Page MenuHomeVyOS Platform
Create Task
Maniphest T1972

Allow setting interface name for virtual_ipaddress in VRRP VRID
Closed, ResolvedPublicFEATURE REQUEST
Actions

Description

keepalived allows to set an interface in the virtual_ipaddress context that differs from the interface set in the VRID settings. This allows for a dedicated VRRP interface to be used and virtual addresses to be set on another interface.

The configuration would look like this for keepalived:

vrrp_instance VRID100 {
	state BACKUP
	preempt_delay 180

        # this interface is used for VRRP multicast traffic
	interface eth0
	virtual_router_id 100
	priority 100
	advert_int 1
	virtual_ipaddress {
                # this address gets bound to eth1 instead of eth0
		192.0.2.1/24 dev eth1
	}
}

As for the Vyos configuration, I imagine something like this:

high-availability {
    vrrp {
        group VRID100 {
            interface eth0
            preempt-delay 180
            priority 100
            virtual-address 192.0.2.1/24 {
                dev eth1
            }
            vrid 100
        }
    }
}

Due to this configuration, no IPv4 address needs to be configured on eth1 for keepalived to be able to bind the address to it. Only the VRRP interface (here: eth0) needs to have an address configured. This adds security to a setup where you do not control every device in your L2 segment that is connected to eth1 because you would keep the multicast traffic in a secure environment (e. g. a direct cable between two Vyos boxes).

But this setup also depends on track_interface to be set for eth1 and dont_track_primary set in the vrrp_instance context. So in conclusion, the keepalived configuration would look like this:

vrrp_instance VRID100 {
	state BACKUP
	preempt_delay 180

        # this interface is used for VRRP multicast traffic
	interface eth0

        # dont track eth0 
        dont_track_primary
	virtual_router_id 100
	priority 100
	advert_int 1

        # track the desired interface for the virtual addresses
        track_interface {
            eth1
        }
	virtual_ipaddress {
                # this address gets bound to eth1 instead of eth0
		192.0.2.1/24 dev eth1
	}
}

Is this something, that can be done?

Details

Version
-
Is it a breaking change?
Config syntax change (migratable)
Issue type
Feature (new functionality)

Related Objects

Event Timeline

_mrplow created this task.Jan 20 2020, 8:59 AM
pasik subscribed.Jan 20 2020, 9:54 PM
erkin set Issue type to Feature (new functionality).Aug 31 2021, 5:52 PM
syncer edited projects, added VyOS 1.3 Equuleus (1.3.0); removed VyOS 1.3 Equuleus.Nov 6 2021, 11:25 AM
Viacheslav added a project: VyOS 1.4 Sagitta.Dec 29 2021, 3:55 PM
c-po subscribed.Dec 31 2021, 7:59 AM

This sounds like a "peer-link" or "heartbeat-link" between two VyOS boxes. I have yet no idea how the CLI could look like, maybe you have one?

If CLI design is complete it should not be hard to implement this for 1.4

c-po triaged this task as Low priority.Dec 31 2021, 7:59 AM
c-po removed a project: VyOS 1.3 Equuleus (1.3.0).
c-po edited a custom field.
Viacheslav subscribed.EditedDec 31 2021, 12:09 PM

How about starting with a simple interface and allowing to set interface for binding address?

set high-availability vrrp group foo address 203.0.113.1 interface ethX      
Possible completions:
 > ethN         Interfcae used to assign virtual address
 > eth0         
 > eth1         
 > eth2
Viacheslav added a comment.Jan 8 2022, 2:09 PM

PR https://github.com/vyos/vyos-1x/pull/1143

set high-availability vrrp group WAN address 192.0.2.55/24
set high-availability vrrp group WAN address 192.168.222.222/24 interface 'eth2'
set high-availability vrrp group WAN address 198.51.100.111/24
set high-availability vrrp group WAN interface 'eth0'
set high-availability vrrp group WAN no-preempt
set high-availability vrrp group WAN priority '200'
set high-availability vrrp group WAN track-options notrack-main-interface
set high-availability vrrp group WAN track-options track-interface 'eth2'
set high-availability vrrp group WAN track-options track-interface 'eth1'
set high-availability vrrp group WAN vrid '100'

Keepalived configuration:

vrrp_instance WAN {
    state BACKUP
    interface eth0
    virtual_router_id 100
    priority 200
    advert_int 1
    dont_track_primary
    nopreempt
    virtual_ipaddress {
        192.0.2.55/24
        192.168.222.222/24 dev eth2
        198.51.100.111/24
    }
    track_interface {
        eth2
        eth1
    }
}
Restricted Repository Identity mentioned this in rVYOSONEXdfb2b58e00ea: Merge pull request #1143 from sever-sever/T1972.Jan 9 2022, 8:45 PM
Viacheslav mentioned this in rVYOSONEX66d59d9e393c: vrrp: T1972: Ability to set IP address on not vrrp interface.Jan 9 2022, 8:45 PM
Viacheslav closed this task as Resolved.Jan 14 2022, 8:11 PM
Viacheslav claimed this task.
Viacheslav moved this task from Open to Finished on the VyOS 1.4 Sagitta board.
Alexey.Kirillov subscribed.Feb 13 2022, 9:14 PM

Is there any chance to backport this to 1.3x ?
It makes migration from cluster way easier.

Viacheslav added a comment.Feb 14 2022, 2:18 PM

@Alexey.Kirillov it required more tests and responses from 1.4
Could you test it?

Alexey.Kirillov added a comment.Feb 14 2022, 2:22 PM

sure, I'll test 1.4 rolling
but if this feature simply adds "dev XXX" to virtual_address in vrrp config that shouldn't break much

Alexey.Kirillov added a comment.Feb 14 2022, 2:51 PM

works as expected:

vyos@vyos# run sh ver | head -2

Version:          VyOS 1.4-rolling-202202140317

vyos@vyos# run sh conf com | grep high
set high-availability vrrp group test address 192.168.87.200/24 interface 'eth1.100'
set high-availability vrrp group test address 192.168.88.200/24
set high-availability vrrp group test interface 'eth1'
set high-availability vrrp group test priority '200'
set high-availability vrrp group test vrid '100'
[edit]
vyos@vyos# run sh int
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface        IP Address                        S/L  Description
---------        ----------                        ---  -----------
eth1             192.168.88.201/24                 u/u
                 192.168.88.200/24
eth1.100         192.168.87.200/24                 u/u
lo               127.0.0.1/8                       u/u
                 ::1/128
[edit]
vyos@vyos# cat /run/keepalived/keepalived.conf
# Autogenerated by VyOS
# Do not edit this file, all your changes will be lost
# on next commit or reboot

global_defs {
    dynamic_interfaces
    script_user root
    notify_fifo /run/keepalived/keepalived_notify_fifo
    notify_fifo_script /usr/libexec/vyos/system/keepalived-fifo.py
}

vrrp_instance test {
    state BACKUP
    interface eth1
    virtual_router_id 100
    priority 200
    advert_int 1
    preempt_delay 0
    virtual_ipaddress {
        192.168.87.200/24 dev eth1.100
        192.168.88.200/24
    }
}

also I've tested IP migration - disabled vrrp group on 1st router, and got this on 2nd:

vyos@vyos# run sh vrrp
Name    Interface      VRID  State      Priority  Last Transition
------  -----------  ------  -------  ----------  -----------------
test    eth1            100  MASTER          100  3s
[edit]
vyos@vyos# run sh int
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface        IP Address                        S/L  Description
---------        ----------                        ---  -----------
eth1             192.168.88.202/24                 u/u
                 192.168.88.200/24
eth1.100         192.168.87.200/24                 u/u
lo               127.0.0.1/8                       u/u
                 ::1/128
Viacheslav reopened this task as In progress.Feb 16 2022, 2:57 PM
Viacheslav added a project: VyOS 1.3 Equuleus ( 1.3.1).
Viacheslav added a comment.Feb 16 2022, 3:09 PM

PR for 1.3 https://github.com/vyos/vyos-1x/pull/1224

Restricted Repository Identity mentioned this in rVYOSONEXb14e91cb5547: Merge pull request #1224 from sever-sever/T1972-equ.Feb 17 2022, 2:22 PM
Viacheslav mentioned this in rVYOSONEXb99432ee2dc8: vrrp: T1972: Ability to set IP address on not vrrp interface.Feb 17 2022, 2:22 PM
Viacheslav changed the task status from In progress to Needs testing.Feb 17 2022, 3:53 PM
Viacheslav closed this task as Resolved.May 10 2022, 10:37 AM
Viacheslav moved this task from Need Triage to Finished on the VyOS 1.3 Equuleus ( 1.3.1) board.
dmbaturin mentioned this in 1.3.1.Jun 11 2022, 8:40 AM
dmbaturin mentioned this in 1.3.3.Sep 22 2022, 10:56 AM