Hello,
I’m a junior level administrator in a company.
I have implemented VRRP on two routers in one of our infrastructures. See the topology below.

The problem is that in order for it to work I had to choose sfp-1 (on both routers) for the VRRP. The result is that VRRP is indeed working, but the only problem is that clients on servers 1, 2 and 3 can see the VRRP multicast packets if they tcpdump the traffic.
My question is, using the topology above, how can I make it so that clients cannot see VRRP traffic?
I have a similar setup, but since VRRP (with VLANs under it) introduced a huge overhead causing high packet drops and lag on high throughput (mainly during DDoS attacks, even if they were much smaller than what the uplink could handle), I reconfigured VRRP so that it’s not in the data path but rather brings the interfaces up/down (among other things in my case, i.e. BGP MED values) using the scripting functionality.
My SFP interfaces have only VLANs and the VRRP interface underneath them. I don’t use VLAN id 1 (except for the VRRP communication, see below) for client traffic. All clients are on VLANs.
Something like this:
MASTER:

BACKUP:

So, the VRRP interface runs on the default VLAN using LAN IPs for its communication, and then the ‘On master’ & ‘On Backup’ scripting functionality is used to bring the VLAN interfaces up or down (disable/enable).
The net result is that the clients do not see any VRRP traffic and the router can forward 10Gbps without any packet drops or lag.
Also this allows me to configure whichever VLAN I want to failover on the adjacent router without failing over everyone.
One caveat with this setup is that you MUST configure both SFP interfaces on both routers to have the same MAC address, otherwise during failover you will get tons of timeouts on clients until they refresh their ARP cache to get the new MAC address.
I suppose, if you don’t use VLANs, you could set up VRRP on sfp-8 and use the same principle by disabling/enabling the sfp-1 interface on the master/backup router.
Of course this way, if you have a physical failure (i.e. a cable fault) on sfp-1 it won’t fail over, since VRRP would still have communication with the adjacent router via sfp-8.
Alternatively maybe the switch can drop the multicast VRRP traffic so that clients cannot see it at all? I am not sure how/if that can be done. Surely this depends on the switch vendor and functionality.
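To make the reply's approach concrete, here is an added example configuration that is not from the thread or its author. It assumes a MikroTik RouterOS device (the interface names in the thread suggest one, but the thread does not say so), and every interface name, VLAN id, IP address and MAC address is a constructed placeholder. VRRP runs untagged on sfp1 so its advertisements to 224.0.0.18 never enter a client VLAN, and the on-master/on-backup scripts enable or disable the client VLAN interfaces; the VLAN gateway addresses are identical on both routers, and the same locally administered MAC is pinned on sfp1 of both so clients' ARP entries survive a failover, as the reply's caveat requires.

```routeros
# ===== MASTER router (constructed example, placeholder values) =====
# Same MAC on sfp1 of both routers, otherwise clients time out after a
# failover until their ARP cache expires (reply's caveat).
/interface ethernet set [find default-name=sfp1] mac-address=02:00:00:AA:BB:01

# Client VLANs ride tagged on sfp1; untagged VLAN 1 carries no clients,
# only the VRRP keepalives.
/interface vlan
add name=vlan100 interface=sfp1 vlan-id=100 comment="clients-A"
add name=vlan200 interface=sfp1 vlan-id=200 comment="clients-B"

# Gateway addresses are identical on both routers; only the router whose
# VLAN interfaces are enabled answers for them.
/ip address
add address=192.168.100.1/24 interface=vlan100
add address=192.168.200.1/24 interface=vlan200

# Dedicated LAN addressing for the VRRP exchange on untagged sfp1.
/ip address add address=10.255.0.2/30 interface=sfp1

# VRRP is not in the data path: it only flips the VLAN interfaces.
/interface vrrp
add name=vrrp1 interface=sfp1 vrid=1 priority=200 \
    on-master="/interface enable vlan100,vlan200" \
    on-backup="/interface disable vlan100,vlan200"
/ip address add address=10.255.0.1/32 interface=vrrp1

# ===== BACKUP router (constructed example, placeholder values) =====
/interface ethernet set [find default-name=sfp1] mac-address=02:00:00:AA:BB:01

/interface vlan
add name=vlan100 interface=sfp1 vlan-id=100 comment="clients-A"
add name=vlan200 interface=sfp1 vlan-id=200 comment="clients-B"

/ip address
add address=192.168.100.1/24 interface=vlan100
add address=192.168.200.1/24 interface=vlan200
add address=10.255.0.3/30 interface=sfp1

# Lower priority, so this router stays backup while the master is alive.
/interface vrrp
add name=vrrp1 interface=sfp1 vrid=1 priority=100 \
    on-master="/interface enable vlan100,vlan200" \
    on-backup="/interface disable vlan100,vlan200"
/ip address add address=10.255.0.1/32 interface=vrrp1

# Start with the client VLANs down on the backup; VRRP enables them on
# promotion to master.
/interface disable vlan100,vlan200
```

To fail over only some VLANs (the per-VLAN control the reply mentions), a second VRRP instance with a different vrid on the same sfp1, whose scripts name only that VLAN subset and whose priorities are inverted on the two routers, keeps the remaining VLANs on the other router. After applying this, a tcpdump on a client VLAN for `ip proto 112` should show no advertisements, while the same capture on untagged VLAN 1 still does.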
Thanks for the detailed response. I will definitely check it out and see what I can do.
Regarding the blocking of multicast traffic at switch level, that is something that is not desirable, because there are other protocols/services that run over multicast, and blocking multicast traffic will bring them down.
Again thanks for the tips.