
Configuring an Oracle® Solaris 11.4 System as a Router or a Load Balancer


Updated: November 2020

Limitations of Layer 2 and Layer 3 VRRP

Layer 2 and Layer 3 VRRP share a common limitation: you must configure the VRRP virtual IP addresses statically. You cannot auto-configure the VRRP virtual IP addresses by using either in.ndpd for IPv6 auto-configuration or dhcpagent for Dynamic Host Configuration Protocol (DHCP) configuration.

The Layer 2 VRRP feature has the following limitations:

  • Exclusive-IP Zone Support

    When any VRRP router is created in an exclusive-IP zone, the VRRP service svc:/network/vrrp/default is enabled automatically. The VRRP service manages the VRRP router for that specific zone. However, support for an exclusive-IP zone is limited as follows:

    • Because a Virtual Network Interface Card (VNIC) cannot be created inside a non-global zone, you must create the VRRP VNIC in the global zone first. Then assign the VNIC to the non-global zone where the VRRP router resides. You can then create the VRRP router in the non-global zone by using the vrrpadm command.

    • On a single Oracle Solaris system, you cannot create two VRRP routers in different zones to participate with the same virtual router. Oracle Solaris does not allow you to create two VNICs with the same media access control (MAC) address.

  • Interoperations With Other Networking Features

  • Ethernet Over InfiniBand Support

    L2 VRRP does not support the Ethernet over InfiniBand (EoIB) interface. Because every L2 VRRP router is associated with a unique virtual MAC address, the VRRP routers participating with the same virtual router need to use the same virtual MAC address simultaneously, which is not supported by the EoIB interface. L3 VRRP overcomes this limitation because it uses a different MAC address for each of the VRRP routers that exist on the same virtual router.

The Layer 3 VRRP feature has the following limitations:

  • Using gratuitous ARP or NDP messages might result in a longer failover time during the election of the master router.

    L3 VRRP uses gratuitous ARP or NDP messages to advertise the new L2 or L3 mapping when the election of the master router changes. This additional requirement of using gratuitous ARP or NDP messages might result in a longer failover time. In some cases, if all the advertised gratuitous ARP or NDP messages are lost, it might take more time for a system to receive the refreshed ARP or NDP entry. Therefore, sending of packets to the new master router might be delayed.

  • Unable to determine the destination MAC address when using ICMP redirects because the same destination MAC address is shared by multiple routers.

    You can use ICMP redirects when you are using VRRP among a group of routers in a network topology that is not symmetric. The IPv4 or IPv6 source address of an ICMPv4 redirect or ICMPv6 redirect must be the address used by the end system when making the next-hop routing decision.

    When an L3 VRRP router needs to use ICMP redirects, the L3 VRRP router checks the destination MAC address (VRRP virtual MAC address) of the packets that need to be redirected. Because the same destination MAC address is shared by multiple routers created over the same interface, the L3 VRRP router cannot determine the destination MAC address. Therefore, it might be useful to disable ICMP redirects when you use L3 VRRP routers. You can disable ICMP redirects by using the send-redirects public IPv4 and IPv6 protocol properties as follows:

    $ ipadm set-prop -m ipv4 -p send-redirects=off
  • VRRP virtual IP addresses cannot be configured automatically either by in.ndpd or DHCP.
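
The following added example (not part of the Oracle documentation) audits the send-redirects property described above for both IPv4 and IPv6 and prints the command needed for any protocol that still sends redirects. It assumes the colon-separated output of `ipadm show-prop -c -o proto,property,current -p send-redirects`; the function name and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example, not Oracle's code: audit send-redirects on an L3 VRRP host.
# Assumption: input lines are the parsable (colon-separated) output of
#   ipadm show-prop -c -o proto,property,current -p send-redirects
# for example "ipv4:send-redirects:on".

# audit_redirects (hypothetical helper): reads those lines on stdin and
# prints one line per protocol:
#   "<proto> ok"             send-redirects is off
#   "<proto> FIX <command>"  redirects still enabled
#   "<proto> UNKNOWN"        no value reported for that protocol
# Returns 0 only when both ipv4 and ipv6 report send-redirects=off.
audit_redirects() {
    awk -F: '
        $2 == "send-redirects" { cur[$1] = $3 }
        END {
            n = split("ipv4 ipv6", protos, " ")
            bad = 0
            for (i = 1; i <= n; i++) {
                p = protos[i]
                if (!(p in cur)) {
                    print p " UNKNOWN"; bad = 1
                } else if (cur[p] == "off") {
                    print p " ok"
                } else {
                    # Same command form as shown on the page, protocol substituted.
                    print p " FIX ipadm set-prop -m " p " -p send-redirects=off"
                    bad = 1
                }
            }
            exit bad
        }'
}

# Constructed sample: IPv4 already set to off, IPv6 still sending redirects.
SAMPLE='ipv4:send-redirects:off
ipv6:send-redirects:on'

# On a Solaris host, audit the live configuration; elsewhere this is skipped.
if command -v ipadm >/dev/null 2>&1; then
    ipadm show-prop -c -o proto,property,current -p send-redirects \
        | audit_redirects || true
fi
```

Feeding `$SAMPLE` to `audit_redirects` reports IPv4 as ok and IPv6 as needing the fix, which is the state left behind when only the IPv4 command is run.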