[EX] How to Configure, Verify and Troubleshoot VRRP V3 on EX Switches

Knowledge Base ID: KB20640
Last Updated: 11 May 2011
Version: 2.0

Summary:
This article explains VRRP V3 configuration, verification, and troubleshooting on EX Switches.

Problem or Goal:
How to configure, verify, and troubleshoot VRRP V3 on an EX Switch.

Solution:

Setup:


EX8200 (VRRP Master)       EX8200 (VRRP Bk)
                |           |
                |           |
                |           |
                EX4200-Switch

EX8200-A: Port ge-0/0/0 is connected to EX4200
EX8200-B: Port ge-0/0/0 is connected to EX4200
EX4200: VRRP pass-through device

Configuration:


lab@EX8200-A# edit interfaces ge-0/0/0
unit 0 {
    family inet6 {
        address fe80::5:0:0:6/64;
        address fec0::5:0:0:6/64 {
            vrrp-inet6-group 1 {
                virtual-inet6-address fec0::5:0:0:7;
                virtual-link-local-address fe80::5:0:0:7;
                priority 250;
                preempt;
                accept-data;
            }
        }
    }
}



lab@EX8200-B# edit interfaces ge-0/0/0
unit 0 {
    family inet6 {
        address fe80::5:0:0:8/64;
        address fec0::5:0:0:8/64 {
            vrrp-inet6-group 1 {
                virtual-inet6-address fec0::5:0:0:7;
                virtual-link-local-address fe80::5:0:0:7;
                priority 200;
                preempt;
                accept-data;
            }
        }
    }
}

EX4200 Config:

set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members v10
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members v10
set vlans v10 vlan-id 10

Verification:

lab@EX8200-B# run show vrrp
Interface     State   Group   VR state   Timer      Type   Address
ge-0/0/0.0    up      1       master     A 0.315    lcl    fec0::5:0:0:6
                                                    vip    fe80::5:0:0:7
                                                    vip    fec0::5:0:0:7

lab@EX8200-A# run show vrrp
Interface     State   Group   VR state   Timer      Type   Address
ge-0/0/0.0    up      1       backup     D 3.021    lcl    fec0::5:0:0:8
                                                    vip    fe80::5:0:0:7
                                                    vip    fec0::5:0:0:7
                                                    mas    fe80::5:0:0:6



lab@EX8200-A# run monitor traffic interface ge-0/0/0
verbose output suppressed, use <detail> or <extensive> for full protocol decode
Address resolution is ON. Use <no-resolve> to avoid any reverse lookup delay.
Address resolution timeout is 4s.
Listening on ge-2/0/0, capture size 96 bytes

Reverse lookup for ff02::12 failed (check DNS reachability).
Other reverse lookup failures will not be reported.
Use <no-resolve> to avoid reverse lookups on IP addresses.

07:07:46.769717 Out IP6 truncated-ip6 - 20 bytes missing!fe80::5:0:0:6 > ff02::12: ip-proto-112 40 ==> Master router is sending the VRRP IPV6 packets
07:07:47.582581 Out IP6 truncated-ip6 - 20 bytes missing!fe80::5:0:0:6 > ff02::12: ip-proto-112 40
07:07:48.498432 Out IP6 truncated-ip6 - 20 bytes missing!fe80::5:0:0:6 > ff02::12: ip-proto-112 40
07:07:49.465280 Out IP6 truncated-ip6 - 20 bytes missing!fe80::5:0:0:6 > ff02::12: ip-proto-112 40


lab@EX8200-B# run monitor traffic interface ge-0/0/0
verbose output suppressed, use <detail> or <extensive> for full protocol decode
Address resolution is ON. Use <no-resolve> to avoid any reverse lookup delay.
Address resolution timeout is 4s.
Listening on ge-0/0/0, capture size 96 bytes

Reverse lookup for ff02::12 failed (check DNS reachability).
Other reverse lookup failures will not be reported.
Use <no-resolve> to avoid reverse lookups on IP addresses.

06:03:06.375509 In IP6 fe80::5:0:0:6 > ff02::12: ip-proto-112 40
06:03:07.358357 In IP6 fe80::5:0:0:6 > ff02::12: ip-proto-112 40  ===> Backup router is receiving the VRRP IPV6 packets from Master
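
To check a longer capture than the few lines shown above, the following sketch (an added example, not part of the original article and not Juniper code) parses `monitor traffic` lines in this format, flags any advertiser other than the expected master, and flags silent periods longer than the backup's Master_Down_Interval from RFC 5798. The 1-second advertisement interval, the sample lines, and the function names `parse` and `audit` are assumptions.

```python
import ipaddress
import re
from datetime import datetime

# Constructed sample in the capture format shown above; the 4.5 s gap and
# the second advertiser (fe80::5:0:0:99) are made up for illustration.
SAMPLE = """\
06:03:06.375509 In IP6 fe80::5:0:0:6 > ff02::12: ip-proto-112 40
06:03:07.358357 In IP6 fe80::5:0:0:6 > ff02::12: ip-proto-112 40
06:03:08.341100 In IP6 fe80::5:0:0:6 > ff02::12: ip-proto-112 40
06:03:12.900000 In IP6 fe80::5:0:0:6 > ff02::12: ip-proto-112 40
06:03:13.100000 In IP6 fe80::5:0:0:99 > ff02::12: ip-proto-112 40
"""

# VRRPv3 over IPv6: protocol 112 sent to ff02::12. "Out" lines may carry the
# "truncated-ip6 - N bytes missing!" prefix glued to the source address.
ADVERT = re.compile(
    r"(?P<ts>\d\d:\d\d:\d\d\.\d{1,6}) (?P<dir>In|Out) IP6 "
    r"(?:truncated-ip6 - \d+ bytes missing!)?"
    r"(?P<src>[0-9A-Fa-f:]+) > ff02::12: ip-proto-112 \d+")

def parse(text):
    """Return (seconds_since_midnight, direction, source) per advertisement."""
    rows = []
    for line in text.splitlines():
        m = ADVERT.match(line.strip())
        if m:
            t = datetime.strptime(m["ts"], "%H:%M:%S.%f")
            secs = t.hour * 3600 + t.minute * 60 + t.second + t.microsecond / 1e6
            rows.append((secs, m["dir"], str(ipaddress.ip_address(m["src"]))))
    return rows

def audit(text, expected_master, adv_interval=1.0, backup_priority=200):
    """Flag advertisers other than the expected master and silent periods
    longer than the backup's Master_Down_Interval (RFC 5798)."""
    skew = (256 - backup_priority) * adv_interval / 256  # Skew_Time
    master_down = 3 * adv_interval + skew                # Master_Down_Interval
    master = str(ipaddress.ip_address(expected_master))
    rows = parse(text)
    unexpected = sorted({src for _, _, src in rows if src != master})
    times = [t for t, _, src in rows if src == master]
    gaps = []
    for prev, cur in zip(times, times[1:]):
        delta = (cur - prev) % 86400  # timestamps carry no date; wrap at midnight
        if delta > master_down:
            gaps.append((prev, round(delta, 6)))
    return {"master_down": master_down, "unexpected": unexpected, "gaps": gaps}

if __name__ == "__main__":
    print(audit(SAMPLE, "fe80::5:0:0:6"))
```

An entry in `unexpected` means a second device on the VLAN is advertising for the group; an entry in `gaps` means the backup would have declared the master down during that period.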

Troubleshooting:

  • Double-check the topology.
  • Confirm the VRRP V3 configuration.
  • Check that the VRRP hello is being sent by the Master and received by the Backup (Bk), using the monitor command on both the Master and the Backup (Bk).
If you suspect that the Backup (Bk) is not receiving the hello, or that the Master is not sending it, a firewall filter can be used to confirm.
  • Apply a firewall filter on ingress of the EX4200 port facing EX8200-A to see whether the hello from the VRRP Master is being received (check that the firewall filter counter is increasing):
lab@EX4200-A# set firewall family ethernet-switching filter vrrp-Master term 1 from destination-mac-address <VRRP hello MC mac>
lab@EX4200-A# set firewall family ethernet-switching filter vrrp-Master term 1 then count hello-in
lab@EX4200-A# set interfaces ge-0/0/0 unit 0 family ethernet-switching filter input vrrp-Master
  • Apply a firewall filter on egress of the EX4200 port facing EX8200-B to see whether the hello from the VRRP Master is being sent (check that the firewall filter counter is increasing):
lab@EX4200-A# set firewall family ethernet-switching filter vrrp-BK term 1 from destination-mac-address <VRRP hello MC mac>
lab@EX4200-A# set firewall family ethernet-switching filter vrrp-BK term 1 then count hello-out
lab@EX4200-A# set interfaces ge-0/0/0 unit 0 family ethernet-switching filter output vrrp-BK

NOTE:
There is a known issue, PR/588712, in which an EX4200 switch does not forward VRRPv3 advertisements on a Layer 2 VLAN on which IGMP snooping is enabled.
The workaround is to "disable igmp-snooping" and "configure firewall filter with log action to allow the Multicast MAC address". This issue is noted in the link listed below and is fixed in Junos Software Releases 10.4R4, 11.1R2, and later.

Firewall Filter for Multicast MAC address VRRP:

show firewall family ethernet-switching filter MAC_MULTICAST
term 10 {
    from {
        destination-mac-address {
            FF02:0:0:0:0:0:XXXX:XXXX;
        }
    }
    then {
        accept;
        log;
        count MC;
    }
}
term 20 {
    then accept;
}
 

Purpose:
Configuration
Implementation
Troubleshooting

Related Links:

 

 

Copyright© 1999-2012 Juniper Networks, Inc. All rights reserved.