Introduction to Virtual Router Redundancy Protocol (VRRP)
Virtual Router Redundancy Protocol (VRRP) is an open standard protocol, which has been developed by IEEE (Institute of Electrical and Electronics Engineers). It provides redundancy in a network and eliminates the single point of failure. The protocol groups several nodes into a virtual node, delivering high availability to the network.
When VRRP starts, an election process takes place in which one of the nodes becomes the “Master” node, while the others become Backup nodes. The Master node owns the virtual IP address and is the active default gateway. There can only be one Master in the network, whereas the number of Backup nodes can vary.
If the Master node fails, a new election process begins and the Backup node configured with the highest priority becomes the new Master node. Since the priority field is one byte, the value varies from 0 to 254. The priority value zero (0) has a special meaning: it indicates that the current Master has stopped participating in VRRP. The priorities from 1 to 254 are the acceptable values to use in the configuration.
A virtual router must use 00-00-5E-00-01-XX as its Media Access Control (MAC) address. The last byte of the address (XX) is the Virtual Router Identifier (VRID), which is different for each virtual router in the network.
In this article, I will configure the “keepalived” tool and a Cisco router to simulate high availability (VRRP) while analyzing the packets with Wireshark. The scenarios can vary; you can even use multiple FreeRADIUS instances with the keepalived tool.
Configuring a Cisco router for VRRP
Step-1: Enter global configuration mode.
my_router#configure terminal
Step-2: Enter interface configuration mode.
my_router(config)#interface FastEthernet0/0
Step-3: Configure an IP address on the interface.
my_router(config-if)# ip address 192.168.2.11 255.255.255.0
Step-4: Configure a virtual IP address, setting the virtual router ID (group) to 20.
my_router(config-if)# vrrp 20 ip 192.168.2.100
Step-5: Set the priority to 200.
my_router(config-if)# vrrp 20 priority 200
Step-6: Configure VRRP to send VRRP multicast packets every 30 seconds.
my_router(config-if)#vrrp 20 timers advertise 30
Step-7: Configure authentication type and string.
my_router(config-if)# vrrp 20 authentication text password
Step-8: Enable the interface.
my_router(config-if)#no shutdown
After VRRP is configured, the router changes its state from Backup to Master. The following output shows the transition.
*Mar 6 23:17:17.499: %VRRP-6-STATECHANGE: Fa0/0 Grp 20 state Init -> Backup
*Mar 6 23:17:20.719: %VRRP-6-STATECHANGE: Fa0/0 Grp 20 state Backup -> Master
Step-9: Verify the configuration with the command below.
my_router#show vrrp
FastEthernet0/0 - Group 20
  State is Master
  Virtual IP address is 192.168.2.100
  Virtual MAC address is 0000.5e00.0114
  Advertisement interval is 30.000 sec
  Preemption enabled
  Priority is 200
  Authentication text "password"
  Master Router is 192.168.2.11 (local), priority is 200
  Master Advertisement interval is 30.000 sec
  Master Down interval is 90.218 sec
The output shows that the node is in the Master state and uses 192.168.2.100 as the virtual IP address. We set the virtual router ID (Group) to 20 in decimal, which becomes the last byte of the virtual MAC address in hexadecimal (Dec → Hex, 20 → 14). The Master Down interval is 3 times the advertisement interval (which defaults to 1 second) plus the skew time. A Backup node waits for that amount of time and, if there are still no advertisements from the Master, changes its state to Master. The new Master then starts to send multicast packets to the 224.0.0.18 IP address every 30 seconds.
The same output can be seen in Wireshark.
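The fields behind the virtual MAC address and the Master Down interval above can also be checked in code. The Python below is an added example, not part of the original article: it decodes a VRRPv2 advertisement as laid out in RFC 3768, reproduces the 0000.5e00.0114 MAC and the 90.218-second interval from the router output, and compares a received advertisement with the intended settings. The sample packet is constructed from this article's configuration; the `audit` function, its finding strings and the `EXPECTED` allowlist are assumptions made for illustration.

```python
import ipaddress
import struct

def inet_checksum(data: bytes) -> int:
    """16-bit one's-complement checksum; VRRPv2 computes it over the VRRP message only."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_advert(msg: bytes) -> dict:
    """Decode a VRRPv2 advertisement (the payload of IP protocol 112)."""
    if len(msg) < 16 or len(msg) < 16 + 4 * msg[3]:
        raise ValueError("truncated VRRPv2 advertisement")
    ver_type, vrid, prio, count, auth_type, interval = struct.unpack("!6B", msg[:6])
    vips = [str(ipaddress.IPv4Address(msg[8 + 4 * i:12 + 4 * i])) for i in range(count)]
    auth = msg[8 + 4 * count:16 + 4 * count].rstrip(b"\x00")
    return {"version": ver_type >> 4, "vrid": vrid, "priority": prio, "auth_type": auth_type,
            "advert_int": interval, "vips": vips, "auth_data": auth.decode("ascii", "replace"),
            "checksum_ok": inet_checksum(msg) == 0,
            "virtual_mac": f"00-00-5E-00-01-{vrid:02X}"}

def master_down_interval(advert_int: int, priority: int) -> float:
    """3 * advertisement interval + skew time, with skew = (256 - priority) / 256."""
    return 3 * advert_int + (256 - priority) / 256

def audit(src_ip: str, ttl: int, adv: dict, expected: dict) -> list:
    """Compare one received advertisement with the intended group settings (assumed policy)."""
    checks = [
        (ttl != 255, "IP TTL is not 255"),
        (not adv["checksum_ok"], "bad checksum"),
        (src_ip not in expected["routers"], f"advertisement from unlisted router {src_ip}"),
        (adv["vips"] != expected["vips"], "virtual IP mismatch"),
        (adv["advert_int"] != expected["advert_int"], "advertisement interval mismatch"),
        (adv["auth_type"] == 1, "simple text authentication: string readable in a capture"),
    ]
    return [text for failed, text in checks if failed]

# Constructed sample: an advertisement carrying the keepalived settings from this article.
_body = (struct.pack("!6BH", 0x21, 20, 210, 1, 1, 30, 0)
         + ipaddress.IPv4Address("192.168.2.100").packed + b"password")
SAMPLE = _body[:6] + struct.pack("!H", inet_checksum(_body)) + _body[8:]
EXPECTED = {"routers": {"192.168.2.10", "192.168.2.11"}, "vips": ["192.168.2.100"], "advert_int": 30}

if __name__ == "__main__":
    adv = parse_advert(SAMPLE)
    print(adv["virtual_mac"], master_down_interval(30, 200), audit("192.168.2.10", 255, adv, EXPECTED))
```

With the router's priority of 200 and a 30-second advertisement interval, the skew time is 56/256 seconds, which is where the 90.218 in the `show vrrp` output comes from.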
Configuring keepalived for VRRP
Step-1: Update the package lists.
sudo apt-get update
Step-2: Install the keepalived service.
sudo apt-get install keepalived
Step-3: Confirm that there is a “keepalived.conf” file in the /etc/keepalived/ directory.
sudo ls -l /etc/keepalived
[sudo] password for kali:
total 0
If it doesn’t already exist, we need to create it.
Step-4: Create the configuration file with your preferred text editor.
nano /etc/keepalived/keepalived.conf
Step-5: After creating the configuration file (keepalived.conf), add the configuration below.
vrrp_instance HA_FreeRADIUS {
    state MASTER
    interface eth1
    virtual_router_id 20
    priority 210
    advert_int 30
    # PASS is a simple text password; it travels unencrypted in every advertisement
    authentication {
        auth_type PASS
        auth_pass password
    }
    virtual_ipaddress {
        192.168.2.100
    }
}
The configuration starts by defining a vrrp_instance block. Between the curly braces we set almost the same parameters as we configured on the router. Keepalived claims the Master state at startup and finalizes its state during multicast advertisement. Since the Keepalived priority is higher than the Cisco router's, we expect it to take the Master state. The table below summarizes the configuration.
Parameter | Description |
---|---|
vrrp_instance | VRRP instance name |
state | The state in which the instance starts |
interface | The interface on which VRRP is enabled |
virtual_router_id | The Virtual Router ID (Group) |
priority | The value used to elect the Master node |
advert_int | The time interval between advertisements |
authentication | Authentication type |
virtual_ipaddress | Virtual Router IP address |
Step-6: Add a new network interface and assign a new IP address from the 192.168.2.0/24 subnet.
sudo ifconfig eth1 192.168.2.10 netmask 255.255.255.0
At this point, VRRP should work successfully.
Verifying VRRP status and checking the logs
Step-1: After configuring the keepalived server, it should be in Master state since it has the higher priority. To verify that, run the command below on the router.
my_router#show vrrp
FastEthernet0/0 - Group 20
  State is Backup
  Virtual IP address is 192.168.2.100
  Virtual MAC address is 0000.5e00.0114
  Advertisement interval is 30.000 sec
  Preemption enabled
  Priority is 200
  Authentication text "password"
  Master Router is 192.168.2.10, priority is 210
  Master Advertisement interval is 30.000 sec
  Master Down interval is 90.218 sec (expires in 66.278 sec)
The output shows that the router is in the Backup state. Remember that this node was in the Master state before we ran keepalived with a priority of 210.
Step-2: Verify on the Kali host that keepalived is the Master node with the “ip add” command.
As can be seen in the screenshot, eth1 has two IP addresses, one of which is the virtual router IP address (192.168.2.100).
The VRRP packets sent by keepalived are below.
Step-3: Check the logs and keepalived service status with the “systemctl status keepalived” command.
# systemctl status keepalived
● keepalived.service - Keepalive Daemon (LVS and VRRP)
     Loaded: loaded (/lib/systemd/system/keepalived.service; disabled; vendor preset: disabled)
     Active: active (running) since Sun 2022-03-06 18:32:10 EST; 1min 35s ago
   Main PID: 1237 (keepalived)
      Tasks: 2 (limit: 2098)
     Memory: 4.8M
        CPU: 25ms
     CGroup: /system.slice/keepalived.service
             ├─1237 /usr/sbin/keepalived --dont-fork
             └─1238 /usr/sbin/keepalived --dont-fork

Mar 06 18:32:10 kali Keepalived[1237]: NOTICE: setting config option max_auto_priority should result in better keepalived performa>
Mar 06 18:32:10 kali Keepalived[1237]: Starting VRRP child process, pid=1238
Mar 06 18:32:10 kali systemd[1]: keepalived.service: Got notification message from PID 1238, but reception only permitted for main>
Mar 06 18:32:10 kali Keepalived[1237]: Startup complete
Mar 06 18:32:10 kali systemd[1]: Started Keepalive Daemon (LVS and VRRP).
Mar 06 18:32:10 kali Keepalived_vrrp[1238]: (HA_FreeRADIUS) Entering BACKUP STATE (init)
Mar 06 18:32:25 kali Keepalived_vrrp[1238]: (HA_FreeRADIUS) received lower priority (200) advert from 192.168.2.11 - discarding
Mar 06 18:32:54 kali Keepalived_vrrp[1238]: (HA_FreeRADIUS) received lower priority (200) advert from 192.168.2.11 - discarding
Mar 06 18:33:19 kali Keepalived_vrrp[1238]: (HA_FreeRADIUS) received lower priority (200) advert from 192.168.2.11 - discarding
Mar 06 18:33:40 kali Keepalived_vrrp[1238]: (HA_FreeRADIUS) Entering MASTER STATE
Step-4: Shut down the eth1 interface of the keepalived server and observe whether the router becomes the new Master.
# ifconfig eth1 down
Step-5: Check the router from the console/terminal to see the logs related to VRRP. My logs are below.
my_router#
*Mar 6 23:43:09.855: %VRRP-6-STATECHANGE: Fa0/0 Grp 20 state Backup -> Master
The logs show that the router has transitioned from Backup to Master state.
Final thoughts
Organizations at the enterprise level need systems that can stay continuously operational for a desirably long time. In cases like that, the solution is high availability. Keepalived is one of the best services that can provide this using VRRP.
References
https://datatracker.ietf.org/doc/html/rfc3768
https://www.cisco.com/c/en/us/td/docs/routers/asr9000/software/asr9k_r4-0/addr_serv/command/reference/ir40asrbook_chapter11.html