Configure VRRP using Keepalived and Cisco’s Router with Examples



Author: Celal Dogan
Reviewer: Deepak Prasad

Introduction to Virtual Router Redundancy Protocol (VRRP)

Virtual Router Redundancy Protocol (VRRP) is an open standard protocol, which has been developed by IEEE (Institute of Electrical and Electronics Engineers).  It provides redundancy in a network and eliminates the single point of failure. The protocol groups several nodes into a virtual node, delivering high availability to the network.

When VRRP starts, an election process takes place in which one of the nodes becomes the “Master” node, while the others become Backup nodes. The Master node owns the virtual IP address and is the active default gateway. There can only be one Master in the network, whereas the number of Backup nodes can vary.

If the Master node fails, a new election process begins and the Backup node configured with the highest priority becomes the new Master node. Since the priority field is one byte, the value varies from 0 to 254. The priority value zero (0) has a special meaning: it indicates that the current Master has stopped participating in VRRP. The priorities from 1 to 254 are the acceptable values to use in the configuration.

A virtual router must use 00-00-5E-00-01-XX as its Media Access Control (MAC) address. The last byte of the address (XX) is the Virtual Router Identifier (VRID), which is different for each virtual router in the network.

In this article, I will configure the “keepalived” tool and a Cisco router to simulate high availability (VRRP) while analyzing the packets with Wireshark. The scenarios can vary; you can even use multiple FreeRADIUS instances with the keepalived tool.

Configuring a Cisco router for VRRP

Step-1: Enter global configuration mode.

my_router#configure terminal

Step-2: Enter interface configuration mode.

my_router(config)#interface FastEthernet0/0

Step-3: Configure an IP address on the interface.

my_router(config-if)# ip address 192.168.2.11 255.255.255.0

Step-4: Configure the virtual IP address and set the virtual router ID (group) to 20.

my_router(config-if)# vrrp 20 ip 192.168.2.100

Step-5: Set the priority to 200.

my_router(config-if)# vrrp 20 priority 200

Step-6: Configure VRRP to send VRRP multicast packets every 30 seconds.

my_router(config-if)#vrrp 20 timers advertise 30

Step-7: Configure authentication type and string.

my_router(config-if)# vrrp 20 authentication text password

Step-8: Enable the interface.

my_router(config-if)#no shutdown

After VRRP is configured, the router changes its state from Backup to Master. The following output shows the transition.

*Mar  6 23:17:17.499: %VRRP-6-STATECHANGE: Fa0/0 Grp 20 state Init -> Backup
*Mar  6 23:17:20.719: %VRRP-6-STATECHANGE: Fa0/0 Grp 20 state Backup -> Master

Step-9: Verify the configuration with the command below.

my_router#show  vrrp
FastEthernet0/0 - Group 20
  State is Master
  Virtual IP address is 192.168.2.100
  Virtual MAC address is 0000.5e00.0114
  Advertisement interval is 30.000 sec
  Preemption enabled
  Priority is 200
  Authentication text "password"
  Master Router is 192.168.2.11 (local), priority is 200
  Master Advertisement interval is 30.000 sec
  Master Down interval is 90.218 sec

The output shows that the node is in the Master state and uses 192.168.2.100 as the virtual IP address. We set the virtual router ID (Group) to 20 (in decimal), which becomes the last byte of the virtual MAC address in hex format (Dec → Hex, 20 → 14). The Master Down interval is 3 times the advertisement interval (which defaults to 1 second) plus the skew time. The Backup node waits for that amount of time; if there are still no advertisements from the Master, it changes its state to Master. The new Master starts to send multicast packets to the 224.0.0.18 IP address every 30 seconds.
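The values in the "show vrrp" output can be recomputed from a single advertisement. The Python below is an added example, not code from the original article: it decodes a VRRPv2 advertisement built from the router settings on this page, derives the virtual MAC address and the Master Down interval (skew time taken as (256 - priority) / 256, per RFC 3768), and flags advertisements from senders outside the configured pair. The function names and the SAMPLE packet are assumptions made for illustration; note that with text authentication the string travels unencrypted in every advertisement.

```python
import ipaddress
import struct

def checksum(data: bytes) -> int:
    """16-bit one's-complement sum over the VRRP message (RFC 1071 style)."""
    data += b"\x00" * (len(data) % 2)
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_advert(vrid, priority, advert_int, vip, auth_text=b""):
    """Build a constructed VRRPv2 advertisement to use as sample input."""
    head = struct.pack("!6B", 0x21, vrid, priority, 1, 1 if auth_text else 0, advert_int)
    tail = ipaddress.IPv4Address(vip).packed + auth_text.ljust(8, b"\x00")
    return head + struct.pack("!H", checksum(head + b"\x00\x00" + tail)) + tail

def parse_advert(pkt: bytes) -> dict:
    """Decode the VRRPv2 payload of a packet sent to 224.0.0.18."""
    if len(pkt) < 16 or pkt[0] != 0x21:   # version 2, type 1 (advertisement)
        raise ValueError("not a VRRPv2 advertisement")
    vrid, prio, count, auth_type, adv = pkt[1:6]
    end = 8 + 4 * count                    # virtual IPs precede the 8 auth bytes
    if len(pkt) < end + 8:
        raise ValueError("truncated advertisement")
    if checksum(pkt[:6] + b"\x00\x00" + pkt[8:]) != struct.unpack("!H", pkt[6:8])[0]:
        raise ValueError("bad checksum")
    auth = pkt[end:end + 8].rstrip(b"\x00").decode("ascii", "replace")
    return {
        "vrid": vrid, "priority": prio, "advert_int": adv,
        "vips": [str(ipaddress.IPv4Address(pkt[i:i + 4])) for i in range(8, end, 4)],
        "auth_text": auth if auth_type == 1 else None,  # type 1 = cleartext string
        "virtual_mac": "0000.5e00.01%02x" % vrid,       # Cisco dotted notation
    }

def master_down_interval(priority: int, advert_int: int) -> float:
    """3 * advertisement interval + skew time, skew = (256 - priority) / 256."""
    return 3 * advert_int + (256 - priority) / 256

def audit(sender: str, adv: dict, allowed: set, vrid: int) -> list:
    """Flag advertisements that do not match the intended deployment."""
    findings = []
    if adv["vrid"] == vrid and sender not in allowed:
        findings.append(f"unexpected advertiser {sender} for VRID {vrid}")
    if adv["auth_text"] is not None:
        findings.append("authentication string is readable on the wire")
    return findings

SAMPLE = build_advert(20, 200, 30, "192.168.2.100", b"password")  # constructed input
```

master_down_interval(200, 30) returns 90.21875, which matches the 90.218 sec the router reports for priority 200 and a 30-second advertisement interval.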

 

The same output as seen in Wireshark is shown below.


Configuring keepalived for VRRP

Step-1: Update the package lists.

sudo apt-get update

Step-2: Install the keepalived service.

sudo apt-get install keepalived

Step-3: Check whether a “keepalived.conf” file exists in the /etc/keepalived/ directory.

sudo ls -l /etc/keepalived
[sudo] password for kali:
total 0

If it doesn’t already exist, we need to create it.

Step-4: Create the configuration file with your preferred text editor.

sudo nano /etc/keepalived/keepalived.conf

Step-5: After creating the configuration file (keepalived.conf), add the configuration below.

vrrp_instance HA_FreeRADIUS {
    state MASTER
    interface eth1
    virtual_router_id 20
    priority 210
    advert_int 30

    authentication {
        auth_type PASS
        auth_pass password
    }

    virtual_ipaddress {
        192.168.2.100
    }
}

The configuration starts by defining a vrrp_instance block. Between the curly braces, we set almost the same parameters as we configured on the router. Keepalived claims the Master state in the beginning and finalizes its state during multicast advertisement. Since the Keepalived priority is higher than the Cisco router's, we expect it to take the Master state. The table below summarizes the configuration.

Parameter            Description
vrrp_instance        VRRP instance name
state                In which state it is going to start
interface            On which interface VRRP will be enabled
virtual_router_id    The Virtual Router ID (Group)
priority             The value used to elect Master node
advert_int           The time interval between the advertisement
authentication       Authentication type
virtual_ipaddress    Virtual Router IP address

Step-6: Add a new network interface and assign it a new IP address from the 192.168.2.0/24 subnet.

sudo ifconfig eth1 192.168.2.10 netmask 255.255.255.0

At this point, VRRP should work successfully.

 

Verifying VRRP status and checking the logs

Step-1: Once the keepalived server is configured, it should be in the Master state since it has the higher priority. To verify that, run the command below on the router.

my_router#show  vrrp
FastEthernet0/0 - Group 20
  State is Backup
  Virtual IP address is 192.168.2.100
  Virtual MAC address is 0000.5e00.0114
  Advertisement interval is 30.000 sec
  Preemption enabled
  Priority is 200
  Authentication text "password"
  Master Router is 192.168.2.10, priority is 210
  Master Advertisement interval is 30.000 sec
  Master Down interval is 90.218 sec (expires in 66.278 sec)

 

The output shows that the router is in the Backup state. Remember that this node was in the Master state before we ran keepalived with priority of 210.

 

Step-2: Verify on the Kali machine that keepalived is the Master node, using the “ip add” command.


As can be seen in the screenshot, eth1 has two IP addresses, one of which is the virtual router IP address (192.168.2.100).

The VRRP packets sent by keepalived are below.


Step-3: Check the logs and keepalived service status with the “systemctl status keepalived” command.

# systemctl status keepalived
● keepalived.service - Keepalive Daemon (LVS and VRRP)
     Loaded: loaded (/lib/systemd/system/keepalived.service; disabled; vendor preset: disabled)
     Active: active (running) since Sun 2022-03-06 18:32:10 EST; 1min 35s ago
   Main PID: 1237 (keepalived)
      Tasks: 2 (limit: 2098)
     Memory: 4.8M
        CPU: 25ms
     CGroup: /system.slice/keepalived.service
             ├─1237 /usr/sbin/keepalived --dont-fork
             └─1238 /usr/sbin/keepalived --dont-fork

Mar 06 18:32:10 kali Keepalived[1237]: NOTICE: setting config option max_auto_priority should result in better keepalived performa>
Mar 06 18:32:10 kali Keepalived[1237]: Starting VRRP child process, pid=1238
Mar 06 18:32:10 kali systemd[1]: keepalived.service: Got notification message from PID 1238, but reception only permitted for main>
Mar 06 18:32:10 kali Keepalived[1237]: Startup complete
Mar 06 18:32:10 kali systemd[1]: Started Keepalive Daemon (LVS and VRRP).
Mar 06 18:32:10 kali Keepalived_vrrp[1238]: (HA_FreeRADIUS) Entering BACKUP STATE (init)
Mar 06 18:32:25 kali Keepalived_vrrp[1238]: (HA_FreeRADIUS) received lower priority (200) advert from 192.168.2.11 - discarding
Mar 06 18:32:54 kali Keepalived_vrrp[1238]: (HA_FreeRADIUS) received lower priority (200) advert from 192.168.2.11 - discarding
Mar 06 18:33:19 kali Keepalived_vrrp[1238]: (HA_FreeRADIUS) received lower priority (200) advert from 192.168.2.11 - discarding
Mar 06 18:33:40 kali Keepalived_vrrp[1238]: (HA_FreeRADIUS) Entering MASTER STATE

 

Step-4: Shut down the eth1 interface of the keepalived server and observe whether the router becomes the new Master.

# ifconfig eth1 down

 

Step-5: Check the router from the console/terminal to see the logs related to VRRP. My logs are below.

my_router#
*Mar  6 23:43:09.855: %VRRP-6-STATECHANGE: Fa0/0 Grp 20 state Backup -> Master

The logs show that the router has transitioned from Backup to Master state.

 

Final thoughts

Organizations at the enterprise level need systems that can remain continuously operational for a desirably long time. In cases like that, the solution is high availability. Keepalived is one of the best services that can provide this using VRRP.

