
Virtual Router Redundancy Protocol (VRRP)

Ido Schimmel edited this page Jul 14, 2019 · 2 revisions
Table of Contents
  1. Introduction
    1. Topology
  2. Example Configuration
    1. Router Configuration
    2. Host Configuration
  3. Known Issues in keepalived
  4. Further Resources

Introduction

When a router that is acting as the default gateway of a host stops functioning, the host will encounter packet loss until the router starts functioning again.

To increase the reliability of the default gateway without performing reconfiguration on the host, a host can use a Virtual Router Redundancy Protocol (VRRP) Router. This virtual router is composed of several routers, where only one is actually forwarding packets from the host (the Master router) while the other routers act as Backup routers. The election of the Master router is determined by the VRRP protocol.

Packets addressed to the virtual router are sent to the virtual router's MAC address (IPv4: 00-00-5E-00-01-XX, IPv6: 00-00-5E-00-02-XX), where XX is the virtual router's ID.

In Linux, VRRP is usually implemented by configuring a macvlan with the virtual router's MAC on top of the router interface that is connected to the host / LAN. The macvlan on the Master router is assigned the virtual IP (VIP) that the host uses as its gateway.

This page describes how to configure VRRP in Linux using keepalived in VMAC mode.

Topology

			  .-~~~-.
		  .- ~ ~-(       )_ _
		 /                     ~ -.
		|           network        \
		 \      2001:db8:4::/64   .'
		   ~- . _____+___+___ . -~
             2001:db8:2::/64 |   | 2001:db8:3::/64
            +----------------+   +---------------+
            |                                    |
+-----------+------------+           +-----------+------------+
|          p7            |           |          p56           |
|                        |           |                        |
|        switch1      p11+-----------+p54     switch2         |
|                        |           |                        |
|          p3            |           |          p55           |
+-----------+------------+           +-----------+------------+
            |           2001:db8:1::/64          |
            +-------------+         +------------+
                          |         |
                       +--+---------+--+
                       | ens6     ens7 |
                       |               |
                       |      host     |
                       |               |
                       |               |
                       +---------------+

Example Configuration

The following configuration uses IPv6 for the above topology, but IPv4 is also supported and configured in a similar way.

Router Configuration

sw1$ ip link add name br0 type bridge vlan_filtering 1 mcast_snooping 0
sw1$ ip link set dev swp3 master br0
sw1$ ip link set dev swp11 master br0
sw1$ ip link set dev br0 up
sw1$ ip -6 address add 2001:db8:1::2/64 dev br0
sw1$ ip link set dev swp3 up
sw1$ ip link set dev swp11 up
sw1$ ip link set dev swp7 up
sw1$ ip -6 address add 2001:db8:2::2/64 dev swp7
sw1$ ip -6 route add 2001:db8:4::/64 via 2001:db8:2::1

sw1$ cat /etc/keepalived/keepalived.conf
global_defs {
 vrrp_garp_master_refresh 60
}

vrrp_instance vrrp_test {
 state MASTER
 interface br0
 virtual_router_id 5
 priority 200
 version 3
 advert_int 0.1
 use_vmac
 vmac_xmit_base
 virtual_ipaddress {
  2001:db8:1::100
 }
 notify_master "/usr/local/bin/vmac.sh true br0 00:00:5e:00:02:05 1"
 notify_backup "/usr/local/bin/vmac.sh false br0 00:00:5e:00:02:05 1"
 notify_stop "/usr/local/bin/vmac.sh false br0 00:00:5e:00:02:05 1"
}

sw2$ ip link add name br0 type bridge vlan_filtering 1 mcast_snooping 0
sw2$ ip link set dev swp55 master br0
sw2$ ip link set dev swp54 master br0
sw2$ ip link set dev br0 up
sw2$ ip -6 address add 2001:db8:1::3/64 dev br0
sw2$ ip link set dev swp55 up
sw2$ ip link set dev swp54 up
sw2$ ip link set dev swp56 up
sw2$ ip -6 address add 2001:db8:3::2/64 dev swp56
sw2$ ip -6 route add 2001:db8:4::/64 via 2001:db8:3::1

sw2$ cat /etc/keepalived/keepalived.conf
global_defs {
 vrrp_garp_master_refresh 60
}

vrrp_instance vrrp_test {
 state BACKUP
 interface br0
 virtual_router_id 5
 priority 150
 version 3
 advert_int 0.1
 use_vmac
 vmac_xmit_base
 virtual_ipaddress {
  2001:db8:1::100
 }
 notify_master "/usr/local/bin/vmac.sh true br0 00:00:5e:00:02:05 1"
 notify_backup "/usr/local/bin/vmac.sh false br0 00:00:5e:00:02:05 1"
 notify_stop "/usr/local/bin/vmac.sh false br0 00:00:5e:00:02:05 1"
}

In the above configuration, the virtual router uses an advertisement interval of 0.1 seconds. A longer interval can be used, but it will increase the failover time, as the Backup router waits for three times the advertisement interval before declaring the Master as down.

The vmac_xmit_base option causes VRRP packets to be sent with the MAC of the underlying interface (br0 in the example) instead of the virtual MAC. While it does not conform to the VRRP specification, this option is recommended in practice.

On both switches, vmac.sh is the script shown below. Its purpose is to make sure that packets whose destination MAC is the virtual MAC are received locally by the Master router. This is done by configuring an FDB entry with the virtual MAC and the local flag.

sw1$ cat /usr/local/bin/vmac.sh
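#!/bin/bash
# Usage: vmac.sh <true|false> <bridge> <vmac> [<vid>]
# Add (Master) or remove (Backup / stop) a local FDB entry for the virtual MAC.

master=$1
bridge=$2
vmac=$3

# Optional fourth argument: VLAN ID of the FDB entry.
vlan=()
if [[ "$#" -eq 4 ]]; then
        vlan=(vlan "$4")
fi

if [[ $master == "true" ]]; then
        # Master: receive packets destined to the virtual MAC locally.
        bridge fdb replace "$vmac" dev "$bridge" self local "${vlan[@]}"
else
        bridge fdb del "$vmac" dev "$bridge" self local "${vlan[@]}"
fi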

Note: vmac_xmit_base must be specified for IPv6.

Host Configuration

host$ ip link add name bond0 type bond mode active-backup miimon 100 use_carrier 1
host$ ip link set dev ens6 master bond0
host$ ip link set dev ens7 master bond0
host$ ip link set dev ens6 up
host$ ip link set dev ens7 up
host$ ip link set dev bond0 up
host$ ip -6 address add 2001:db8:1::1/64 dev bond0
host$ ip -6 route add 2001:db8:4::/64 via 2001:db8:1::100
host$ ip link set dev bond0 type bond primary ens6

In order to avoid duplicate packets, the host uses an active-backup LAG to connect to both switches. It uses the virtual router (2001:db8:1::100) as a gateway to the 2001:db8:4::/64 network, although in actual deployments this will usually be the default gateway.

Note that the MAC address of the virtual router will be the virtual router MAC (VMAC):

host$ ip -6 neighbour show 2001:db8:1::100
2001:db8:1::100 dev bond0 lladdr 00:00:5e:00:02:05 router REACHABLE

The least significant byte (05) indicates that the virtual router ID is 5, which is in accordance with the virtual router configuration above.
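
The router configuration repeats the virtual MAC as a literal in every notify_* line, so it can drift from virtual_router_id, in which case the FDB entry installed by vmac.sh no longer matches the MAC the host resolves for the gateway. The following check is an added example, not part of the original page or of keepalived: the function names expected_vmac, check_conf and sample_conf are hypothetical, the sample configuration is constructed from the one above, and a single vrrp_instance per file is assumed.

```shell
#!/bin/sh
# Added example (not from the original page): check that the VMAC literal in
# keepalived's notify_* lines matches virtual_router_id and the VIP family.
# Assumption: one vrrp_instance per file. Function names are hypothetical.

# expected_vmac VRID FAMILY(4|6): print 00:00:5e:00:01:XX or 00:00:5e:00:02:XX
expected_vmac() {
    case "$2" in
        4) octet=01 ;;
        6) octet=02 ;;
        *) return 2 ;;
    esac
    [ "$1" -ge 1 ] 2>/dev/null && [ "$1" -le 255 ] || return 2
    printf '00:00:5e:00:%s:%02x\n' "$octet" "$1"
}

# check_conf FILE: 0 = consistent, 1 = mismatching notify line, 2 = unparsable
check_conf() {
    vrid=$(awk '$1 == "virtual_router_id" { print $2; exit }' "$1")
    fam=$(awk '$1 == "virtual_ipaddress" { vip = 1; next }
               vip && $1 == "}"          { exit }
               vip && NF                 { print (($1 ~ /:/) ? 6 : 4); exit }' "$1")
    want=$(expected_vmac "$vrid" "$fam") || return 2
    bad=$(grep -E '^[[:space:]]*notify_(master|backup|stop)[[:space:]]' "$1" |
          grep -vi -- "$want" || true)
    [ -z "$bad" ] && return 0
    printf 'expected %s, mismatching lines:\n%s\n' "$want" "$bad" >&2
    return 1
}

# Constructed sample based on the page's instance; $1 overrides the VRID.
sample_conf() {
    cat <<EOF
vrrp_instance vrrp_test {
 virtual_router_id ${1:-5}
 use_vmac
 virtual_ipaddress {
  2001:db8:1::100
 }
 notify_master "/usr/local/bin/vmac.sh true br0 00:00:5e:00:02:05 1"
 notify_backup "/usr/local/bin/vmac.sh false br0 00:00:5e:00:02:05 1"
 notify_stop "/usr/local/bin/vmac.sh false br0 00:00:5e:00:02:05 1"
}
EOF
}

conf=$(mktemp) && sample_conf 5 > "$conf" && check_conf "$conf" && echo "VMAC consistent"
rm -f "$conf"
```

Run against /etc/keepalived/keepalived.conf on each switch, check_conf returns 1 and lists the offending lines when the VRID is changed without updating the notify arguments.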

Known Issues in keepalived

The keepalived configuration listed above is only supported in keepalived version 2.0.6 and later, as it requires these two fixes.

Further Resources

  1. man keepalived
  2. man keepalived.conf
  3. man ip-link