Configuring a VRRPv3 - RealPars


SIMATIC NET

Industrial Remote Communication Remote Networks Configuring a VRRPv3

Getting Started

01/2019 C79000-G8976-C543-01

Preface

Introduction 1

Configure VRRPv3 2

Creating firewall rules for VRRPv3 3

Verify VRRPv3 4

Siemens AG Global Services Information Technology 80200 MÜNCHEN GERMANY

Document order number: C79000-G8976-C543 Ⓟ 01/2019 Subject to change

Copyright © Siemens AG 2019. All rights reserved

Legal information Warning notice system

This manual contains notices you have to observe in order to ensure your personal safety, as well as to prevent damage to property. The notices referring to your personal safety are highlighted in the manual by a safety alert symbol, notices referring only to property damage have no safety alert symbol. These notices shown below are graded according to the degree of danger.

DANGER indicates that death or severe personal injury will result if proper precautions are not taken.

WARNING indicates that death or severe personal injury may result if proper precautions are not taken.

CAUTION indicates that minor personal injury can result if proper precautions are not taken.

NOTICE indicates that property damage can result if proper precautions are not taken.

If more than one degree of danger is present, the warning notice representing the highest degree of danger will be used. A notice warning of injury to persons with a safety alert symbol may also include a warning relating to property damage.

Qualified Personnel The product/system described in this documentation may be operated only by personnel qualified for the specific task in accordance with the relevant documentation, in particular its warning notices and safety instructions. Qualified personnel are those who, based on their training and experience, are capable of identifying risks and avoiding potential hazards when working with these products/systems.

Proper use of Siemens products Note the following:

WARNING Siemens products may only be used for the applications described in the catalog and in the relevant technical documentation. If products and components from other manufacturers are used, these must be recommended or approved by Siemens. Proper transport, storage, installation, assembly, commissioning, operation and maintenance are required to ensure that the products operate safely and without any problems. The permissible ambient conditions must be complied with. The information in the relevant documentation must be observed.

Trademarks All names identified by ® are registered trademarks of Siemens AG. The remaining trademarks in this publication may be trademarks whose use by third parties for their own purposes could violate the rights of the owner.

Disclaimer of Liability We have reviewed the contents of this publication to ensure consistency with the hardware and software described. Since variance cannot be precluded entirely, we cannot guarantee full consistency. However, the information in this publication is reviewed regularly and any necessary corrections are included in subsequent editions.

Configuring a VRRPv3 Getting Started, 01/2019, C79000-G8976-C543-01 3

Preface

Purpose

The configuration of VRRPv3 is shown based on an example.

IP settings for the examples

Note

The IP settings used in the examples were freely chosen.

In a real network, you would need to adapt these IP settings to avoid possible address conflicts.

General naming conventions

The designation ...    stands for ...
SCT                    Security Configuration Tool
PST                    Primary Setup Tool
Device                 M87x, M81x, M826, S615
M87x                   SCALANCE M874-2, SCALANCE M874-3, SCALANCE M876-3, SCALANCE M876-4
M81x                   SCALANCE M812-1, SCALANCE M816-1
M826                   SCALANCE M826-2
M804PB                 SCALANCE M804PB
S615                   SCALANCE S615
M-800                  SCALANCE M874-2, SCALANCE M874-3, SCALANCE M876-3, SCALANCE M876-4, SCALANCE M812-1, SCALANCE M816-1, SCALANCE M826-2, SCALANCE M804PB


Further documentation ● Operating instructions

These documents contain information on installing and connecting the products and on approvals for the products. The configuration and the integration of the devices in a network are not described in these instructions.

– SCALANCE M874, M876

Entry ID: 74518712 (https://support.industry.siemens.com/cs/ww/de/view/109475909/en)

– SCALANCE M812, M816

Entry ID: 90316607 (https://support.industry.siemens.com/cs/ww/de/view/90316607/en)

– SCALANCE M804PB:

Entry ID: 109759601 (https://support.industry.siemens.com/cs/ww/en/view/109759601)

– SCALANCE M826:

Entry ID: 99450800 (https://support.industry.siemens.com/cs/ww/de/view/99450800/en)

– SCALANCE S615:

Entry ID: 109475909 (https://support.industry.siemens.com/cs/ww/de/view/109475909/en)

● "Web based Management" configuration manual

This document is intended to provide you with the information you require to commission and configure devices using the Web Based Management.

– SCALANCE M-800:

Entry ID: 109751635 (https://support.industry.siemens.com/cs/ww/de/view/109751635/en)

– SCALANCE S615:

Entry ID: 109751632 (https://support.industry.siemens.com/cs/ww/de/view/109751632/en)

● Configuration manual Command Line Interface

This document contains the CLI commands supported by the devices.

– SCALANCE M-800

Entry ID: 109751634 (https://support.industry.siemens.com/cs/ww/de/view/109751634/en)

– SCALANCE S615

Entry ID: 109751633 (https://support.industry.siemens.com/cs/ww/de/view/109751633/en)


● Industrial Ethernet Security – Basics and Application

This document contains information about working with the SCT (Security Configuration Tool).

Entry ID: 56577508 (https://support.industry.siemens.com/cs/ww/de/view/56577508/en)

● SIMATIC NET Industrial Ethernet Network manual

This document contains information on other SIMATIC NET products that you can operate along with the devices of this product line in an Industrial Ethernet network.

Entry ID: 27069465 (https://support.industry.siemens.com/cs/ww/de/view/27069465/en)

SIMATIC NET manuals You will find SIMATIC NET manuals on the Internet pages of Siemens Industry Online Support:

● using the search function:

Link to Siemens Industry Online Support (https://support.industry.siemens.com/cs/ww/en/ps)

Enter the entry ID of the relevant manual or the article number of the device as the search term.

● In the navigation panel on the left hand side in the area "Industrial Communication":

Link to the area "Industrial Communication" (https://support.industry.siemens.com/cs/ww/en/ps/15247/man)

Go to the required product group and make the following settings: "Entry list" tab, Entry type "manual"

Training, Service & Support You will find information on Training, Service & Support in the multi-language document "DC_support_99.pdf" on the data medium supplied with the documentation.

SIMATIC NET glossary Explanations of many of the specialist terms used in this documentation can be found in the SIMATIC NET glossary.

You will find the SIMATIC NET glossary on the Internet at the following address:

50305045 (https://support.industry.siemens.com/cs/ww/en/view/50305045)


Security information Siemens provides products and solutions with industrial security functions that support the secure operation of plants, systems, machines and networks.

In order to protect plants, systems, machines and networks against cyber threats, it is necessary to implement – and continuously maintain – a holistic, state-of-the-art industrial security concept. Siemens’ products and solutions constitute one element of such a concept.

Customers are responsible for preventing unauthorized access to their plants, systems, machines and networks. Such systems, machines and components should only be connected to an enterprise network or the internet if and to the extent such a connection is necessary and only when appropriate security measures (e.g. firewalls and/or network segmentation) are in place.

For additional information on industrial security measures that may be implemented, please visit https://www.siemens.com/industrialsecurity.

Siemens’ products and solutions undergo continuous development to make them more secure. Siemens strongly recommends that product updates are applied as soon as they are available and that the latest product versions are used. Use of product versions that are no longer supported, and failure to apply the latest updates may increase customers’ exposure to cyber threats.

To stay informed about product updates, subscribe to the Siemens Industrial Security RSS Feed under https://www.siemens.com/industrialsecurity.

Firmware The firmware is signed and encrypted. This ensures that only firmware created by Siemens can be downloaded to the device.

Trademarks The following and possibly other names not identified by the registered trademark sign ® are registered trademarks of Siemens AG:

SCALANCE, SINEMA, KEY-PLUG, C-PLUG


Table of contents

Preface  3

1 Introduction  9

2 Configure VRRPv3  13

2.1 Create VRRPv3 router  13

2.2 Configure VRRPv3 router  14

2.3 Specifying the virtual IP address  16

2.4 Configuring interface monitoring  17

3 Creating firewall rules for VRRPv3  19

4 Verify VRRPv3  21

1 Introduction

This section contains an example configuration that demonstrates the function of VRRPv3. With the Virtual Router Redundancy Protocol v3 (VRRPv3), the failure of a router in a network can be countered.

To set up router redundancy, multiple devices are combined into a logical group; these devices together form the virtual router. To clearly assign the devices to a logical group, a VRID is configured for each device. The devices of a logical group must have the same VRID.

One device of the group is declared the master router, while the others are backup routers. A virtual IP address and a MAC address are assigned to this master router. The entire data traffic is handled over the master router.

If the master router fails, the virtual IP address and the MAC address are transferred to the backup router, which takes on the role of the master router. This means communication is restored within three seconds.

In this example configuration, station 1 is to be connected to the Internet redundantly to ensure data communication to and from these networks even in case of a router failure.

Setup

To set up router redundancy, a SCALANCE M816 and a SCALANCE M874-2 are combined into a logical group (VRID). The SCALANCE M816 is the master router in this setup and the SCALANCE M874-2 is the backup router. On the surface, the logical group looks like one single virtual router.

Station 1 (vlan1) is connected over interface P1, and the Internet is connected over the WAN interface (ppp0) of the devices. During normal operation, the entire data traffic is handled over the WAN interface of the master router.

When one of these interfaces fails on the master router, data traffic is no longer possible over the master router. The connection over the interfaces P1 and ppp0 is therefore monitored. When the status of a monitored interface changes on the master router from "up" to "down", the priority of the master router is reduced. The virtual IP address and the MAC address are transferred to the backup router that takes on the tasks of the master router.

Once connection over the SCALANCE M816 is possible again, the original priority of the VRRP router is restored. The SCALANCE M816 once again takes on the role of master router.

The firewall is enabled on the devices by default. For the incoming VRRP packets to be forwarded to the device, you must configure a firewall rule.


Settings used

For the configuration example, the devices are given the following IP address settings:

VLAN / VRID   Router status   Device name   Interface   IP address                     Virtual IP address (Associated IP address)
vlan1 / 1     Master          M816          P1          192.168.100.1 255.255.255.0    192.168.100.15 (VRID 1)
vlan1 / 1     Backup          M874          P1          192.168.100.2 255.255.255.0    192.168.100.15 (VRID 1)


You configure the devices with the PC using Web Based Management. To do so, you must assign the IP address to the PC network adapter. In the extended TCP/IP settings of the network adapter configuration you have the option of adding additional IP addresses.

PC     IP address       Gateway
PC1    192.168.100.20   VRID1: Virtual IP address 192.168.100.15

Note

The IP settings used in the configuration example were freely chosen.

In a real network, you would need to adapt these IP settings to avoid possible address conflicts.

Requirement

● The SCALANCE M87x/SCALANCE M81x is connected to the WAN, refer to "Connecting SCALANCE M to the WAN".

● The SCALANCE M87x/SCALANCE M81x can be reached via the Admin PC and you are logged in to the WBM as "admin".

Steps in configuration

The following steps are required on both devices for configuring VRRPv3:

1. Configure VRRPv3

2. Create firewall rules

3. Verify VRRPv3


2 Configure VRRPv3

2.1 Create VRRPv3 router

Procedure

1. Click on "Layer 3" > "VRRPv3" in the navigation area and on the "Router" tab in the content area.

2. Select the setting "VRRPv3". Confirm the message with "OK". The procedure is described in the section "Creating firewall rules for VRRP (Page 19)".

3. Select the setting "VRID-Tracking".

4. Click on "Set Values".

5. For "Interface", select the entry "vlan1".

6. Enter 1 for "VRID" and click "Create".

Result A logical group has been created on the devices.

2.2 Configure VRRPv3 router

This section describes how to configure the VRRPv3 routers. The M816 is configured as master router and the M874 as backup router in this case.

Procedure

1. Click on "Layer 3" > "VRRPv3" in the navigation area and on the "Configuration" tab in the content area.

2. For "Interface / VRID" select the entry "vlan1 / 1".

3. Configure the virtual router VRID 1 with the following settings:

                    M816        M874
Interface / VRID    vlan1 / 1   vlan1 / 1
Primary Address     0.0.0.0     0.0.0.0
Priority            150         100
Reduce Priority     100         0

Primary Address: Because only one subnet is configured on this VLAN, no entry is necessary. The entry is then 0.0.0.0.

4. Click on "Set Values".

Result The virtual routers have been created. The configuration is identical on both devices.

Overview of the configuration on M816:


Overview of the configuration on M874:

2.3 Specifying the virtual IP address

A virtual IP address is assigned so that the connected devices are not aware of the change. This virtual IP address is entered as gateway address in the devices.

Procedure

1. Click on "Layer 3" > "VRRPv3" in the navigation area and on the "Address Configuration" tab in the content area.

2. For "Interface / VRID" select the entry "vlan1 / 1".

3. In "Associated IP Address", enter the IP address "192.168.100.15".

4. Click "Create".

5. Click on "Set Values".

Result The corresponding virtual IP address is specified.

2.4 Configuring interface monitoring

The interfaces P1 and ppp0 are to be monitored.

Procedure

1. Click on "Layer 3" > "VRRPv3" in the navigation area and on the "Interface Tracking" tab in the content area.

2. For "Interface" select the interface "P1".

3. For "Track-ID" enter the ID 1.

4. Click the "Create" button.

5. Repeat steps 2 to 4 for the interface "ppp0".

6. For "Track-ID", select "1".

7. Enter "1" for "Track Interface Count" and click "Set Values".

Result The interfaces are tracked.

The "Track Interface Count" 1 means that when the connection status at an interface changes from "up" to "down", the priority of the assigned VRRP router is reduced.

You configure the value by which the priority is reduced on the page "Layer 3 > VRRPv3 > Configuration". When the connection status changes back from "down" to "up", the original priority is restored.
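The following is an added example (not code from the Siemens manual) that models the priority and interface-tracking behaviour described in sections 2.2 and 2.4 with the values this Getting Started uses: M816 with Priority 150 / Reduce Priority 100, M874 with Priority 100 / 0, tracked interfaces P1 and ppp0, Track Interface Count 1. The clamping of a reduced priority to 1 and the tie-break on the higher primary IP address are assumptions taken from the VRRP specification, not from the page.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address


@dataclass
class VrrpRouter:
    """One member of the VRID 1 group, with the settings from chapter 2."""
    name: str
    ip: str                         # physical address on vlan1
    priority: int                   # "Priority" on Layer 3 > VRRPv3 > Configuration
    reduce_priority: int            # "Reduce Priority" on the same page
    tracked: dict = field(default_factory=dict)   # interface -> "up" / "down"
    track_interface_count: int = 1  # "Track Interface Count" on Interface Tracking

    def effective_priority(self) -> int:
        """Advertised priority: reduced once (not once per interface) while at
        least track_interface_count tracked interfaces are down, and restored
        when they come back up. Priority 0 is reserved in VRRP for a master
        that is resigning, so the reduced value is clamped to 1 (assumption)."""
        down = sum(1 for state in self.tracked.values() if state == "down")
        if down >= self.track_interface_count:
            return max(self.priority - self.reduce_priority, 1)
        return self.priority


def elect_master(group):
    """Highest effective priority becomes master; on a tie VRRP prefers the
    router with the higher primary IP address (assumption, per the RFC)."""
    return max(group, key=lambda r: (r.effective_priority(), ip_address(r.ip)))


def failover_scenario():
    """Replays the fault from the introduction: the WAN link (ppp0) of the
    master fails and later recovers. Returns (event, master, priorities)."""
    m816 = VrrpRouter("M816", "192.168.100.1", 150, 100, {"P1": "up", "ppp0": "up"})
    m874 = VrrpRouter("M874", "192.168.100.2", 100, 0, {"P1": "up", "ppp0": "up"})
    group = [m816, m874]            # both configured with VRID 1 on vlan1
    timeline = []

    def record(event):
        prios = {r.name: r.effective_priority() for r in group}
        timeline.append((event, elect_master(group).name, prios))

    record("normal operation")      # M816 (150) beats M874 (100)
    m816.tracked["ppp0"] = "down"   # a tracked interface goes down on the master
    record("ppp0 down on M816")     # M816 drops to 50, M874 (100) takes over
    m816.tracked["ppp0"] = "up"     # link restored, original priority returns
    record("ppp0 restored")         # M816 is master again
    return timeline


if __name__ == "__main__":
    for event, master, prios in failover_scenario():
        print(f"{event:20} master={master} priorities={prios}")
```

The model makes the design check visible: the master's reduced priority (150 - 100 = 50) must end up below the backup's priority (100), otherwise the tracked interface failure would never move the virtual address to M874.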

3 Creating firewall rules for VRRPv3

For the incoming VRRP packets to be forwarded to the device, you must configure the following firewall rule.

Procedure

Create IP protocol

1. Click on "Layer 3 > Firewall" in the navigation area and on the "IP Protocol" tab in the content area.

2. For "Protocol Name" enter "VRRP".

3. Click on "Set Values". A new entry is generated in the table.

4. Enter "112" in "Protocol Number".

5. Click on "Set Values".

Creating IP Rules

1. Click on "Security" > "Firewall" in the navigation area and on the "IP Rules" tab in the content area.

2. Click "Create". A new entry is created in the table.

3. Configure the firewall rule for VRID1 with the following settings:

Action                 Accept
From                   vlan1 / 1
To                     Device
Source (Range)         0.0.0.0/0 (all addresses)
Destination (Range)    224.0.0.18/32
Service                VRRP

4. Click on "Set Values".

5. Click "Create". A new entry is created in the table.

6. Click on "Set Values".


Result The IP rules have been created.
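As an added example (not Siemens code), the IP rule from this chapter is modelled as a small matcher and run over constructed packets, so the effect of the rule, and of its absence, can be seen. Assumptions: the "From" column is matched on the ingress interface (the page's "vlan1 / 1" is modelled as vlan1), "To Device" means traffic addressed to the router itself, and device-bound traffic that matches no Accept rule is dropped because the firewall is enabled by default.

```python
import ipaddress
from dataclasses import dataclass

VRRP_PROTOCOL_NUMBER = 112       # the "VRRP" IP protocol entry created in this chapter
VRRP_MULTICAST = "224.0.0.18"    # destination of VRRP advertisements


@dataclass(frozen=True)
class IpRule:
    """One entry of the Security > Firewall > IP Rules table."""
    action: str
    from_interface: str   # "From": ingress interface (assumption of this model)
    to_zone: str          # "To": Device = traffic addressed to the router itself
    source: str           # "Source (Range)" as CIDR
    destination: str      # "Destination (Range)" as CIDR
    protocol: int         # IP protocol number behind the "Service" entry

    def matches(self, pkt) -> bool:
        return (pkt["in_interface"] == self.from_interface
                and pkt["to"] == self.to_zone
                and pkt["proto"] == self.protocol
                and ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(self.source)
                and ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(self.destination))


# The rule from the table above, as the manual specifies it.
VRRP_RULE = IpRule("Accept", "vlan1", "Device", "0.0.0.0/0",
                   VRRP_MULTICAST + "/32", VRRP_PROTOCOL_NUMBER)


def firewall_verdict(rules, pkt) -> str:
    """First matching rule wins; device-bound traffic that matches no Accept
    rule is dropped (assumption: firewall enabled by default)."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "Drop"


def sample_verdicts(rules):
    """Constructed packets: the advertisement the backup sends on vlan1, plus
    traffic that should remain blocked even with the rule in place."""
    packets = {
        "advert from M874 on vlan1": {"in_interface": "vlan1", "to": "Device",
                                      "src": "192.168.100.2", "dst": VRRP_MULTICAST, "proto": 112},
        "advert arriving on ppp0 (WAN)": {"in_interface": "ppp0", "to": "Device",
                                          "src": "203.0.113.9", "dst": VRRP_MULTICAST, "proto": 112},
        "unicast proto 112 to the router": {"in_interface": "vlan1", "to": "Device",
                                            "src": "192.168.100.20", "dst": "192.168.100.1", "proto": 112},
        "TCP from PC1 to the router": {"in_interface": "vlan1", "to": "Device",
                                       "src": "192.168.100.20", "dst": "192.168.100.1", "proto": 6},
    }
    return {label: firewall_verdict(rules, pkt) for label, pkt in packets.items()}


if __name__ == "__main__":
    for label, verdict in sample_verdicts([VRRP_RULE]).items():
        print(f"{verdict:6} {label}")
```

Without the rule (an empty rule list) even the legitimate advertisement from M874 is dropped, which is why the master/backup election in chapter 4 cannot be verified until this chapter is completed.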

4 Verify VRRPv3

Procedure

1. Click on "Layer 3" > "VRRPv3" in the navigation area and on the "Router" tab in the content area.

Result

Overview of the configuration on M816:

Overview of the configuration on M874:

For master address, the IP address of M816 is displayed.
