
Allow setting interface name for virtual_ipaddress in VRRP VRID
Open, Requires assessment | Public | FEATURE REQUEST

Description

keepalived allows setting an interface in the virtual_ipaddress context that differs from the interface set in the VRID settings. This allows for a dedicated VRRP interface to be used and virtual addresses to be set on another interface.

The configuration would look like this for keepalived:

vrrp_instance VRID100 {
    state BACKUP
    preempt_delay 180

    # this interface is used for VRRP multicast traffic
    interface eth0
    virtual_router_id 100
    priority 100
    advert_int 1
    virtual_ipaddress {
        # this address gets bound to eth1 instead of eth0
        192.0.2.1/24 dev eth1
    }
}

As for the VyOS configuration, I imagine something like this:

high-availability {
    vrrp {
        group VRID100 {
            interface eth0
            preempt-delay 180
            priority 100
            virtual-address 192.0.2.1/24 {
                dev eth1
            }
            vrid 100
        }
    }
}

Due to this configuration, no IPv4 address needs to be configured on eth1 for keepalived to be able to bind the address to it. Only the VRRP interface (here: eth0) needs to have an address configured. This adds security to a setup where you do not control every device in your L2 segment that is connected to eth1 because you would keep the multicast traffic in a secure environment (e.g. a direct cable between two VyOS boxes).

But this setup also depends on track_interface to be set for eth1 and dont_track_primary set in the vrrp_instance context. So in conclusion, the keepalived configuration would look like this:

vrrp_instance VRID100 {
    state BACKUP
    preempt_delay 180

    # this interface is used for VRRP multicast traffic
    interface eth0

    # don't track eth0
    dont_track_primary
    virtual_router_id 100
    priority 100
    advert_int 1

    # track the desired interface for the virtual addresses
    track_interface {
        eth1
    }
    virtual_ipaddress {
        # this address gets bound to eth1 instead of eth0
        192.0.2.1/24 dev eth1
    }
}

Is this something that can be done?
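
Added example (not part of the original request, and not VyOS or keepalived code): a small Python check for the dependency described above, flagging any vrrp_instance that binds a virtual address to `dev <other interface>` without listing that interface in track_interface or without setting dont_track_primary. The names `lint_vrrp` and `SAMPLE` are hypothetical, and the parser assumes one directive per line as in the blocks above.

```python
# Constructed sample: the request's first keepalived block, which moves the VIP
# to eth1 but does not yet track eth1 or set dont_track_primary.
SAMPLE = """
vrrp_instance VRID100 {
    interface eth0            # VRRP multicast traffic
    virtual_router_id 100
    virtual_ipaddress {
        192.0.2.1/24 dev eth1
    }
}
"""

def lint_vrrp(conf):
    """Return warnings for VIPs placed on an interface other than the VRRP one."""
    warnings, depth, inst = [], 0, None
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0]              # drop comments
        tok = line.split()
        if not tok:
            continue
        if depth == 0 and tok[0] == "vrrp_instance":
            inst = {"name": tok[1], "primary": None, "section": None,
                    "vip_devs": set(), "tracked": set(), "dtp": False}
        elif inst and depth == 1:
            if tok[0] == "interface":
                inst["primary"] = tok[1]
            elif tok[0] == "dont_track_primary":
                inst["dtp"] = True
            if "{" in line:                      # entering a nested block
                inst["section"] = tok[0]
        elif inst and depth == 2 and tok[0] != "}":
            if inst["section"] == "virtual_ipaddress" and "dev" in tok[:-1]:
                inst["vip_devs"].add(tok[tok.index("dev") + 1])
            elif inst["section"] == "track_interface":
                inst["tracked"].add(tok[0])
        depth += line.count("{") - line.count("}")
        if inst and depth == 0:                  # instance block just closed
            for dev in sorted(inst["vip_devs"] - {inst["primary"]}):
                if dev not in inst["tracked"]:
                    warnings.append(f"{inst['name']}: {dev} holds a VIP but is not in track_interface")
                if not inst["dtp"]:
                    warnings.append(f"{inst['name']}: VIP on {dev} but dont_track_primary is not set")
            inst = None
    return warnings

if __name__ == "__main__":
    print("\n".join(lint_vrrp(SAMPLE)))
```
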

Details

Difficulty level
Unknown (require assessment)
Version
-
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Config syntax change (migratable)

Event Timeline

_mrplow created this task. Jan 20 2020, 8:59 AM
pasik added a subscriber: pasik. Jan 20 2020, 9:54 PM