[Contrail] How to configure Allowed Address Pair with/without virtual MAC address


Article ID: KB35962   KB Last Updated: 19 Jul 2021   Version: 3.0

Summary:

This article describes how to configure Allowed Address Pair (AAP) in the Contrail web UI for two different scenarios.

Symptoms:

When Active/Standby high availability (HA) is used for VNFs of the same service chain, an HA feature outside Contrail is required to achieve the scenario. As a possible solution, the setup must provide a virtual IP (VIP) address and a corresponding MAC address. Configuring the Allowed Address Pair (AAP) feature exposes the VIP and makes it available for use.

For a brief introduction of AAP, refer to Service Chain Active-Standby Mode with Allowed Address Pair. For configuration via CLI, refer to KB33573 - Configuring and verifying AAP from CLI.

Solution:

There are two options for the MAC address, depending on the HA feature in use, such as PCS (Pacemaker + Corosync) or VRRP. PCS is a server-side clustering package and does not have a virtual MAC address, whereas VRRP, a well-known router feature, has a virtual MAC address with the VRRP group ID.

The GUI configuration for each of the two scenarios is described below.


Scenario 1

HA clustering without virtual MAC address

This scenario uses PCS on CentOS 7 as the example HA software. The following settings have already been configured, and VM-a, the primary node, holds the VIP address.

VM-a: IP=10.1.0.6 MAC=00:66:66:66:66:66
VM-b: IP=10.1.0.7 MAC=00:77:77:77:77:77
VIP:  10.1.0.99

Notes

  • Without a virtual MAC address, the setting does not work in earlier releases such as Contrail 3.x.
  • The GUI screenshots in this article were collected using Contrail R1909. The wording, field order, and design might differ in other versions.

[root@vm-a ~]# pcs status
Cluster name:
<snip>
Online: [ vm-a vm-b ]
 
Full list of resources:
 VIP    (ocf::heartbeat:IPaddr2):       Started vm-a
 
Daemon Status:
  corosync: active/enabled
  pacemaker: active/enabled
  pcsd: active/enabled

[root@vm-a ~]# ip a show eth0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:66:66:66:66:66 brd ff:ff:ff:ff:ff:ff
    inet 10.1.0.6/24 brd 10.1.0.255 scope global noprefixroute eth0
       valid_lft forever preferred_lft forever
    inet 10.1.0.99/24 brd 10.1.0.255 scope global secondary eth0   <<<< VIP is in VM-a's interface.
       valid_lft forever preferred_lft forever
 
[root@vm-b ~]# ip a show eth0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:77:77:77:77:77 brd ff:ff:ff:ff:ff:ff
    inet 10.1.0.7/24 brd 10.1.0.255 scope global noprefixroute eth0
       valid_lft forever preferred_lft forever

At this point, the VIP does not yet respond to ping from another host.

$ ping 10.1.0.99
PING 10.1.0.99 (10.1.0.99): 56 data bytes
^C
--- 10.1.0.99 ping statistics ---
2 packets transmitted, 0 packets received, 100% packet loss
$
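
As an added example (not part of the original article), the shell function below reads `ip a` output and lists every IPv4 address that is neither the port's own IP nor an existing AAP entry, together with the interface MAC that currently carries it. The function names and the embedded sample, constructed from the VM-a output above, are assumptions for illustration.

```shell
#!/bin/sh
# Added example: find guest addresses that still need an AAP entry.

# aap_candidates <port_fixed_ip> [existing_aap_ip ...]
# Reads `ip a` / `ip a show <dev>` output on stdin and prints
# "<dev> <ip> <mac>" for each IPv4 address that is not in the argument list.
aap_candidates() {
    awk -v allowed=" $* " '
        /^[0-9]+: /        { dev = $2; sub(/:$/, "", dev); mac = "" }  # new interface
        $1 == "link/ether" { mac = $2 }                               # its hardware MAC
        $1 == "inet" {
            split($2, a, "/")                                         # drop prefix length
            if (dev != "lo" && index(allowed, " " a[1] " ") == 0)
                print dev, a[1], mac
        }'
}

# Constructed sample input: VM-a's `ip a show eth0` output from this article.
sample_vm_a() {
cat <<'EOF'
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:66:66:66:66:66 brd ff:ff:ff:ff:ff:ff
    inet 10.1.0.6/24 brd 10.1.0.255 scope global noprefixroute eth0
       valid_lft forever preferred_lft forever
    inet 10.1.0.99/24 brd 10.1.0.255 scope global secondary eth0
       valid_lft forever preferred_lft forever
EOF
}

# Only the port's fixed IP is known: the VIP is reported as uncovered.
sample_vm_a | aap_candidates 10.1.0.6             # -> eth0 10.1.0.99 00:66:66:66:66:66

# With 10.1.0.99 listed as an AAP entry, nothing is reported.
sample_vm_a | aap_candidates 10.1.0.6 10.1.0.99
```

On a live guest, pipe the real command instead of the sample, for example `ip a show eth0 | aap_candidates 10.1.0.6`.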

To configure AAP, navigate to Configure > Ports > Gear icon > Edit for the Virtual Machine Interface (VMI) IP address of the target VM.