Trusted Contributor
acecanal
Posts: 149
Registered: ‎07-05-2011
0

Re: vrrp

  The vrrp inherit is like a "follow the leader". There will be the active or main group under an active interface. If this is master, the follower vrrp group will be master regardless of its priority.

 

  But if the active group becomes backup for any reason, a tracked interface, or route, the follower will become backup.

 

  Your configuration is right except you mix fe- and ge- interfaces, and you use different vrrp address and unit ip address for group 1.

   Anyway this is not the right way to do this.

 

   It will be good if you can use two interfaces. The objective is to be sure master is down before backup router becomes master. If you only use one interface you will lose the vrrp hellos from master on both vrrp groups, and both will become master.

   If you use a single interface, then it's better to use several units and vlan tagging. If there are some problems with the fws vlan then your backup router will not become master if the active vrrp vlan is working properly.

 

   On the other hand, for sure you will have at least two interfaces in your routers. If you use vrrp on both interfaces, then you will synchronize vrrp state for all vrrp groups and interfaces.

  You will have to track the secondary interfaces under your active group. Think you have an "incoming" interface from network, and an "outgoing" interface to fws. You want this router to be master at the "incoming" interface only if "outgoing" interface is up. Active vrrp will be the incoming interface, and the outgoing will inherit the active status. If either of these two interfaces goes down, both will become backup.

 

 

 

 

  

 

Br
Alex

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

If you want to say thanks, the word is Kudos!!.

Thx.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

JNCIA-JUNOS, JNCIS-ENT, JNCIS-SP, JNCIP-SP.
CCNA, CCNP, Written CCIE.
Contributor
alex14
Posts: 12
Registered: ‎04-10-2012
0

Re: vrrp

the config i showed you has one interface on each router. both routers are using the fe-0/3/2 interface.

 

the router is also serving as the firewall and the interfaces would be connected to our internal network and going to the switch.

 

so if that is the case, are you saying i should still have two interfaces on each router for the vrrp?

so would the interface going to the internet connection outside also need vrrp setup?

Trusted Contributor
acecanal

Re: vrrp

I'm sorry, I understand that you plug your vrrp interface to the Fw. So your fe-0/2/0 interface connects to the inner network, and fe-0/3/0, fe-0/3/1 to the outer network through fws. Could you post a show vrrp and show interface terse while having the problems?

Br
Alex

Contributor
alex14

Re: vrrp

these two m7i routers are also serving as our firewall.

yes fe-0/2/0 is connected to the inside and fe-0/3/0 and fe-0/3/1 are connected to the outside.

 

here is the relevant show interface terse, there's other interfaces that are used also:


Interface               Admin Link Proto    Local                 Remote
fe-0/2/0                up    up  
fe-0/2/0.0              up    up   inet     192.168.0.1/24
                                   multiservice
fe-0/3/0                up    up  
fe-0/3/0.0              up    up   inet     4.x.x.x/30  
                                   multiservice
ge-1/3/0                up    up  
ge-1/3/0.0              up    up   inet     209.x.x.x/30
                                   multiservice

show vrrp:

Interface     State       Group   VR state VR Mode   Timer    Type   Address
fe-0/2/0.0    up            100   backup   Active      D  3.219 lcl    192.168.0.1
                                                                vip    192.168.0.100
                                                                mas    192.168.0.2

Trusted Contributor
acecanal

Re: vrrp

Hi Alex, need show vrrp from both routers while both are master.

 

Br
Alex

Contributor
alex14

Re: vrrp

[ Edited ]

the master/master issue only happens when i use the fortigate firewall as a bypass.

 

there is also bgp setup between the two routers and one interface is used for crossover.

 

normally, the backup is fine as a backup and the master is below

 

current master show vrrp:

Interface     State       Group   VR state VR Mode   Timer    Type   Address
fe-0/2/0.0    up            100   master   Active      A  0.660 lcl    192.168.0.2 
                                                                vip    192.168.0.200
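
Added example, not written by either poster: a small Python check that parses `show vrrp` output collected from both routers, in the column layout shown in the posts above, and reports every group and virtual address that more than one router claims as master. The router names `r1`/`r2` and the sample output are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample output in the `show vrrp` layout seen in this thread
# (router names r1/r2 and all values are made up for the example).
R1 = """\
Interface     State       Group   VR state VR Mode   Timer    Type   Address
fe-0/2/0.0    up            100   master   Active      A  0.660 lcl    192.168.0.2
                                                                vip    192.168.0.100
"""
R2 = """\
Interface     State       Group   VR state VR Mode   Timer    Type   Address
fe-0/2/0.0    up            100   master   Active      A  0.412 lcl    192.168.0.1
                                                                vip    192.168.0.100
"""

# First row of a group: interface, state, group, VR state, VR mode, timer, lcl address.
ROW = re.compile(r"^(\S+)\s+(\S+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S)\s+([\d.]+)\s+(lcl)\s+(\S+)")
# Indented continuation rows carry the virtual address (vip) or the current master (mas).
CONT = re.compile(r"^\s+(vip|mas)\s+(\S+)")

def parse_show_vrrp(text):
    """Return one dict per VRRP group row, with continuation lines folded in."""
    groups = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            groups.append({"ifname": m[1], "group": int(m[3]), "vr_state": m[4],
                           "lcl": m[9], "vip": [], "mas": None})
            continue
        c = CONT.match(line)
        if c and groups:
            if c[1] == "vip":
                groups[-1]["vip"].append(c[2])
            else:
                groups[-1]["mas"] = c[2]
    return groups

def find_dual_master(outputs):
    """outputs maps router name -> `show vrrp` text.
    Returns {(group, vip): [routers]} where more than one router is master."""
    masters = defaultdict(list)
    for router, text in outputs.items():
        for g in parse_show_vrrp(text):
            if g["vr_state"] == "master":
                for vip in g["vip"]:
                    masters[(g["group"], vip)].append(router)
    return {k: sorted(v) for k, v in masters.items() if len(v) > 1}

if __name__ == "__main__":
    print(find_dual_master({"r1": R1, "r2": R2}))
```
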

Trusted Contributor
acecanal

Re: vrrp

 It would be good if you could post a diagram of where the fortigate is. If this is between the routers then fw is filtering the vrrp frames. There should be always connectivity through the vrrp interfaces.

 

 Anyway, you could use the connection between those routers as the vrrp primary group. And the other interface will inherit its state. So the backup will become master only if the primary router is down. It doesn't matter if you don't need vrrp on those interfaces, if this is ethernet of course.

Br
Alex

Contributor
alex14

Re: vrrp

we were only testing the fortigate.

the fortigate was between the backup router and the internal switch.

the master was not behind the fortigate so the internal switch goes directly to the master router.

normally the backup router sits the same way and the internal switch goes directly to the backup router as well.

Trusted Contributor
acecanal

Re: vrrp

[ Edited ]

So, you put the fortigate between the router and the switch, so this is in the middle between both routers. This way the fw will filter vrrp.

 

R-backup ---- FW ---- Switch ----- R-Primary

 

Normal scenario

 

  R-Backup ---- Switch ---- R-Primary

Br
Alex

Contributor
alex14

Re: vrrp

[ Edited ]

yes, so you think this scenario would cause the issues i got?

 

since we were only testing the firewall, we allowed any to any so all traffic should pass through.
