VRRP-aware control of IPv6 Router Advertisements (RA)
Open, Normal, Public

Description

Provide native integration between VRRP state and IPv6 Router Advertisement (RA) behavior, so that only the VRRP MASTER sends RAs, without requiring custom transition scripts.
In a VRRPv3 (IPv6) setup on VyOS, when service router-advert is configured on an interface shared by VRRP peers:
Both MASTER and BACKUP routers run radvd, and both routers send Router Advertisements, so clients receive multiple default routers (multiple link-local next hops).
This happens even though only one router owns the VRRP virtual IPv6 address, where the active router should be the only one advertising itself as the default gateway.
The solution at this point is custom transition scripts.

Ex.
vrrp-lan-master.sh

#!/bin/vbash
source /opt/vyatta/etc/functions/script-template

configure
delete service router-advert interface eth0 no-send-advert
commit
exit

vrrp-lan-backup.sh

#!/bin/vbash
source /opt/vyatta/etc/functions/script-template

configure
set service router-advert interface eth0 no-send-advert
commit
exit

set high-availability vrrp group LAN transition-script backup '/config/scripts/vrrp-lan-backup.sh'
set high-availability vrrp group LAN transition-script fault '/config/scripts/vrrp-lan-backup.sh'
set high-availability vrrp group LAN transition-script master '/config/scripts/vrrp-lan-master.sh'
set service router-advert interface eth0 default-preference 'high'
set service router-advert interface eth0 prefix 2001:db8:acad:1::/64

Details

Version
1.4.4
Is it a breaking change?
Perfectly compatible
Issue type
Feature (new functionality)

Event Timeline

c.faria triaged this task as Normal priority.
c.faria created this object in space S1 VyOS Public.

This can be solved with the already existing source-address option. When it's set, advertisements are sent from a unicast IPv6 address, if it's assigned. If it's not assigned, they are not sent.

  1. Assign a real address:
vyos@vyos# set interfaces ethernet eth0 address 2001:db8:1::1/64 
[edit]
  2. Configure RA with a different address (the intended virtual address) as the source address:
vyos@vyos# set service router-advert interface eth0 prefix 2001:db8:1::/64
[edit]
vyos@vyos# set service router-advert interface eth0 interval min 3
[edit]
vyos@vyos# set service router-advert interface eth0 interval max 5
[edit]
vyos@vyos# set service router-advert interface eth0 source-address 2001:db8:1::ff
[edit]
vyos@vyos# commit
[edit]
  3. Check if the system is sending any advertisements — it is not:
vyos@vyos# sudo time tcpdump -i eth0 ip6
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
^C
0 packets captured
0 packets received by filter
0 packets dropped by kernel
real	0m 6.52s
user	0m 0.00s
sys	0m 0.00s
[edit]
  4. Add a VRRP setup with the RA source address as a virtual address:
vyos@vyos# set high-availability vrrp group RA-TEST vrid 1
[edit]
vyos@vyos# set high-availability vrrp group RA-TEST address 2001:db8:1::ff/64
[edit]
vyos@vyos# set high-availability vrrp group RA-TEST interface eth0
[edit]
vyos@vyos# commit
[edit]
  5. The system is sending VRRP keepalives and router advertisements from the virtual address:
vyos@vyos# sudo time tcpdump -i eth0 ip6
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
11:48:49.846157 IP6 fe80::5055:ff:fed1:5506 > ff02::12: VRRPv3, Advertisement, vrid 1, prio 100, intvl 100cs, length 24
11:48:49.847282 IP6 2001:db8:1::ff > ip6-allnodes: ICMP6, neighbor advertisement, tgt is 2001:db8:1::ff, length 32
11:48:49.847522 IP6 2001:db8:1::ff > ip6-allnodes: ICMP6, neighbor advertisement, tgt is 2001:db8:1::ff, length 32
11:48:49.847613 IP6 2001:db8:1::ff > ip6-allnodes: ICMP6, neighbor advertisement, tgt is 2001:db8:1::ff, length 32
11:48:49.849748 IP6 fe80::5055:ff:fed1:5506 > ff02::16: HBH ICMP6, multicast listener report v2, 7 group record(s), length 148
11:48:49.849941 IP6 2001:db8:1::ff > ip6-allnodes: ICMP6, neighbor advertisement, tgt is 2001:db8:1::ff, length 32
11:48:49.849992 IP6 2001:db8:1::ff > ip6-allnodes: ICMP6, neighbor advertisement, tgt is 2001:db8:1::ff, length 32
11:48:50.822247 IP6 fe80::5055:ff:fed1:5506 > ff02::16: HBH ICMP6, multicast listener report v2, 7 group record(s), length 148
11:48:50.849541 IP6 2001:db8:1::ff > ip6-allnodes: ICMP6, router advertisement, length 64
11:48:50.850166 IP6 fe80::5055:ff:fed1:5506 > ff02::12: VRRPv3, Advertisement, vrid 1, prio 100, intvl 100cs, length 24
11:48:51.850456 IP6 fe80::5055:ff:fed1:5506 > ff02::12: VRRPv3, Advertisement, vrid 1, prio 100, intvl 100cs, length 24
11:48:52.851013 IP6 fe80::5055:ff:fed1:5506 > ff02::12: VRRPv3, Advertisement, vrid 1, prio 100, intvl 100cs, length 24
11:48:53.851444 IP6 fe80::5055:ff:fed1:5506 > ff02::12: VRRPv3, Advertisement, vrid 1, prio 100, intvl 100cs, length 24
11:48:54.850318 IP6 2001:db8:1::ff > ip6-allnodes: ICMP6, neighbor advertisement, tgt is 2001:db8:1::ff, length 32
11:48:54.850641 IP6 2001:db8:1::ff > ip6-allnodes: ICMP6, neighbor advertisement, tgt is 2001:db8:1::ff, length 32
11:48:54.850954 IP6 2001:db8:1::ff > ip6-allnodes: ICMP6, neighbor advertisement, tgt is 2001:db8:1::ff, length 32
11:48:54.851266 IP6 2001:db8:1::ff > ip6-allnodes: ICMP6, neighbor advertisement, tgt is 2001:db8:1::ff, length 32
11:48:54.851538 IP6 2001:db8:1::ff > ip6-allnodes: ICMP6, neighbor advertisement, tgt is 2001:db8:1::ff, length 32
11:48:54.851805 IP6 fe80::5055:ff:fed1:5506 > ff02::12: VRRPv3, Advertisement, vrid 1, prio 100, intvl 100cs, length 24
11:48:55.852137 IP6 fe80::5055:ff:fed1:5506 > ff02::12: VRRPv3, Advertisement, vrid 1, prio 100, intvl 100cs, length 24
11:48:55.852611 IP6 2001:db8:1::ff > ip6-allnodes: ICMP6, router advertisement, length 64
^C
21 packets captured
21 packets received by filter
0 packets dropped by kernel
real	0m 8.14s
user	0m 0.00s
sys	0m 0.00s
[edit]
  6. Disable the VRRP group:
vyos@vyos# set high-availability vrrp group RA-TEST disable 
[edit]
vyos@vyos# commit
[edit]
  7. Observe that both VRRP and RA packets are no longer sent:
vyos@vyos# sudo time tcpdump -i eth0 ip6
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
^C
0 packets captured
0 packets received by filter
0 packets dropped by kernel
real	0m 9.35s
user	0m 0.00s
sys	0m 0.00s
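
A check for the behaviour shown in the captures above, as an added example that is not part of the original task or comment: it reads `tcpdump -i eth0 ip6` text output and reports which addresses send Router Advertisements, so a segment where both VRRP peers (or any unexpected host) advertise is easy to spot. The function names and the `fe80::1`/`fe80::2` sample lines are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the VyOS task): audit RA senders in tcpdump text output.

# Print "source count" for every distinct Router Advertisement sender on stdin.
# Neighbor advertisements and VRRPv3 packets are ignored.
ra_sources() {
    awk '$2 == "IP6" && /ICMP6, router advertisement/ { n[$3]++ }
         END { for (s in n) print s, n[s] }' | sort
}

# Succeed only if at least one RA was seen and all RAs came from address $1.
# Unexpected senders are printed so they can be traced on the segment.
ra_only_from() {
    ra_sources | awk -v want="$1" '
        { seen = 1 }
        $1 != want { bad = 1; print "unexpected RA sender:", $1 }
        END { if (seen && !bad) exit 0; exit 1 }'
}

# Lines copied from the capture above: VRRP group active, RA sourced from the VIP.
vip_capture='11:48:50.849541 IP6 2001:db8:1::ff > ip6-allnodes: ICMP6, router advertisement, length 64
11:48:50.850166 IP6 fe80::5055:ff:fed1:5506 > ff02::12: VRRPv3, Advertisement, vrid 1, prio 100, intvl 100cs, length 24
11:48:54.850318 IP6 2001:db8:1::ff > ip6-allnodes: ICMP6, neighbor advertisement, tgt is 2001:db8:1::ff, length 32
11:48:55.852611 IP6 2001:db8:1::ff > ip6-allnodes: ICMP6, router advertisement, length 64'

# Constructed sample: MASTER and BACKUP both advertising from their link-local
# addresses (fe80::1 and fe80::2 are made-up values), as in the task description.
dual_capture='12:00:00.000001 IP6 fe80::1 > ip6-allnodes: ICMP6, router advertisement, length 64
12:00:01.000001 IP6 fe80::2 > ip6-allnodes: ICMP6, router advertisement, length 64
12:00:04.000001 IP6 fe80::1 > ip6-allnodes: ICMP6, router advertisement, length 64'

printf '%s\n' "$vip_capture" | ra_sources
printf '%s\n' "$dual_capture" | ra_only_from 2001:db8:1::ff || echo "RA senders do not match the VIP"
```

An empty capture also fails `ra_only_from`, which matches the disabled-group state in the last step, where no RA leaves the router at all.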