states

**Table 1** VRRP states
State	Description	Transition
Initialize	A VRRP router is unavailable and does not process VRRP Advertisement packets. A router enters the Initialize state when it starts or detects a fault.	After a router receives a Startup event, it changes its status as follows: Changes from Initialize to Master if the router is an IP address owner with a priority of 255. Changes from Initialize to Backup if the router has a priority less than 255.
Master	A router in the Master state provides the following functions: Sends a VRRP Advertisement packet each time the Adver_Interval timer expires. Responds to an ARP request with an ARP reply carrying the virtual MAC address. Forwards IP packets sent to the virtual MAC address. Allows ping to a virtual IP address by default.	The master router changes its status as follows: Changes from Master to Backup if the VRRP priority in a received VRRP Advertisement packet is higher than the local VRRP priority. Remains in the Master state if the VRRP priority in a received VRRP Advertisement packet is the same as the local VRRP priority. Changes from Master to Initialize after it receives a Shutdown event, indicating that the VRRP-enabled interface has been shut down. NOTE: If devices in a VRRP group are in the Master state and a device receives a VRRP Advertisement packet with the same priority as the local VRRP priority, the device compares the IP address in the packet with the local IP address. If the IP address in the packet is greater than the local IP address, the device switches to the Backup state. If the IP address in the packet is less than or equal to the local IP address, the device remains in the Master state.
Backup	A router in the Backup state provides the following functions: Receives VRRP Advertisement packets from the master router and checks whether the master router is working properly based on information in the packets. Does not respond to an ARP request carrying a virtual IP address. Discards IP packets sent to the virtual MAC address. Discards IP packets sent to virtual IP addresses. If, in preemption mode, it receives a VRRP Advertisement packet carrying a VRRP priority lower than the local VRRP priority, it preempts the Master state after a specified preemption delay. If, in non-preemption mode, it receives a VRRP Advertisement packet carrying a VRRP priority lower than the local VRRP priority it remains in the Backup state. Resets the Master_Down timer but does not compare IP addresses if it receives a VRRP Advertisement packet carrying a VRRP priority higher than or equal to the local VRRP priority.	A backup router changes its status as follows: Changes from Backup to Master after it receives a Master_Down timer timeout event. Changes from Backup to Initialize after it receives a Shutdown event, indicating that the VRRP-enabled interface has been shut down.

VRRP Implementation Process

The VRRP implementation process is as follows:

VRRP elects the master router from a VRRP group based on router priorities. Once elected, the master router sends a gratuitous ARP packet carrying the virtual MAC address to its connected device or host to start forwarding traffic.
The master router periodically sends VRRP Advertisement packets to all backup routers in the VRRP group to advertise its configurations (such as the priority) and operating status.
If the master router fails, VRRP elects a new master router from the VRRP group based on router priorities.
The new master router immediately sends a gratuitous ARP packet carrying the virtual MAC address and virtual IP address to update MAC entries on its connected device or host. After the update is complete, user traffic is switched to the new master router. The switching process is transparent to users.
If the original master router recovers and its priority is 255, it immediately switches to the Master state. If the original master router recovers and its priority is lower than 255, it switches to the Backup state and recovers the previously configured priority.
If a backup router's priority is higher than the master router's priority, VRRP determines whether to reelect a new master router, depending on the backup router's working mode (preemption or non-preemption).

To ensure that the master and backup routers work properly, VRRP must implement the following functions:

Master router election

VRRP determines the master or backup role of each router in a VRRP group based on router priorities. VRRP selects the router with the highest priority as the master router.

If routers in the Initialize state receive a Startup event and their priorities are lower than 255, they switch to the Backup state. The router whose Master_Down timer first expires switches to the Master state. The router then sends a VRRP Advertisement packet to other routers in the VRRP group to obtain their priorities.
- If a router finds that the VRRP Advertisement packet carries a priority higher than or equal to its priority, this router remains in the Backup state.
- If a router finds that the VRRP Advertisement packet carries a priority lower than its priority, the router may switch to the Master state or remain in the Backup state, depending on its working mode. If the router is working in preemption mode, it switches to the Master state; if the router is working in non-preemption mode, it remains in the Backup state.

If multiple VRRP routers enter the Master state at the same time, they exchange VRRP Advertisement packets to determine the master or backup role. The VRRP router with the highest priority remains in the Master state, and VRRP routers with lower priorities switch to the Backup state. If these routers have the same priority and the VRRP group is configured on a router's interface with the largest primary IP address, that router becomes the master router.
If a VRRP router is the IP address owner, it immediately switches to the Master state after receiving a Startup event.

Master router status advertisement

The master router periodically sends VRRP Advertisement packets to all backup routers in the VRRP group to advertise its configurations (such as the priority) and operating status. The backup routers determine whether the master router is operating properly based on received VRRP Advertisement packets.
- If the master router gives up the master role (for example, the master router leaves the VRRP group), it sends VRRP Advertisement packets carrying a priority of 0 to the backup routers. Rather than waiting for the Master_Down timer to expire, the backup router with the highest priority switches to the Master state after a specified switching time. This switching time is called Skew_Time, in seconds. The Skew_Time is calculated using the following equation:
  
  Skew_Time = (256 - Backup router's priority)/256
- If the master router fails and cannot send VRRP Advertisement packets, the backup routers cannot immediately detect the master router's operating status. In this situation, the backup router with the highest priority switches to the Master state after the Master_Down timer expires. The Master_Down timer value (in seconds) is calculated using the following equation:
  
  Master_Down timer value = (3 x Adver_Interval timer value) + Skew_Time

If network congestion occurs, a backup router may not receive VRRP Advertisement packets from the master router. If this situation occurs, the backup router proactively switches to the Master state. If the new master router receives a VRRP Advertisement packet from the original master router, the new master router will switch back to the Backup state. As a result, the routers in the VRRP group frequently switch between Master and Backup. You can configure a preemption delay to resolve this issue. After the configuration is complete, the backup router with the highest priority switches to the Master state only when all of the following conditions are met:

The Master_Down timer expires.
The configured preemption delay elapses.
The backup router does not receive VRRP Advertisement packets.

VRRP Authentication

VRRP supports different authentication modes and keys in VRRP Advertisement packets that meet various network security requirements.

On secure networks, you can use the non authentication mode. In this mode, a device does not authenticate VRRP Advertisement packets before sending them. After a peer device receives VRRP Advertisement packets, it does not authenticate them either, but it considers them authentic and valid.
On insecure networks, you can use the simple or message digest algorithm 5 (MD5) authentication mode.
- Simple authentication: Before a device sends a VRRP Advertisement packet, it adds an authentication mode and key to the packet. After a peer device receives the packet, the peer device checks whether the authentication mode and key carried in the packet are the same as the locally configured ones. If they are the same, the peer device considers the packet valid. If they are different, the peer device considers the packet invalid and discards it.
- MD5 authentication: A device uses the MD5 algorithm to encrypt the locally configured authentication key and saves the encrypted authentication key in the Authentication Data field. After receiving a VRRP Advertisement packet, the device uses the MD5 algorithm to encrypt the authentication key carried in the packet and checks packet validity by comparing the encrypted authentication key saved in the Authentication Data field with the encrypted authentication key carried in the VRRP Advertisement packet.

Only VRRPv2 supports authentication.
MD5 authentication is more secure than simple authentication.