| The Linux Virtual Router Project - Informal Description |
Note 5/3/2011: This page is out of date but kept around for historical reasons. These days we are still running a Linux virtual router, but it is based on CentOS 5.x + Linux 2.6 + Quagga.
One of the more exciting projects we have been working on lately is the Linux Virtual Router. Quite simply, it is a group of Linux machines that function together as a single Layer 3 Router, in a redundant fashion so that if the primary machine goes down, another can take over for it transparently. It routes between virtual layer 2 networks, implemented using IEEE 802.1Q VLANs. Please note that this page is a work in progress, and will be updated over the next few weeks with more details as I find time to do so.
Audience
This page is intended for a network administrator familiar with IP routing, Virtual Router Redundancy Protocol, and IEEE 802.1Q VLANs. It is an informal description of the project, and doesn't go into extreme detail.
Goal
We want to build a Layer 3 router that can link several Layer 2 IP subnetworks (implemented as multiple VLANs on a switched network) together. The big problem, though, is lack of redundancy. If the router fails, there is no connectivity. The solution we might come up with first is to simply have two routers. This works great, however we must remember that every host on an IP network must have a default route. Because of this, we have to choose one router or the other for the default route, and if we are unlucky enough to have the one we chose fail, network connectivity is lost for those hosts. Oops.
Virtual Router Redundancy Protocol (RFC 2338) was created to solve this problem. The goal of this project was to implement two things with Linux: (1) A router that can sit on several VLANs and route packets between them, and (2) Combining two or more of these routers into a VRRP virtual router for redundancy.
There exist hardware routers that can do this, and probably faster than a software solution. However, they are expensive, and the performance and reliability requirements of our application are met by this software solution.
Software Used
Hardware Used
- Primary router (sagwa): Dual Pentium III 933Mhz, 256MB RAM, Serverworks LE chipset, SysKonnect Gigabit Ethernet board on a 64 bit PCI bus
- Secondary router (zorba): Pentium III 450Mhz, 512MB RAM+, Intel 440BX chipset, Intel EtherExpress Pro100 ethernet board on a 32 bit PCI bus
+ Yes, we realize the secondary router has more RAM. This is because the primary requires buffered SDRAM, which we don't have a large quantity of. We're up to our necks in unbuffered SDRAM, however.
Configuration summary
- Two or more machines are configured. Linux kernel VLAN support is used to place both of these machines on all the subnets that need routing services, with a seperate "real" IP address on each interface. The Linux VLAN code allows one to assign a custom MAC address to each virtual interface, so this is done. Unique MAC addresses per VLAN are necessary, otherwise vrrpd will not function.
- The machines are connected to seperate ports on a Layer 2 ethernet switch. The port is configured as a tagged trunk and placed on the appropriate vlans.
- A special IP address known as the "virtual default route" is allocated on each subnet. This IP address is the one that all workstations on the various subnets will use as a default route.
- On each machine, a vrrpd is started for each subnet that needs a virtual default route. Each network is assigned a unique VID.
- The routing daemon, zebra, is configured. Configuration varies with the network topology, but in general, zebra is used to supply the routers with external routing information so that packets can enter and leave the network.
So far we have had much success with this project. We have come across several caveats, but have managed to work around them. The stability of the Linux kernel when doing heavy IP routing is quite impressive.
Caveats (and solutions, if any)
- ICMP Redirects - When an ICMP redirect is sent in response to a packet received by a virtual interface, the redirect's source packet is the "real" IP address of the interface, rather than the virtual one. This results in the redirects being ignored by the client. We patched the Linux kernel so that ICMP redirects can be configured to come from alternate IP addresses on an interface.
- Zebra instability - We found that Zebra's OSPF daemon sometimes crashes when interface state changes during operation. Monitoring scripts, which determine when ospfd crashes and restarts it when necessary, are a temporary solution until the OSPF developers solve these stability problems.
SMP mode doesn't work - We can't run both CPU's on the primary virtual router. This is because there are still unresolved locking issues in the VLAN code pertaining to multicast traffic.
- SMP works perfectly! Apparently, the bugs that were in 2.4.17 that caused crashes running SMP and VLAN code have been resolved in version 2.4.19. Not only is it not crashing, but the routing performance has improved somewhat, as the Linux kernel routing code is threaded and thus takes advantage of both CPU's!
- Some network cards may not report or set duplex correctly when talking to the switch. Low performance may be the result of this. The duplex on both ends of the link should always match. To reduce likelyhood of problems, forcing both ends of the link to full duplex is recommended.
Performance
Routing performance is pretty good, considering that it is all software routing and packets are coming in and out of the same physical interface. We have achieved 400-500 Mbps of throughput through the primary router, which has a gigabit interface. CPU load has been found to be minimal at all times.
Interoperability
We have successfully joined a Nortel Networks Accelar router/switch into the virtual router. It takes over properly when the Linux routers go down. Unfortunately, Cisco does not support VRRP (they have their own proprietary version) so we have not been able to test interoperability with Cisco IOS.
Links and Resources
- Kernel patch for Linux 2.4.17 - This patch fixes MTU problems on the Intel 82559 based ethernet cards and allows you to echo a "1" into /proc/sys/net/ipv4/conf/ethx.vlan/icmp_redirect_walk to send ICMP redirects from the next address on that interface. Somewhat of a kludge, but it fixes the ICMP redirect problems listed above.
- Kernel patch for Linux 2.4.19 - (Added 11/5/2002) This patch is identical in function to the one above, but is for Linux Kernel 2.4.19. Kernel 2.4.19 resolves SMP issues running the VLAN code.
Miscellaneous
I am always open to comments and suggestions concerning this project. It is ongoing, as our core network infrastructure at FIU-SCS depends on it.
This page written by John Flynn - flynnj@cs dot fiu dot edu
Sagwa the Siamese Cat (c) Cinegroupe, used without permission 'coz it's cute. :)