[ScreenOS] How to configure HSRP and VRRP on ScreenOS devices that are running in the Transparent mode?

Article ID: KB7109    KB Last Updated: 27 Dec 2017    Version: 7.0
Summary:
This article provides information on how to configure HSRP and VRRP on ScreenOS devices that are running in the Transparent mode.
Symptoms:
Environment:

HSRP and VRRP send keepalive messages to a multicast IP address.

Symptoms and errors:

The backup device drops all the received traffic from the switch that is flooding HSRP or VRRP traffic.
Solution:

Hot Standby Router Protocol (HSRP) is a Cisco proprietary redundancy protocol that is used to establish a fault-tolerant default gateway. It is described in detail in RFC 2281. The protocol establishes a framework between network routers to achieve default gateway failover if the primary gateway becomes inaccessible.

Virtual Router Redundancy Protocol (VRRP) is a computer networking protocol that provides automatic assignment of available Internet Protocol (IP) routers to participating hosts. This increases the availability and reliability of routing paths via automatic default gateway selections on an IP subnetwork. VRRP is based on Cisco's proprietary Hot Standby Router Protocol (HSRP) concepts. The protocols, while similar in concept, are not compatible.

For more information, refer to KB10892 - [ScreenOS] Is Virtual Router Redundancy Protocol (VRRP) supported on Juniper firewalls?

Ethernet frames originating from HSRP routers are sourced from the physical MAC address of each router's interface. Ethernet frames from a VRRP router should be sourced from the virtual MAC address, but not all vendors implement it this way. An ARP request for an HSRP or VRRP virtual IP address is answered with the virtual MAC address, so that hosts can send traffic to the active group member. Transparent switches build their forwarding table by learning the source MAC address of each frame they receive.

Without a FIB or CAM table entry for the virtual MAC address, a switch floods frames directed to the virtual IP address out of all interfaces except the one on which each frame was received. To let the switch learn the location of the virtual MAC address, which may never appear as the source of a payload frame, the active HSRP or VRRP router sends Hello messages with the virtual MAC address as the source. Blocking HSRP or VRRP messages in the firewall prevents downstream switches from learning the location of the active router. The consequence is that downstream switches flood traffic directed to these routers out of all interfaces, instead of forwarding it only to the firewall.

Because every device on that VLAN then receives every IP packet (directed to another subnet) from every other device on that VLAN, the network stack on servers may become overloaded. For example, CPU exhaustion may be caused on an NSRP firewall in backup mode, because the backup firewall drops all traffic that is not directed to its management interface instead of setting up a session and switching the traffic. Dropping packets in backup mode is itself resource intensive and can cause high CPU usage on the backup NSRP device, particularly on high-performance ASIC platforms.

HSRP and VRRP address this issue by sending keepalive messages to a multicast IP address, sourced from the cluster (virtual) MAC address, to notify switches of the return path.

To allow HSRP and VRRP Hello messages to pass a ScreenOS firewall that is running in transparent mode, you have to configure a rule that permits them through the firewall. When the HSRP router is behind v1-untrust and the protected hosts are in v1-trust, create the HSRP address object in v1-trust and in any other zone, if configured:

set address v1-trust hsrp 224.0.0.2/32
set service hsrp protocol udp src-port 1985-1985 dst-port 1985-1985
set policy top from v1-untrust to v1-trust any hsrp hsrp permit

Similarly, you can configure a VRRP rule from the firewall zone on which the routers are located to all other zones. Even though VRRP routers send gratuitous ARPs to signal a switchover, the firewall rule ensures that the FIB/CAM table entries learned from those gratuitous ARPs are kept refreshed:

set address v1-trust vrrp 224.0.0.18/32
set service vrrp protocol 112 src-port 0-65535 dst-port 0-65535
set policy top from v1-untrust to v1-trust any vrrp vrrp permit

A return policy for Hellos is not required, because the Hellos do not actually need to pass the firewall to reach the peer router; they are already exchanged within the broadcast domain to which the two routers are connected. The rule is present only to allow the firewall and the switches behind it to learn the location of the active router. You can also configure a global policy, which is processed after all interzone rules and is valid for all zone combinations:

To permit HSRP in a transparent mode device:

set address global hsrp 224.0.0.2/32
set service hsrp protocol udp src-port 1985-1985 dst-port 1985-1985
set policy top global any hsrp hsrp permit

To permit VRRP traffic:

set address global vrrp 224.0.0.18/32
set service vrrp protocol 112 src-port 0-65535 dst-port 0-65535
set policy top global any vrrp vrrp permit

Note:

  • HSRP routers send their hello messages to the '224.0.0.2' (all routers) multicast address for version 1, or to '224.0.0.102' for version 2, using 'UDP port 1985' to other HSRP-enabled routers; these messages establish the priority between the routers.

  • VRRP routers within a virtual router communicate using hello packets sent to the 224.0.0.18 multicast IP address with IP protocol number '112'.
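To see what the interzone rules above actually permit, the following added example (written for this article; it is not ScreenOS code and only a simplified model of first-match policy lookup) parses the `set address`, `set service` and `set policy` lines from this page and tests constructed HSRP and VRRP hello packets against them. It also shows that the rule for 224.0.0.2 covers HSRP version 1 only; a version 2 hello to 224.0.0.102 would need its own address object. The zone names and hello packets are taken from the article; the packet tuples are constructed test input.

```python
import ipaddress

def parse_config(lines):
    # Addresses keyed by (zone, name); services as (proto, lo, hi) of dst-port;
    # policies as (from_zone, to_zone, src, dst, service, action). 'top' only orders rules.
    addresses, services, policies = {}, {}, []
    for line in lines:
        t = [w for w in line.split() if w != "top"]
        if t[1] == "address":                  # set address <zone> <name> <prefix>
            addresses[(t[2], t[3])] = ipaddress.ip_network(t[4])
        elif t[1] == "service":                # set service <name> protocol <p> src-port a-b dst-port c-d
            lo, hi = (int(x) for x in t[8].split("-"))
            services[t[2]] = ({"udp": 17, "tcp": 6}.get(t[4]) or int(t[4]), lo, hi)
        elif t[1] == "policy":                 # set policy [from z1 to z2 | global] <src> <dst> <svc> <action>
            policies.append(("global", "global", *t[3:7]) if t[2] == "global" else (t[3], t[5], *t[6:10]))
    return addresses, services, policies

def permits(config, src_zone, dst_zone, dst_ip, proto, dst_port=None):
    # First matching policy decides; with no match the firewall does not pass the packet.
    addresses, services, policies = config
    for fz, tz, _src, dst, svc, action in policies:
        if fz != "global" and (fz, tz) != (src_zone, dst_zone):
            continue
        net = addresses.get(("global" if fz == "global" else tz, dst))
        if dst != "any" and (net is None or ipaddress.ip_address(dst_ip) not in net):
            continue
        sproto, lo, hi = services[svc]
        if proto != sproto or (sproto in (6, 17) and not lo <= dst_port <= hi):
            continue                           # ports only matter for TCP/UDP services
        return action == "permit"
    return False

ARTICLE_CONFIG = parse_config([                # the interzone rules from this article
    "set address v1-trust hsrp 224.0.0.2/32",
    "set service hsrp protocol udp src-port 1985-1985 dst-port 1985-1985",
    "set policy top from v1-untrust to v1-trust any hsrp hsrp permit",
    "set address v1-trust vrrp 224.0.0.18/32",
    "set service vrrp protocol 112 src-port 0-65535 dst-port 0-65535",
    "set policy top from v1-untrust to v1-trust any vrrp vrrp permit",
])

def check_hellos(config):
    # Constructed hellos per the Note: HSRP v1/v2 use UDP 1985, VRRP uses IP protocol 112.
    z = ("v1-untrust", "v1-trust")
    return {
        "hsrp_v1": permits(config, *z, "224.0.0.2", 17, 1985),
        "hsrp_v2": permits(config, *z, "224.0.0.102", 17, 1985),   # no object for 224.0.0.102
        "vrrp": permits(config, *z, "224.0.0.18", 112),
        "return_path": permits(config, "v1-trust", "v1-untrust", "224.0.0.2", 17, 1985),
    }
```

`check_hellos(ARTICLE_CONFIG)` returns True for hsrp_v1 and vrrp, False for hsrp_v2, and False for the return direction, which matches the article's point that no return policy is needed.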
Modification History:
2017-12-26: Article reviewed for accuracy. Minor grammatical change done. Article is correct and complete.