
Understanding and applying routing high availability on Mikrotik Routers

Trainer: Diego Alejandro Rivera Montao


Santa Cruz - Bolivia
Class Objectives
The students will learn about Mikrotik's routing high
availability features.
The students will learn about the Virtual Router Redundancy
Protocol and the way the protocol works.
The students will learn how to configure VRRP features on a
Mikrotik device.
The students will implement a redundant VRRP network by
applying the learnt configurations on Mikrotik devices.
Labs during the class
Use VRRP with one router as the main router and
the other as the backup for a LAN
network.
Use VRRP to permit access to Internet or other
networks.
Monitor interfaces to guarantee proper use of
VRRP.
Equipment needed for labs
Two students will work together for each lab.
They will need:
2 Mikrotik routers.
1 Switch with at least 3 free ports
1 Laptop
3 short patch cords (1m) and 2 long patch cords (at least 3m)
Virtual Router Redundancy Protocol
Virtual Router Redundancy Protocol (VRRP) is an IEEE standard
protocol.
It is a gateway redundancy protocol.
As its name suggests, it allows the user to create a virtual router.
One virtual router is created.
There are two roles for routers:
Master router
Backup router
VRRP Router roles
Master router:
It handles packet forwarding and ARP responses.
It will send hello messages to all the other routers in the
VRRP group.
Backup router:
This router waits for hello messages from the master
router.
In case the master fails, it will take the master role.
VRRP Router states
A router has different states:
Initialize: In this state the router waits for a startup event.
Backup: In this state the router monitors the availability and state
of the Master router.
Master: The router will forward any packets coming from the
clients.
VRRP Group

All routers involved should be part of a VRRP Group.


Each group is defined by Virtual Router ID (VRID).
The master router is selected from all the routers with
the same VRID.
Each router is able to support multiple VRIDs.
VRRP Priority

Priority is a value configured on every router that is
part of a VRRP group.
It is a value from 0 to 255.
The higher value has the better priority.
It is a value configured manually on each router.
How is the Master router selected

All routers advertise their VRID and priority value.

The router with the highest priority will take the master role and
all the other routers will change from Init state to backup.

In case two routers have the same priority, the router with the
highest primary IP address will be selected as master.
Lab 1 VRRP configuration on two Mikrotik Routers
Let's reset both routers with no default configuration.
Replace X with your group number
Lab 1 - Steps

What are we gonna do for this lab?


1. Configure a unique IP address on each router.

2. Create a VRRP interface on each of the routers.

3. Configure the virtual IP address on both routers.

4. Test.
Lab 1 Step 1
What IP address must we configure on each router?
Router 1: 192.168.X.2/24
Router 2: 192.168.X.3/24
X must be replaced by the group number assigned by
the trainer.
These addresses must be configured on the interface
ether2
Lab 1 Step 2
Let's create a VRRP interface. Menu access is shown in this image:

Which values should be configured:


VRRP interface name: vrrp2
VRID: 2
Priority: 120 for Router 1; 110 for Router 2
Lab 1 Step 3
Add a second IP address.
The address will be 192.168.X.1/32. X is still the group number given
by the trainer
The virtual IP address must be configured and assigned to the new VRRP
interface.
Same on both routers
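Steps 1 to 3 as RouterOS terminal commands. This is an added example, not taken from the original slides. It assumes group number X = 10 (a constructed value) and that the VRRP interface is bound to ether2, the interface that carries the unique addresses.

```routeros
# Added example, not from the original slides. X = 10 is a constructed group number.

# --- Router 1 (priority 120, expected master) ---
# Step 1: unique address on ether2
/ip address add address=192.168.10.2/24 interface=ether2 comment="Router 1 unique LAN address"
# Step 2: VRRP interface vrrp2 with VRID 2 (assumed to run on ether2)
/interface vrrp add name=vrrp2 interface=ether2 vrid=2 priority=120
# Step 3: virtual address as /32 on the VRRP interface
/ip address add address=192.168.10.1/32 interface=vrrp2 comment="virtual gateway address"

# --- Router 2 (priority 110, expected backup) ---
/ip address add address=192.168.10.3/24 interface=ether2 comment="Router 2 unique LAN address"
/interface vrrp add name=vrrp2 interface=ether2 vrid=2 priority=110
/ip address add address=192.168.10.1/32 interface=vrrp2 comment="virtual gateway address"

# --- Check on each router: the flags column shows which one is master and which is backup ---
/interface vrrp print
/ip address print where interface=vrrp2
```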
Lab 1 Step 4
We can easily test the lab by executing a ping command and send packets
to the default Gateway IP address 192.168.X.1.
Ping should be done continuously while both routers are connected at the
same time.
First, let's disconnect Router1. Some pings could be lost, but ping should start working again.
Router 2 has changed to Master state.
Connect Router 1 back and check which router is the Master now.
We are done with this first lab.
Let's back up the configurations!!!
VRRP MAC Address
Check ARP Dynamic entries on your computer.
Here is an output from the LAB:

00-00-5E-00-01-0A is a MAC address used by the VRRP
protocol; it identifies the group number.
All VRRP Virtual Routers have a MAC address of 00-00-5E-00-01-XX.
The XX value would be replaced by the VRID configured on the
routers (0A hex for our VRID of 10).
Lab 2 VRRP and Internet access
For VRRP networks to work properly, some tracking must be applied.
Here is an example:
Lab 2 - Steps

What are we gonna do for this lab?


1. Create a second vrrp interface on both routers (all steps applied on Lab

2. Test

3. Configure tracking for VRRP1

4. Test

5. Configure tracking for VRRP2

6. Test
Lab 2 Step 1
Let's keep the configuration from Lab 1.
We configure a new IP address, virtual IP address and VRRP interface.
1. VRID: X (number assigned by trainer)

2. IP addresses: according to diagram on prior slide

3. Priority: same priority as vrrp2

4. VRRP Interface name: vrrp1


Lab 2 Step 2
Let's try a ping test from the Client to Router 0 (192.168.1.254).
Make it continuous.
Everything is working.
Now let's try turning Router1 off. What happens?
At this point, Router2 will take the Master role. Check it in the VRRP interface
status.
Let's bring Router1 back.
Now let's try testing with only one interface down.
Lab 2 Step 2
Disconnect ether1 in Router1

It does not work.


Lab 2 Step 2
Let's check the VRRP status on Router 2. It is showing as Master for VRRP1,
but it is still Backup in VRRP2.
The client is still sending all its requests to Router1, and Router1
drops all of them as it does not have access to any other network.
To fix this we need to do some tracking.
Let's connect everything back.
Lab 2 - Tracking
We got two ways to track the status of network access on a router:
Interface tracking: Act on an interface status change. (i.e. Interface changes to
down status)
Ping tracking: Act on the result of a ping test to a certain IP.
Lab 2 - Tracking
Interface tracking is not to be completely trusted.
A router could have all its interfaces working, but network access
could be blocked. Let's use ping tracking whenever we can.

Let's think back to the LAB. If the connection from Router1 to Router0 is
down, it means Internet access is lost.
We could set up a ping test to monitor if we have connection to
Router0.
Lab 2 Tracking
Mikrotik routers have an embedded tool for this: Netwatch.
Netwatch allows us to set up a script for the Up and Down
status of a ping test.
What do we need to do to make our network work? Make
sure that Router1 stops being Master when one of its
interfaces is down.
How do we make sure a router loses its master state? Make
sure it has lower priority than the backup routers.
Lab 2 Step 3
Let's create a Netwatch rule. Use this information:
Host: Router0
Interval: to be defined by the group (Explain why you select
that Interval value)
Timeout: to be defined by the group (Explain why you select
that Interval value)
Up script: LAN1UP
Down script: LAN1DOWN
Lab 2 Step 3
When ping to 192.168.1.254 fails, priority on VRRP 2 will
change to 1. In case ping works, it will get its priority back to
120.
Let's create two scripts:
Both scripts need only the read and write policies.
LAN1DOWN:
/interface vrrp set priority=1 [find name=vrrp2]
LAN1UP:
/interface vrrp set priority=120 [find name=vrrp2]
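The Netwatch rule and the two scripts from Step 3 as RouterOS terminal commands, to be run on Router1. This is an added example, not taken from the original slides. The interval and timeout values are constructed placeholders, since the lab leaves them to each group, and calling the scripts with "/system script run" is one way to reference them by name from Netwatch.

```routeros
# Added example, not from the original slides. Run on Router1.

# Scripts limited to the read and write policies, with the bodies given on the slide
/system script add name=LAN1DOWN policy=read,write source="/interface vrrp set priority=1 [find name=vrrp2]"
/system script add name=LAN1UP policy=read,write source="/interface vrrp set priority=120 [find name=vrrp2]"

# Ping Router0 (192.168.1.254) and run the matching script on each state change.
# interval=5s and timeout=1s are constructed values: each group picks and justifies its own.
/tool netwatch add host=192.168.1.254 interval=5s timeout=1s \
    up-script="/system script run LAN1UP" \
    down-script="/system script run LAN1DOWN" \
    comment="track the path to Router0"

# Check the probe state and the priority currently applied to vrrp2
/tool netwatch print
/interface vrrp print detail where name=vrrp2
```

With these values the priority change follows a failure by at most one probe interval plus the timeout, which is the trade-off to explain when choosing them.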
Lab 2- Step 4
Let's test it once again:

It works!
Lab 2 Step 5
Let's try a different interface:

It does not work. We need to do something similar for the LAN2.


Lab 2 Step 5
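On the LAN we don't have any fixed device, so we can't rely on ping
tracking. We will have to use interface tracking.
For this, let's create a script that checks the LAN interface and
changes the priority on VRRP group 2:
# ether2 running: restore priority 120 if it was lowered to 1. ether2 down: lower priority to 1.
# The VRRP interface is selected by name, because item numbers are not available inside scripts.
:if ([/interface get [find name="ether2"] running]=true) do={
  :if ([/interface vrrp get [find name="vrrp2"] priority]=1) do={/interface vrrp set [find name="vrrp2"] priority=120}
} else={/interface vrrp set [find name="vrrp2"] priority=1}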
Lab 2 Step 5
Let's create a script and a scheduler to run it every 2 seconds.

Try ping test again. It works!


Q&A
Thank you
