VRRP Configuration for Vyos

Overview of a protocol

In a TCP/IP protocol-based network, a route must be specified in order to ensure communication between devices that are not directly physically connected. There are two methods of specifying routes that are commonly used: one is dynamic learning through routing protocols (e.g., internal routing protocol RIP and OSPF); The other is a static configuration. It is unrealistic to run dynamic routing protocol at each terminal, most of the client operating system platforms do not support dynamic routing protocol, so the static routing configuration of Terminal IP device is generally used to specify one or more default gateways for end devices. The method of static routing simplifies the complexity of network management and reduces the communication overhead of terminal equipment, but it still has one disadvantage: if the router that is the default gateway is damaged, all traffic using the gateway as the next hop host must be interrupted. Even if you have multiple default gateways configured without restarting the end device, You cannot switch to a new gateway. The Virtual Routing Redundancy Protocol (Vsan Router Redundancy Protocol, abbreviated VRRP) can be used to avoid statically specifying the gateway's flaws.

In the VRRP protocol, there are two important sets of concepts: the VRRP router and the virtual router, the master router, and the backup router. VRRP router refers to the router running VRRP, is a physical entity, the virtual router refers to the VRRP protocol created, is a logical concept. A group of VRRP routers work together to form a virtual router that is externally represented as a logical router with a unique fixed IP address and MAC address , routers in the same VRRP group have two mutually exclusive roles: a master router and a backup router, a VRRP group with only one router in the master role, and one or more routers in the backup role. The VRRP protocol uses a selection policy to select one of the router groups as the master, responsible for ARP corresponding and forwarding IP packets, and the other routers in the group are on standby as backup roles. When a master router fails for some reason, the backup router can be upgraded to the primary router after a few seconds of delay. Because this switch is very fast and does not change the IP address and MAC address, it is transparent to the end-user system.

Two working principles

A VRRP router has a unique identity: Vrid, which has a range of 0-255.

There is only one VRRP control message: VRRP advertisement (advertisement), which is encapsulated with an IP multicast packet with a group address of 224.0.0.18 The release scope is limited to the same LAN. This ensures that the Vrid can be reused in different networks. To reduce network bandwidth consumption only the master router can periodically send VRRP notification messages. The backup router launches a new round of VRRP elections after three consecutive notification intervals without receiving a VRRP or receiving a priority 0 announcement ,

In the VRRP router group, the master router is elected by priority, and the priority range in the VRRP protocol is 0-255.

If the IP address of the VRRP router is the same as the interface IP address of the virtual router, it is said that the virtual router is the IP address owner in the VRRP group; the IP address owner automatically has the highest priority: 255. Priority 0 is typically used when the IP address owner actively abandons the master role. The configurable priority range is 1-254. For the same priority of the candidate routers, according to the IP address size order election?

VRRP also provides a priority preemption policy, and if configured, a high-priority backup router will deprive the current low-priority master router and become the new master router.

In order to guarantee the security of VRRP protocol, two kinds of security authentication measures are provided: PlainText authentication and IP header authentication. The plaintext authentication method requires that the same vrid and plaintext password must be provided when joining a VRRP router group. Suitable for avoiding configuration errors in LAN But does not prevent the network listens the way obtains the password. IP header authentication provides a higher level of security that prevents attacks such as message replay and modification.

VRRP configuration of three Vyos

The experimental environment uses a virtualized environment, VYOS-01 and 02 eth0 under the same VLAN 280, eth1 under the same vlan100.

Virtual machine Name	Port	Interface IP	Vrid	Virtual IP	Priority	Preempt
Vyos-01	Eth0	10.10.10.1/30	10	192.168.28.135	150	True
vyos-02	Eth0	10.10.10.2/30			100
Vyos-01	Eth1	192.168.100.3/24	100	192.168.100.1	150	True
vyos-02	Eth1	192.168.100.2/24			100

Configure two sets of VRRP as shown in the table above, one set of Vrid is 10, the other group is 100. Two groups are configured for the same sync group, and another group is randomly switched when a group of VRRP fails over.

The configuration of the vyos-01 is as follows:

Set interfaces Ethernet eth0 address ' 10.10.10.1/30 '--Configure Eth0 interface addresses

Set Interfaces Ethernet eth0 VRRP vrrp-group advertise-interval ' 1 '--Configure VRRP Hello message interval (default, can not be configured)

Set Interfaces Ethernet eth0 VRRP vrrp-group preempt ' true '--configure VRRP preemption mode on

Set Interfaces Ethernet eth0 VRRP vrrp-group priority ' 150 '--configuring VRRP priorities

Set Interfaces Ethernet eth0 VRRP vrrp-group sync-group ' asdf '---configuration vrrp sync Group

Set Interfaces Ethernet eth0 VRRP vrrp-group virtual-address ' 192.168.28.135/24 '--Configure VRRP VIP Address

Set interfaces Ethernet eth1 address ' 192.168.100.3/24 '

Set Interfaces Ethernet eth1 VRRP vrrp-group priority ' 150 '

Set Interfaces Ethernet eth1 VRRP vrrp-group sync-group ' asdf '

Set Interfaces Ethernet eth1 VRRP vrrp-group virtual-address ' 192.168.100.1/24 '

The configuration of the vyos-02 is as follows:

Set interfaces Ethernet eth0 address ' 10.10.10.2/30 '--Configure Eth0 interface addresses

Set Interfaces Ethernet eth0 VRRP vrrp-group advertise-interval ' 1 '--Configure VRRP Hello message interval

Set Interfaces Ethernet eth0 VRRP vrrp-group preempt ' true '--configure VRRP preemption mode on

Set Interfaces Ethernet eth0 VRRP vrrp-group priority ' 100 '--configuring VRRP priorities

Set Interfaces Ethernet eth0 VRRP vrrp-group sync-group ' asdf '---configuration vrrp sync Group

Set Interfaces Ethernet eth0 VRRP vrrp-group virtual-address ' 192.168.28.135/24 '--Configure VRRP VIP Address

Set interfaces Ethernet eth1 address ' 192.168.100.2/24 '

Set Interfaces Ethernet eth1 VRRP vrrp-group priority ' 100 '

Set Interfaces Ethernet eth1 VRRP vrrp-group sync-group ' asdf '

Set Interfaces Ethernet eth1 VRRP vrrp-group virtual-address ' 192.168.100.1/24 '

After the configuration is complete commit and save.

Then look at the VRRP status on both sides as follows

[email protected]: ~$ show VRRP

RFC Addr Last Sync

Interface Group State compliant Owner Transition Group

---------         -----  -----         ---------  -----  ----------  -----

Eth0 MASTER No no 22m52s asdf

Eth1 MASTER No no 22m52s asdf

In the process of switching, there will be three packets lost, this reflects the VRRP hello message in three consecutive cycles after receiving the switch to start VRRP.

Disconnect the vyos-01 eth0 port, and then view the VRRP status as

650) this.width=650; "src=" Http://s2.51cto.com/wyfs02/M02/78/6D/wKioL1Z8FHCg-kC8AACgsoiy5b4721.png "title=" QQ picture 20151224234955.png "alt=" Wkiol1z8fhcg-kc8aacgsoiy5b4721.png "/>

As you can see, after the vyos-01 port is down, the two VRRP groups on the vyos-01 become fault state, and the vyos-02 switch to the master state. The synchronization switch was successful.

vyos-01 eth0 Restore and then review the VRRP status as follows:

650) this.width=650; "src=" Http://s5.51cto.com/wyfs02/M00/78/6E/wKiom1Z8FKDiqRgVAACiOeGJGgo910.png "title=" Clipboard.png "alt=" Wkiom1z8fkdiqrgvaacioegjggo910.png "/>vyos-01 resumed master, the preemption mode setting was successful.

This article is from the "Andy_youl" blog, make sure to keep this source http://236859.blog.51cto.com/226859/1728063

VRRP Configuration for Vyos