In this lesson, we will learn how to configure VRRP on Juniper devices. We will use a Juniper SRX box for the lab; however, the process is the same for all Junos devices. So, let’s start.

We will configure –

  • Enable VRRP
  • Accept-data
  • Preemption
  • Authentication
  • Track
Figure: Configure VRRP on Juniper Router

Configuration:

Before going deeper, let’s check our current configuration.

Interface:

[edit]
root@R1# show | display set | match interface
set interfaces ge-0/0/0 unit 0 family inet address 1.1.1.2/30
set interfaces ge-0/0/1 unit 0 family inet address 10.1.1.2/24

[edit]
root@R2# show | display set | match interface
set interfaces ge-0/0/0 unit 0 family inet address 2.2.2.2/30
set interfaces ge-0/0/1 unit 0 family inet address 10.1.1.3/24

Routing:

[edit]
root@R1# show | display set | match routing
set routing-options static route 0.0.0.0/0 next-hop 1.1.1.1

[edit]
root@R2# show | display set | match routing
set routing-options static route 0.0.0.0/0 next-hop 2.2.2.1

We have other configuration as well. However, let’s move to the main configuration part:

VRRP configuration for Router R1:

According to our plan, we will do the VRRP configuration on the ge-0/0/1 interface. In Junos, the VRRP configuration sits under the IP address statement. So, let’s use the power of the edit command here 🙂

[edit]
root@R1# edit interfaces ge-0/0/1 unit 0 family inet address 10.1.1.2/24

Now, let’s configure the VRRP group, which makes it possible to run multiple VRRP instances. We can use any number between 0-255 as the VRRP group.

[edit interfaces ge-0/0/1 unit 0 family inet address 10.1.1.2/24]
root@R1# set vrrp-group 1

At this point, we will configure VRRP parameters.

[edit interfaces ge-0/0/1 unit 0 family inet address 10.1.1.2/24]
root@R1# set vrrp-group 1 virtual-address 10.1.1.1

The virtual address is the gateway for all the LAN users. Now, configure the priority to make this router the master. We will set priority 150; the default is 100.

[edit interfaces ge-0/0/1 unit 0 family inet address 10.1.1.2/24]
root@R1# set vrrp-group 1 priority 150

Accept-data is another important parameter for VRRP. So, what does accept-data do?

Without the accept-data command, and with a priority lower than 255, all packets are blocked except ARP. So, if you want to enable ping/SSH/Telnet/etc. on the virtual address (VIP), you need to enable accept-data on the routers.

[edit interfaces ge-0/0/1 unit 0 family inet address 10.1.1.2/24]
root@R1# set vrrp-group 1 accept-data

Also, let’s enable preemption, which keeps R1 as the master whenever it is up and running.

[edit interfaces ge-0/0/1 unit 0 family inet address 10.1.1.2/24]
root@R1# set vrrp-group 1 preempt

For authentication, we have two options here. One is md5 (HMAC-MD5-96) and the other is simple (simple password).

[edit interfaces ge-0/0/1 unit 0 family inet address 10.1.1.2/24]
root@Juniper-01# set vrrp-group 1 authentication-type ?
Possible completions:
  md5                  HMAC-MD5-96
  simple               Simple password

We will configure md5 here, so let’s do that. We will use Juniper as our authentication key.

[edit interfaces ge-0/0/1 unit 0 family inet address 10.1.1.2/24]
root@Juniper-01# set vrrp-group 1 authentication-type md5

[edit interfaces ge-0/0/1 unit 0 family inet address 10.1.1.2/24]
root@Juniper-01# set vrrp-group 1 authentication-key Juniper

As a best practice, we can also track our uplink so that if it goes down, the secondary takes over.

[edit interfaces ge-0/0/1 unit 0 family inet address 10.1.1.2/24]
root@Juniper-01# set vrrp-group 1 track interface ge-0/0/0.0 priority-cost 50

So, the final configuration for R1 is:

interfaces {
    ge-0/0/1 {
        unit 0 {
            family inet {
                address 10.1.1.2/24 {
                    vrrp-group 1 {
                        virtual-address 10.1.1.1;
                        priority 150;
                        preempt;
                        accept-data;
                        authentication-type md5;
                        authentication-key "**************"; ## SECRET-DATA
                        track {
                            interface ge-0/0/0.0 {
                                priority-cost 50;
                            }
                        }
                    }
                }
            }
        }
    }
}

VRRP configuration for Router R2:

interfaces {
    ge-0/0/1 {
        unit 0 {
            family inet {
                address 10.1.1.3/24 {
                    vrrp-group 1 {
                        virtual-address 10.1.1.1;
                        priority 110;
                        preempt;
                        accept-data;
                        authentication-type md5;
                        authentication-key "**************"; ## SECRET-DATA
                    }
                }
            }
        }
    }
}
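
As an added example (not part of the original lesson and not Juniper tooling), the Python code below checks the two final configurations: it computes R1's priority once the tracked uplink ge-0/0/0.0 is down, confirms that it falls below R2's priority so that R2 takes over, and flags a peer that does not use md5 authentication. The function names and the "display set" sample lines are constructed for illustration.

```python
import re

BASE = "set interfaces ge-0/0/1 unit 0 family inet address {} vrrp-group 1 {}"
COMMON = ["virtual-address 10.1.1.1", "preempt", "accept-data",
          "authentication-type md5"]
# Constructed input: this lesson's R1 and R2 settings in "display set" form.
R1 = [BASE.format("10.1.1.2/24", s) for s in
      COMMON + ["priority 150", "track interface ge-0/0/0.0 priority-cost 50"]]
R2 = [BASE.format("10.1.1.3/24", s) for s in COMMON + ["priority 110"]]

def parse(lines):
    """Collect one router's vrrp-group settings from 'display set' lines."""
    g = {"priority": 100, "authentication-type": None,
         "virtual-address": None, "track": {}}  # 100 is the default priority
    for line in lines:
        m = re.search(r"\bvrrp-group \d+ (.+)$", line.strip())
        if not m:
            continue
        w = m.group(1).split()
        if w[0] == "track" and len(w) == 5 and w[3] == "priority-cost":
            g["track"][w[2]] = int(w[4])  # tracked interface -> priority-cost
        elif w[0] == "priority" and len(w) == 2:
            g["priority"] = int(w[1])
        elif w[0] in ("authentication-type", "virtual-address") and len(w) == 2:
            g[w[0]] = w[1]
    return g

def effective_priority(g, down=()):
    """Priority after subtracting the cost of every tracked interface in `down`."""
    return g["priority"] - sum(c for i, c in g["track"].items() if i in down)

def audit(master, backup):
    """Return findings for a parsed master/backup pair (hypothetical helper)."""
    out = []
    for name, g in (("master", master), ("backup", backup)):
        if g["authentication-type"] != "md5":
            out.append(f"{name}: authentication-type {g['authentication-type']}")
    if master["virtual-address"] != backup["virtual-address"]:
        out.append("virtual-address differs between peers")
    for ifc in master["track"]:
        # A backup takes over only when its priority is strictly higher.
        if effective_priority(master, {ifc}) >= backup["priority"]:
            out.append(f"{ifc} down: priority-cost too small, no failover")
    return out

if __name__ == "__main__":
    r1, r2 = parse(R1), parse(R2)
    print(effective_priority(r1, {"ge-0/0/0.0"}), audit(r1, r2))
```

With the lesson's values, R1 drops from 150 to 100 when the uplink fails, which is below R2's 110; a priority-cost of 30 would leave R1 at 120 and the audit would report that no failover happens.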

Written by Rajib Kumer Das

I am Rajib Kumer Das, a network engineer with 7+ years of experience in multi-vendor environments. In my current company, I am responsible for taking care of critical projects and their support cases. I have several vendor certificates and plan to go further.
