Virtual Router Redundancy Protocol (VRRP).

VRRP is a networking protocol used to associate a group of physical routers to a virtual one, using a master router and backups to increase availability and reliability of routing paths via automatic default gateway selections on an IP subnetwork.

Setting up VRRP

VRRP communicates using multicast, and so each member of the VRRP group does not need to be made aware of each other manually. Let's assume that we wish to set this up using two VyOS routers, router 1 with a private IP of 10.0.0.1/24 on eth0 and router 2 with a private IP of 10.0.0.2/24 on eth0 (the public IP can either be different for each router, or a shared public IP can be used). We will be using a virtual address of 10.0.0.254/24.

The VRRP group needs to be set up on eth0 on router 1. In this scenario we will be using VRRP group 10, there can be a maximum of 255 VRRP groups on a single interface.

edit interfaces ethernet eth0 vrrp vrrp-group 10
set virtual-address 10.10.10.254/24

In this scenario we will set preempt to true. This means that the highest priority router will always become master, even if another router is already master. The priority here will also be set.

set preempt true
set priority 150

We will also enable rfc3768-compatibility.

set rfc3768-compatibility

The method of authentication should then also be set. This will help prevent outside devices from potentially joining the VRRP group. The only authentication types available are plaintext passwords or IP authentication headers. By default no authentication used. Here we will set up a plaintext password.

set authentication type plaintext-password
set authentication password <PASSWORD>

This completes the configuration for router 1. It should also be repeated on router 2, with the priority changed to reflect which router you wish to be master.

commit
save

Using a sync-group

Sync groups are useful if you have more than one VRRP group on your routers. If one interface fails on master, a sync group will cause all interfaces to migrate to the backup router (that are within the same group). Depending on the circumstance, this can be desired as opposed to only have the single interface migrate. A sync group needs to be configured on each VRRP group where it needs to apply.

set interface ethernet eth0 vrrp vrrp-group 10 sync-group <SYNC-GROUP>