Objective
Set up network gateway redundancy using the VRRP (Virtual Router Redundancy Protocol) via Keepalived to ensure service continuity.
Prerequisites
- 2 Linux Debian/Ubuntu servers (routers)
- Network configured (same VLAN)
- Root access
VRRP Principle
VRRP is a standardised protocol (RFC 5798) allowing multiple routers to share a virtual IP (VIP). Only one router is active (MASTER), the others are on standby (BACKUP). If the MASTER fails, a BACKUP automatically takes over.
Key concepts
- VIP (Virtual IP): Shared IP address (e.g. 192.168.1.1)
- VRID (Virtual Router ID): VRRP group identifier (1-255)
- Priority: Router priority (1-255, higher = MASTER)
- Multicast: Communication between routers via 224.0.0.18
- Preemption: Automatic re-acquisition of MASTER role by the priority router
Example architecture
        Clients (192.168.1.0/24)
                  ↓
        Gateway: 192.168.1.1 (VIP)
                  ↓
        ┌─────────┴─────────┐
     ROUTER1             ROUTER2
  192.168.1.10        192.168.1.20
  Priority: 120       Priority: 100
    [MASTER]            [BACKUP]
Full Procedure
Step 1: Install Keepalived
On ROUTER1 and ROUTER2:
sudo apt update
sudo apt install keepalived -y
Step 2: Enable IP routing
On both routers:
# Immediate activation
sudo sysctl -w net.ipv4.ip_forward=1
# Persistent after reboot
echo "net.ipv4.ip_forward = 1" | sudo tee -a /etc/sysctl.conf
sudo sysctl -p
Step 3: Configure ROUTER1 (MASTER)
Create the file /etc/keepalived/keepalived.conf:
sudo nano /etc/keepalived/keepalived.conf
Content:
! VRRP configuration for ROUTER1 (MASTER)

# Healthcheck script (declared before the instance that references it,
# which older Keepalived versions require)
vrrp_script chk_gateway {
    script "/usr/bin/killall -0 keepalived"   # Placeholder check: only verifies keepalived itself is running
    interval 2                                # Check every 2 sec
    weight -20                                # Priority reduction on failure
}

vrrp_instance VRRP_GATEWAY {
    state MASTER                  # Initial role
    interface eth0                # Network interface
    virtual_router_id 10          # VRID (identical on ROUTER2)
    priority 120                  # High priority = MASTER
    advert_int 1                  # Advertisement interval (1 sec)
    authentication {
        auth_type PASS
        auth_pass SecurePassword123   # Max 8 characters: Keepalived truncates this to "SecurePa"
    }
    virtual_ipaddress {
        192.168.1.1/24            # Shared VIP
    }
    # Health check script (optional)
    track_script {
        chk_gateway
    }
}
Step 4: Configure ROUTER2 (BACKUP)
Create the file /etc/keepalived/keepalived.conf:
sudo nano /etc/keepalived/keepalived.conf
Content:
! VRRP configuration for ROUTER2 (BACKUP)

# Healthcheck script (declared before the instance that references it)
vrrp_script chk_gateway {
    script "/usr/bin/killall -0 keepalived"   # Placeholder check, same as ROUTER1
    interval 2
    weight -20
}

vrrp_instance VRRP_GATEWAY {
    state BACKUP                  # Initial role
    interface eth0                # Network interface
    virtual_router_id 10          # Same VRID as ROUTER1
    priority 100                  # Low priority = BACKUP
    advert_int 1                  # Advertisement interval (1 sec)
    authentication {
        auth_type PASS
        auth_pass SecurePassword123   # Same as ROUTER1 (truncated to 8 characters on both routers)
    }
    virtual_ipaddress {
        192.168.1.1/24            # Same VIP
    }
    track_script {
        chk_gateway
    }
}
Step 5: Start the services
On ROUTER1 and ROUTER2:
# Enable the service at boot
sudo systemctl enable keepalived
# Start
sudo systemctl start keepalived
# Check status
sudo systemctl status keepalived
Verification
1. Verify VIP assignment
On ROUTER1 (MASTER):
ip addr show eth0
Should display IP 192.168.1.1 in addition to 192.168.1.10
On ROUTER2 (BACKUP):
ip addr show eth0
Should only display 192.168.1.20 (not the VIP)
2. Check Keepalived logs
sudo journalctl -u keepalived -f
On ROUTER1, should display: "Entering MASTER STATE"
3. Connectivity test from a client
ping 192.168.1.1
4. Check ARP table
arp -a | grep 192.168.1.1
The MAC address should be that of the VRRP virtual interface (00:00:5e:00:01:0a)
5. Failover test
- From a client, start a continuous ping:
ping -t 192.168.1.1
(Windows client; on a Linux client, plain ping 192.168.1.1 already runs continuously, since -t there sets the TTL.)
- On ROUTER1 (MASTER), stop Keepalived:
sudo systemctl stop keepalived
- Observe:
- 1-2 ping packets lost
- ROUTER2 becomes MASTER
- Ping resumes automatically
6. Check logs on ROUTER2
sudo journalctl -u keepalived -n 20
Should display: "Entering MASTER STATE"
Advanced Options
Disable preemption
By default, if ROUTER1 becomes available again with its priority 120, it reclaims the MASTER role. To disable this behaviour:
vrrp_instance VRRP_GATEWAY {
nopreempt
...
}
Advanced monitoring with custom script
Create a more robust healthcheck script:
sudo nano /etc/keepalived/check_gateway.sh
#!/bin/bash
# Check Internet connectivity via ping
ping -c 1 -W 1 8.8.8.8 > /dev/null 2>&1
if [ $? -eq 0 ]; then
    exit 0   # OK
else
    exit 1   # Failure
fi
sudo chmod +x /etc/keepalived/check_gateway.sh
Modify keepalived.conf:
vrrp_script chk_gateway {
script "/etc/keepalived/check_gateway.sh"
interval 5
weight -30
}
Security and Limitations
Points to watch
- VRRP authentication: The password travels in plaintext inside every advertisement (multicast 224.0.0.18), so any host on the segment can read it. For enhanced security, isolate the router VLAN.
- Split-brain: If communication between routers is lost (but both are active), there is a risk of having two simultaneous MASTERs.
- No state replication: VRRP does not replicate active connections (TCP sessions). Established connections are lost during failover.
- Layer 3 only: VRRP manages the virtual IP, not dynamic routing (OSPF/BGP).
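As an added example (not part of this sheet or of Keepalived's own code), the following Python builds the VRRPv2 advertisement ROUTER1 sends for the configuration above and decodes it the way a monitoring probe on the router VLAN would, which makes the plaintext password and its 8-byte truncation, the checksum, the virtual MAC, and the master election rule concrete. It goes slightly beyond the sheet by applying the RFC tie-break (equal priorities are decided by the higher primary IP); the packet bytes are constructed inline and no socket is opened.

```python
import ipaddress
import struct

VRRP_MCAST = "224.0.0.18"   # destination of every advertisement (IP protocol 112)


def vrrp_virtual_mac(vrid):
    """RFC 5798 virtual MAC 00-00-5E-00-01-{VRID}: VRID 10 -> 00:00:5e:00:01:0a."""
    return "00:00:5e:00:01:%02x" % vrid


def checksum(data):
    """RFC 1071 one's-complement checksum over the whole VRRPv2 message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_advert(vrid, priority, vips, advert_int=1, auth_pass=""):
    """VRRPv2 ADVERTISEMENT (RFC 3768 layout, which auth_type PASS implies).
    Keepalived keeps only the first 8 bytes of auth_pass and sends them in clear."""
    auth_type = 1 if auth_pass else 0
    auth = auth_pass.encode()[:8].ljust(8, b"\x00")
    hdr = struct.pack("!BBBBBBH", (2 << 4) | 1, vrid, priority, len(vips),
                      auth_type, advert_int, 0)            # checksum placeholder
    body = b"".join(ipaddress.IPv4Address(v).packed for v in vips) + auth
    return hdr[:6] + struct.pack("!H", checksum(hdr + body)) + body


def checksum_ok(pkt):
    """A valid message sums to zero once its own checksum field is included."""
    return checksum(pkt) == 0


def parse_advert(pkt):
    """Decode an advertisement as a probe on the VLAN sees it (no sniffing here)."""
    if not checksum_ok(pkt):
        raise ValueError("bad VRRP checksum")
    vt, vrid, prio, count, auth_type, adv, _ = struct.unpack("!BBBBBBH", pkt[:8])
    vips = [str(ipaddress.IPv4Address(pkt[8 + 4 * i:12 + 4 * i])) for i in range(count)]
    auth = pkt[8 + 4 * count:16 + 4 * count]
    return {"version": vt >> 4, "type": vt & 0xF, "vrid": vrid, "priority": prio,
            "advert_int": adv, "vips": vips,
            "auth_pass": auth.rstrip(b"\x00").decode() if auth_type == 1 else None}


def elect_master(routers):
    """routers: [(priority, primary_ip)]. Highest priority wins; equal priorities
    are broken by the higher primary IP (RFC 5798 tie-break, beyond the sheet)."""
    return max(routers, key=lambda r: (r[0], int(ipaddress.IPv4Address(r[1]))))[1]
```

Feeding the ROUTER1 values (VRID 10, priority 120, VIP 192.168.1.1, auth_pass SecurePassword123) through build_advert and parse_advert yields auth_pass "SecurePa", which is exactly what a capture on the VLAN would show.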
Firewall configuration
Allow VRRP traffic (protocol 112):
sudo iptables -A INPUT -p vrrp -j ACCEPT
sudo iptables -A OUTPUT -p vrrp -j ACCEPT
# Save
sudo apt install iptables-persistent -y
sudo netfilter-persistent save
Key Points for the BTS Oral
- VRRP (RFC 5798): gateway redundancy protocol
- VIP: virtual IP shared between routers
- VRID: VRRP group identifier (1-255)
- Priority: determines the MASTER/BACKUP role
- Multicast 224.0.0.18: VRRP communication channel
- Preemption: automatic re-acquisition of MASTER role
- Keepalived: VRRP implementation on Linux
- Failover: 1-2 seconds (depends on advert_int)
- Stateless: no state synchronisation between routers
- Difference from HSRP: VRRP = open standard, HSRP = Cisco proprietary
VRRP ≠ dynamic routing. VRRP manages only the VIP. For complete redundancy, combine with OSPF or BGP for inter-network routing.