Routing
Contributor
Posts: 12
Registered: ‎04-10-2012
0 Kudos

vrrp

I have 2 Juniper M7is set up with BGP and VRRP, and when I unplug one of the interfaces on the backup router, for some reason, that router becomes the master VRRP and I have no idea why. Can someone help me? Thanks!

 

router 1

 

interfaces {
    fe-0/2/0 {
        unit 0 {
            description "Local LAN 192 vrrp";
            family inet {
                filter {
                    output ioffer-inbound;
                }
                address 192.168.0.1/24 {
                    vrrp-group 100 {
                        virtual-address 192.168.0.100;
                        priority 110;
                        preempt;
                        accept-data;
                        track {
                            interface fe-0/3/0 {
                                priority-cost 50;
                            }
                            interface fe-0/3/1 {
                                priority-cost 50;
                            }
                        }
                    }
                }
            }
        }
    }
}

 

Router 2

 

interfaces {
    fe-0/2/0 {
        unit 0 {
            description "Local LAN 192 vrrp Network";
            family inet {
                filter {
                    output ioffer-inbound;
                }
                address 192.168.0.2/24 {
                    vrrp-group 100 {
                        virtual-address 192.168.0.100;
                        priority 100;
                        preempt;
                        accept-data;
                        track {
                            interface fe-0/3/0 {
                                priority-cost 50;
                            }
                            interface ge-1/3/0 {
                                priority-cost 50;
                            }
                        }
                    }
                }
            }
        }
    }
}

Juniper Employee
Posts: 22
Registered: ‎04-28-2008
0 Kudos

Re: vrrp

Hi Alex,

 

  1. Do you see the issue when you unplug *any* interface, or only specific tracking interfaces? Is this consistent?
  2. Any other protocol flaps?
  3. How about the CPU utilization after you unplug?

It may be becoming master when it's not seeing the VRRP hello from the master, so it may be dropping the incoming VRRP hellos!

You can take a tcpdump from both ends at that point and check.

 

- Arun Kumar S
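
Added example (not part of the original thread): one way to check a capture such as the tcpdump suggested above for two routers that both believe they are master. It parses VRRPv2 advertisements from raw IPv4 packets and flags a group whose advertisements alternate between two sources; the packets are constructed from the thread's addresses, and `make_advert`, `parse_advert` and `dual_master_vrids` are hypothetical helper names.

```python
import socket
import struct
from collections import defaultdict

VRRP_PROTO, VRRP_GROUP = 112, "224.0.0.18"  # IP protocol number, multicast group

def csum(data: bytes) -> int:
    """16-bit one's-complement checksum over the VRRPv2 message (RFC 3768)."""
    data += b"\0" * (len(data) % 2)
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def make_advert(src, vrid, prio, vip, ttl=255):  # builds constructed sample packets only
    body = struct.pack("!BBBBBBH4s8x", 0x21, vrid, prio, 1, 0, 1, 0, socket.inet_aton(vip))
    body = body[:6] + struct.pack("!H", csum(body)) + body[8:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0xC0, 20 + len(body), 0, 0, ttl, VRRP_PROTO, 0,
                     socket.inet_aton(src), socket.inet_aton(VRRP_GROUP))
    return ip + body  # IPv4 header checksum is left 0 and is not verified below

def parse_advert(pkt: bytes):
    """Return (src, vrid, priority), or None if not a valid VRRPv2 advertisement."""
    if len(pkt) < 28 or pkt[0] >> 4 != 4:
        return None
    body = pkt[(pkt[0] & 0x0F) * 4:]
    if pkt[9] != VRRP_PROTO or pkt[8] != 255 or len(body) < 8:  # receivers require TTL 255
        return None
    if body[0] != 0x21 or csum(body) != 0:  # version 2, type 1; checksum must verify
        return None
    return socket.inet_ntoa(pkt[12:16]), body[1], body[2]

def dual_master_vrids(capture, window=3.0):
    """Flag a VRID when source A advertises, then B, then A again within `window` s."""
    history, flagged = defaultdict(list), defaultdict(set)
    for ts, pkt in capture:
        adv = parse_advert(pkt)
        if adv is None:
            continue
        src, vrid, _ = adv
        recent = [(t, s) for t, s in history[vrid] if ts - t <= window]
        others = [t for t, s in recent if s != src]
        if others and any(s == src and t < max(others) for t, s in recent):
            flagged[vrid].update(s for _, s in recent)
        history[vrid] = recent + [(ts, src)]
    return {vrid: sorted(srcs) for vrid, srcs in flagged.items()}

SPLIT = [(t * 0.5, make_advert(f"192.168.0.{1 + t % 2}", 100, 110 - 10 * (t % 2), "192.168.0.100"))
         for t in range(6)]  # constructed capture: both thread addresses advertise group 100
```

Only the master sends advertisements, so a clean handover (old master stops, new one starts) is not flagged; sustained alternation is.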

Contributor
Posts: 19
Registered: ‎01-20-2011
0 Kudos

Re: vrrp

Hi, which interface did you unplug?

Is it one of the track interfaces?

-= JNCIP-SP JNCIS-M/T JNCIS-ENT JNCIA-ER JNCIA-FWV JNSS-ANI JNSS-R=-
Contributor
Posts: 12
Registered: ‎04-10-2012
0 Kudos

Re: vrrp

Yes, I am unplugging one of the tracked interfaces.

No other protocols flap and CPU load does not change.

 

Contributor
Posts: 19
Registered: ‎01-20-2011
0 Kudos

Re: vrrp

Hi,

Have you tried changing the priority-cost of one of the interfaces?

For example:

interface fe-0/3/0 in router 1 priority-cost 50

interface fe-0/3/0 in router 2 priority-cost 100

Then let's see what happens.

 

Contributor
Posts: 12
Registered: ‎04-10-2012
0 Kudos

Re: vrrp

The fe-0/3/0 interfaces on both routers are connected to different lines.

What I did try was to set the priority-cost of both tracked interfaces on the backup router to 10:

                        track {         
                            interface fe-0/3/0 {
                                priority-cost 10;
                            }
                            interface ge-1/3/0 {
                                priority-cost 10;
                            }
                        }

 

And now it doesn't happen, but I still don't really know why.

Contributor
Posts: 19
Registered: ‎01-20-2011
0 Kudos

Re: vrrp

And now is it running well?

Weird, huh :P

Contributor
Posts: 12
Registered: ‎04-10-2012
0 Kudos

Re: vrrp

We are trying to set up a Fortinet firewall behind our two M7i routers, and for testing, when I unplug the backup VRRP interface and plug it into the Fortinet firewall to bypass, it becomes active.

The original active router stays active, but the backup router becomes active as well.

I assume it's not normal to have both VRRP routers as master? In the Juniper logs, I am seeing that the VRRP advertisements are going through, but I'm not sure why the backup is becoming active.

When I plug it back the way it was, it becomes backup again.

Trusted Contributor
Posts: 150
Registered: ‎07-05-2011
0 Kudos

Re: vrrp

 

  Hi Alex.

  You can't plug the backup interface in again, otherwise it will become VRRP master, because this link is active but it doesn't see any other VRRP router on that link.

  If you want to be sure it will never become master, you will have to add another interface between R1 and R2. Create another VRRP group, and join all VRRP groups with the inherit command, as in the following example but using several units or interfaces.

  What vrrp-inherit-from will do is group the status of all VRRP groups, so R1 or R2 will be master or backup for all groups and interfaces at the same time. This way, if the backup router is reachable through some other interface, it will not become master while it sees the master router through that interface. So the master router will always be master, and the backup will always be backup, unless it doesn't see the master router through any interface.

 

unit 0 {
    family inet {
        address 10.10.10.1/24 {
            vrrp-group 2 {
                virtual-address 10.10.10.10;
            }
        }
        address 20.20.20.1/24 {
            vrrp-group 1 {
                virtual-address 20.20.20.20;
                vrrp-inherit-from {
                    active-interface ge-0/2/0.0;
                    active-group 2;
                }
            }
        }
    }
}

 

 

 

 

Br
Alex

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

If you want to say thanks, the word is Kudos!!.

Thx.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

JNCIA-JUNOS, JNCIS-ENT, JNCIS-SP, JNCIP-SP.
CCNA, CCNP, Written CCIE.
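
Added example (not from the thread or from Junos): a small model of the RFC 3768 Backup-state timer with Junos-style priority-cost subtraction, showing that a backup takes over when the master's advertisements stop reaching it, whatever its tracked priority is. The class and function names are hypothetical, the sample values are taken from router 2's configuration earlier in the thread, and the floor of 1 on the effective priority is an assumption of this model.

```python
from dataclasses import dataclass, field

ADVERT_INTERVAL = 1.0  # seconds (VRRPv2 default)

@dataclass
class VrrpRouter:
    name: str
    priority: int                                 # configured "priority"
    track: dict = field(default_factory=dict)     # tracked interface -> priority-cost
    down: set = field(default_factory=set)        # tracked interfaces currently down
    preempt: bool = True

    @property
    def effective_priority(self) -> int:
        cost = sum(c for ifname, c in self.track.items() if ifname in self.down)
        return max(1, self.priority - cost)       # floor of 1 is an assumption of this model

    @property
    def skew_time(self) -> float:
        return (256 - self.effective_priority) / 256

    @property
    def master_down_interval(self) -> float:
        return 3 * ADVERT_INTERVAL + self.skew_time

def backup_becomes_master_at(backup, adverts, horizon=10.0):
    """Apply the RFC 3768 Backup-state rules to the (time, priority) advertisements that
    reach `backup`; return when its Master_Down_Timer fires, or None within `horizon`."""
    deadline = backup.master_down_interval
    for ts, prio in sorted(adverts):
        if ts >= deadline:
            break                                  # timer already fired: now master
        if prio == 0:
            deadline = ts + backup.skew_time       # master is resigning
        elif not backup.preempt or prio >= backup.effective_priority:
            deadline = ts + backup.master_down_interval
        # otherwise the lower-priority advert is discarded and the timer keeps running
    return deadline if deadline <= horizon else None

# Constructed scenario: router 2 from the thread with one tracked interface unplugged.
ROUTER2 = VrrpRouter("router2", 100, {"fe-0/3/0": 50, "ge-1/3/0": 50}, down={"fe-0/3/0"})
HEARD = [(float(t), 110) for t in range(1, 10)]   # master's adverts reach the backup
FILTERED = []                                     # nothing reaches it (e.g. dropped in path)
```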
Contributor
Posts: 12
Registered: ‎04-10-2012
0 Kudos

Re: vrrp

I'm not sure if I completely understand it. Is the below sample config right?

So would the master and backup have their own vrrp-group first, and then share a vrrp-group to track the active route?

So if I wanted to make the backup router the master, would I just change the active-group #?

Thanks

 

active router
    fe-0/3/2 {
        unit 0 {
            family inet {
                address 192.168.0.1/24 {
                    vrrp-group 2 {
                        virtual-address 192.168.0.100;
                        priority 100;
                        preempt;
                        accept-data;
                    }
                }
                address 192.168.2.1/24 {
                    vrrp-group 1 {
                        virtual-address 192.168.0.200;
                        vrrp-inherit-from {
                            active-interface ge-0/3/2.0;
                            active-group 2;
                        }
                    }
                }
            }
        }
    }

backup router
    fe-0/3/2 {
        unit 0 {
            family inet {
                address 192.168.0.2/24 {
                    vrrp-group 3 {
                        virtual-address 192.168.0.100;
                        priority 110;
                        preempt;
                        accept-data;
                    }
                }
                address 192.168.2.2/24 {
                    vrrp-group 1 {
                        virtual-address 192.168.0.200;
                        vrrp-inherit-from {
                            active-interface ge-0/3/2.0;
                            active-group 2;
                        }
                    }
                }
            }
        }
    }



Trusted Contributor
Posts: 150
Registered: ‎07-05-2011
0 Kudos

Re: vrrp

  The VRRP inherit is like a "follow the leader". There will be the active or main group under an active interface. If this is master, the follower VRRP group will be master regardless of its priority.

  But if the active group becomes backup for any reason, a tracked interface or route, the follower will become backup.

  Your configuration is right, except that you mix fe- and ge- interfaces, and you use a different VRRP address and unit IP address for group 1.

  Anyway, this is not the right way to do this.

  It will be good if you can use two interfaces. The objective is to be sure the master is down before the backup router becomes master. If you only use one interface, you will lose the VRRP hellos from the master on both VRRP groups, and both will become master.

  If you use a single interface, then it's better to use several units and VLAN tagging. If there are some problems with the FWs VLAN, then your backup router will not become master if the active VRRP VLAN is working properly.

  On the other hand, for sure you will have at least two interfaces in your routers. If you use VRRP on both interfaces, then it will synchronize the VRRP state for all VRRP groups and interfaces.

  You will have to track the secondary interfaces under your active group. Think of it as having an "incoming" interface from the network and an "outgoing" interface to the FWs. You want this router to be master at the "incoming" interface only if the "outgoing" interface is up. The active VRRP will be the incoming interface, and the outgoing will inherit the active status. If either of these two interfaces goes down, both will become backup.

 

 

 

 

  

 

Br
Alex

Contributor
Posts: 12
Registered: ‎04-10-2012
0 Kudos

Re: vrrp

The config I showed you has one interface on each router. Both routers are using the fe-0/3/2 interface.

The router is also serving as the firewall, and the interfaces would be connected to our internal network and going to the switch.

So if that is the case, are you saying I should still have two interfaces on each router for the VRRP?

So would the interface going to the internet connection outside also need VRRP set up?

Trusted Contributor
Posts: 150
Registered: ‎07-05-2011
0 Kudos

Re: vrrp

I'm sorry, I understand that you plug your VRRP interface into the FW. So your fe-0/2/0 interface connects to the inner network, and fe-0/3/0 and fe-0/3/1 to the outer network through the FWs. Could you post a show vrrp and show interface terse while having the problems?

Br
Alex

Contributor
Posts: 12
Registered: ‎04-10-2012
0 Kudos

Re: vrrp

These two M7i routers are also serving as our firewall.

Yes, fe-0/2/0 is connected to the inside and fe-0/3/0 and fe-0/3/1 are connected to the outside.

Here is the relevant show interface terse; there are other interfaces that are used also:


Interface               Admin Link Proto    Local                 Remote
fe-0/2/0                up    up  
fe-0/2/0.0              up    up   inet     192.168.0.1/24
                                   multiservice
fe-0/3/0                up    up  
fe-0/3/0.0              up    up   inet     4.x.x.x/30  
                                   multiservice
ge-1/3/0                up    up  
ge-1/3/0.0              up    up   inet     209.x.x.x/30
                                   multiservice

show vrrp:

Interface     State       Group   VR state VR Mode   Timer    Type   Address
fe-0/2/0.0    up            100   backup   Active      D  3.219 lcl    192.168.0.1
                                                                vip    192.168.0.100
                                                                mas    192.168.0.2

Trusted Contributor
Posts: 150
Registered: ‎07-05-2011
0 Kudos

Re: vrrp

Hi Alex, I need show vrrp from both routers while both are master.

 

Br
Alex

Contributor
Posts: 12
Registered: ‎04-10-2012
0 Kudos

Re: vrrp

[ Edited ]

The master/master issue only happens when I use the Fortigate firewall as a bypass.

There is also BGP set up between the two routers, and one interface is used for crossover.

Normally, the backup is fine as a backup and the master is below.

 

current master show vrrp:

Interface     State       Group   VR state VR Mode   Timer    Type   Address
fe-0/2/0.0    up            100   master   Active      A  0.660 lcl    192.168.0.2 
                                                                vip    192.168.0.200

Trusted Contributor
Posts: 150
Registered: ‎07-05-2011
0 Kudos

Re: vrrp

 It would be good if you could post a diagram of where the Fortigate is. If this is between the routers, then the FW is filtering the VRRP frames. There should always be connectivity through the VRRP interfaces.

 Anyway, you could use the connection between those routers as the VRRP primary group, and the other interface will inherit its state. So the backup will become master only if the primary router is down. It doesn't matter if you don't need VRRP on those interfaces, if this is Ethernet of course.

Br
Alex

Contributor
Posts: 12
Registered: ‎04-10-2012
0 Kudos

Re: vrrp

We were only testing the Fortigate.

The Fortigate was between the backup router and the internal switch.

The master was not behind the Fortigate, so the internal switch goes directly to the master router.

Normally the backup router sits the same way and the internal switch goes directly to the backup router as well.

Trusted Contributor
Posts: 150
Registered: ‎07-05-2011
0 Kudos

Re: vrrp

[ Edited ]

So, you put the Fortigate between the router and the switch, so it is in the middle between both routers. This way the FW will filter VRRP.

 

R-backup ---- FW ---- Switch ----- R-Primary

 

Normal scenario

 

  R-Backup ---- Switch ---- R-Primary

Br
Alex

Contributor
Posts: 12
Registered: ‎04-10-2012
0 Kudos

Re: vrrp

[ Edited ]

Yes, so you think this scenario would cause the issues I got?

Since we were only testing the firewall, we allowed any to any, so all traffic should pass through.