Channel: All Routing posts

Selective default route is possible with BGP?


Re: Selective default route is possible with BGP?


With the loss of source routing in forwarding routing instances, the only option I see for this is to move the server subnets desired into their own full virtual router routing instance.

 

This virtual router can then connect to the SRX directly by adding a subinterface and dedicated link on the SRX connection peering bgp to prefer this path.

 

If the alternate path is wanted as a backup you add a logical tunnel internal interface to the main or root vr and peer there with import of routes as a secondary path.

 

Re: Can't connect to SRX from Meraki VPN


Is the SRX in packet mode as a router or in the default flow mode as a firewall?

 

If it is in the default state, (firewall flow mode) in addition to the return route you also need to add security policy zone to zone to permit the desired traffic flows.

 

L3VPN vrf bgp peer local-as, as loop affect whole vrf tables


Hi

Below is the L3VPN PE configuration, the MPLS MPBGP ASN is 18181, there is the local-as 9696 setting in vrf AGC.

 

We also have an ASN 9696 in remote site vrf routing-options autonomous-system setting.

 

My question is the local-as setting in vrf AGC that affects this local_PE all vrf tables and all BGP routes with AS path 9696 become AS loop.

 

The L3VPN vrf local-as setting behavior is different from global setting local-as.

 

Please help me in detail to understand this difference.

 

======================================================================

 

9696 (vrf) remote_PE ----- MPLS 18181 ------ local_PE (vrf) local-as 9696

 

======================================================================

 

set routing-options router-id 11.7.0.21
set routing-options autonomous-system 18181

 

set routing-instances AGC instance-type vrf
set routing-instances AGC interface ae3.344
set routing-instances AGC route-distinguisher 9696:1335
set routing-instances AGC vrf-import AGC-vrf-import
set routing-instances AGC vrf-export AGC-vrf-export
set routing-instances AGC vrf-table-label
set routing-instances AGC routing-options router-id 11.7.0.21
set routing-instances AGC routing-options autonomous-system 18181
set routing-instances AGC routing-options auto-export
set routing-instances AGC protocols bgp group AGC-cache-v4-AS133 type external
set routing-instances AGC protocols bgp group AGC-cache-v4-AS133 peer-as 133
set routing-instances AGC protocols bgp group AGC-cache-v4-AS133 local-as 9696
set routing-instances AGC protocols bgp group AGC-cache-v4-AS133 neighbor 11.7.55.62
set routing-instances G_f3 instance-type vrf
set routing-instances G_f3 interface ae3.1035
set routing-instances G_f3 route-distinguisher 65422:621
set routing-instances G_f3 vrf-import G_f3-import
set routing-instances G_f3 vrf-export G_f3-export
set routing-instances G_f3 vrf-table-label
set routing-instances G_f3 routing-options router-id 11.7.0.21
set routing-instances G_f3 protocols bgp group EG type external
set routing-instances G_f3 protocols bgp group EG preference 169
set routing-instances G_f3 protocols bgp group EG peer-as 65457
set routing-instances G_f3 protocols bgp group EG neighbor 10.79.67.90
set routing-instances G_f01 instance-type vrf
set routing-instances G_f01 interface ae3.1033
set routing-instances G_f01 route-distinguisher 65422:622
set routing-instances G_f01 vrf-import G_f01-import
set routing-instances G_f01 vrf-export G_f01-export
set routing-instances G_f01 vrf-table-label
set routing-instances G_f01 routing-options router-id 11.7.0.21
set routing-instances G_f01 protocols bgp group EG type external
set routing-instances G_f01 protocols bgp group EG preference 169
set routing-instances G_f01 protocols bgp group EG peer-as 65457
set routing-instances G_f01 protocols bgp group EG neighbor 10.79.67.82

 

======================================================================

 

> show route summary

 

Autonomous system number: 18181
Router ID: 11.7.0.21
inet.0: 11 destinations, 11 routes (11 active, 0 holddown, 0 hidden)
Direct: 4 routes, 4 active
Local: 4 routes, 4 active
OSPF: 2 routes, 2 active
Static: 1 routes, 1 active
inet.3: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)
RSVP: 1 routes, 1 active
AGC.inet.0: 7 destinations, 8 routes (6 active, 0 holddown, 1 hidden)
Direct: 1 routes, 1 active
Local: 1 routes, 1 active
BGP: 6 routes, 4 active
G_f3.inet.0: 6 destinations, 6 routes (5 active, 0 holddown, 1 hidden)
Direct: 1 routes, 1 active
Local: 1 routes, 1 active
BGP: 4 routes, 3 active
G_f01.inet.0: 6 destinations, 6 routes (5 active, 0 holddown, 1 hidden)
Direct: 1 routes, 1 active
Local: 1 routes, 1 active
BGP: 4 routes, 3 active
mpls.0: 9 destinations, 9 routes (9 active, 0 holddown, 0 hidden)
MPLS: 6 routes, 6 active
VPN: 3 routes, 3 active
bgp.l3vpn.0: 4 destinations, 4 routes (3 active, 0 holddown, 1 hidden)
BGP: 4 routes, 3 active

 

======================================================================

 

> show route hidden table AGC.inet.0 extensive

 

AGC.inet.0: 7 destinations, 8 routes (6 active, 0 holddown, 1 hidden)
8.0.0.0/16 (1 entry, 0 announced)
BGP /-301
Route Distinguisher: 9696:423
Next hop type: Indirect
Address: 0x95715b8
Next-hop reference count: 25
Source: 11.7.0.15
Next hop type: Router, Next hop index: 688
Next hop: 1.1.1.1 via ge-0/0/1.0, selected
Label-switched-path td3-spcmx
Label operation: Push 16
Label TTL action: prop-ttl
Load balance label: Label 16: None;
Session Id: 0x1
Protocol next hop: 11.7.0.15
Label operation: Push 16
Label TTL action: prop-ttl
Load balance label: Label 16: None;
Indirect next hop: 0x975c000 1048574 INH Session ID: 0x4
State: <Secondary Hidden Int Ext ProtectionCand>
Local AS: 18181 Peer AS: 18181
Age: 58:25 Metric2: 1
Validation State: unverified
Task: BGP_18181.11.7.0.15+62996
AS path: 9696 I (Looped: 9696)
Communities: target:9696:416 target:9696:425 target:9696:427
Import
VPN Label: 16
Localpref: 300
Router ID: 11.7.0.15
Hidden reason: AS path loop
Primary Routing Table bgp.l3vpn.0
Indirect next hops: 1
Protocol next hop: 11.7.0.15 Metric: 1
Label operation: Push 16
Label TTL action: prop-ttl
Load balance label: Label 16: None;
Indirect next hop: 0x975c000 1048574 INH Session ID: 0x4
Indirect path forwarding next hops: 1
Next hop type: Router
Next hop: 1.1.1.1 via ge-0/0/1.0
Session Id: 0x1
11.7.0.15/32 Originating RIB: inet.3
Metric: 1 Node path count: 1
Forwarding nexthops: 1
Nexthop: 1.1.1.1 via ge-0/0/1.0

 

======================================================================

 

> show route hidden table G_f3.inet.0 extensive

 

G_f3.inet.0: 6 destinations, 6 routes (5 active, 0 holddown, 1 hidden)
8.0.0.0/16 (1 entry, 0 announced)
BGP /-301
Route Distinguisher: 9696:423
Next hop type: Indirect
Address: 0x95715b8
Next-hop reference count: 25
Source: 11.7.0.15
Next hop type: Router, Next hop index: 688
Next hop: 1.1.1.1 via ge-0/0/1.0, selected
Label-switched-path td3-spcmx
Label operation: Push 16
Label TTL action: prop-ttl
Load balance label: Label 16: None;
Session Id: 0x1
Protocol next hop: 11.7.0.15
Label operation: Push 16
Label TTL action: prop-ttl
Load balance label: Label 16: None;
Indirect next hop: 0x975c000 1048574 INH Session ID: 0x4
State: <Secondary Hidden Int Ext ProtectionCand>
Local AS: 18181 Peer AS: 18181
Age: 1:00:49 Metric2: 1
Validation State: unverified
Task: BGP_18181.11.7.0.15+62996
AS path: 9696 I (Looped: 9696)
Communities: target:9696:416 target:9696:425 target:9696:427
Import
VPN Label: 16
Localpref: 300
Router ID: 11.7.0.15
Hidden reason: AS path loop
Primary Routing Table bgp.l3vpn.0
Indirect next hops: 1
Protocol next hop: 11.7.0.15 Metric: 1
Label operation: Push 16
Label TTL action: prop-ttl
Load balance label: Label 16: None;
Indirect next hop: 0x975c000 1048574 INH Session ID: 0x4
Indirect path forwarding next hops: 1
Next hop type: Router
Next hop: 1.1.1.1 via ge-0/0/1.0
Session Id: 0x1
11.7.0.15/32 Originating RIB: inet.3
Metric: 1 Node path count: 1
Forwarding nexthops: 1
Nexthop: 1.1.1.1 via ge-0/0/1.0

======================================================================

 

> show route hidden table G_f01.inet.0 extensive

 

G_f01.inet.0: 6 destinations, 6 routes (5 active, 0 holddown, 1 hidden)
8.0.0.0/16 (1 entry, 0 announced)
BGP /-301
Route Distinguisher: 9696:423
Next hop type: Indirect
Address: 0x95715b8
Next-hop reference count: 25
Source: 11.7.0.15
Next hop type: Router, Next hop index: 688
Next hop: 1.1.1.1 via ge-0/0/1.0, selected
Label-switched-path td3-spcmx
Label operation: Push 16
Label TTL action: prop-ttl
Load balance label: Label 16: None;
Session Id: 0x1
Protocol next hop: 11.7.0.15
Label operation: Push 16
Label TTL action: prop-ttl
Load balance label: Label 16: None;
Indirect next hop: 0x975c000 1048574 INH Session ID: 0x4
State: <Secondary Hidden Int Ext ProtectionCand>
Local AS: 18181 Peer AS: 18181
Age: 1:02:20 Metric2: 1
Validation State: unverified
Task: BGP_18181.11.7.0.15+62996
AS path: 9696 I (Looped: 9696)
Communities: target:9696:416 target:9696:425 target:9696:427
Import
VPN Label: 16
Localpref: 300
Router ID: 11.7.0.15
Hidden reason: AS path loop
Primary Routing Table bgp.l3vpn.0
Indirect next hops: 1
Protocol next hop: 11.7.0.15 Metric: 1
Label operation: Push 16
Label TTL action: prop-ttl
Load balance label: Label 16: None;
Indirect next hop: 0x975c000 1048574 INH Session ID: 0x4
Indirect path forwarding next hops: 1
Next hop type: Router
Next hop: 1.1.1.1 via ge-0/0/1.0
Session Id: 0x1
11.7.0.15/32 Originating RIB: inet.3
Metric: 1 Node path count: 1
Forwarding nexthops: 1
Nexthop: 1.1.1.1 via ge-0/0/1.0

 

======================================================================

 

> show route hidden table bgp.l3vpn.0 extensive

 

bgp.l3vpn.0: 4 destinations, 4 routes (3 active, 0 holddown, 1 hidden)
9696:423:8.0.0.0/16 (1 entry, 0 announced)
BGP /-301
Route Distinguisher: 9696:423
Next hop type: Indirect
Address: 0x95715b8
Next-hop reference count: 25
Source: 11.7.0.15
Next hop type: Router, Next hop index: 688
Next hop: 1.1.1.1 via ge-0/0/1.0, selected
Label-switched-path td3-spcmx
Label operation: Push 16
Label TTL action: prop-ttl
Load balance label: Label 16: None;
Session Id: 0x1
Protocol next hop: 11.7.0.15
Label operation: Push 16
Label TTL action: prop-ttl
Load balance label: Label 16: None;
Indirect next hop: 0x975c000 1048574 INH Session ID: 0x4
State: <Hidden Int Ext ProtectionPath ProtectionCand>
Local AS: 18181 Peer AS: 18181
Age: 1:10:34 Metric2: 1
Validation State: unverified
Task: BGP_18181.11.7.0.15+62996
AS path: 9696 I (Looped: 9696)
Communities: target:9696:416 target:9696:425 target:9696:427
Import
VPN Label: 16
Localpref: 300
Router ID: 11.7.0.15
Hidden reason: AS path loop
Secondary Tables: AGC.inet.0 G_f3.inet.0 G_f01.inet.0
Indirect next hops: 1
Protocol next hop: 11.7.0.15 Metric: 1
Label operation: Push 16
Label TTL action: prop-ttl
Load balance label: Label 16: None;
Indirect next hop: 0x975c000 1048574 INH Session ID: 0x4
Indirect path forwarding next hops: 1
Next hop type: Router
Next hop: 1.1.1.1 via ge-0/0/1.0
Session Id: 0x1
11.7.0.15/32 Originating RIB: inet.3
Metric: 1 Node path count: 1
Forwarding nexthops: 1
Nexthop: 1.1.1.1 via ge-0/0/1.0

Re: LSP PATH Stuck in up state however the hop in path is down


Dear Francis,

 

Thanks for your reply, but actually Juniper router is the Head-end and Huawei is the tail-end, and we suspect the extra RESV message after the ResvTear message to cause this stuck issue.

 

Thanks

Send-community-both for a specific neighbor in MX2020


Dears,

 

I tried searching the board but couldn't find anything specific.

 

I would like to know how to configure show-community-both or show-extended-community under a specific neighbor on MX2020 series.

 

 


Empty output in "test access radius-server..."


Hello all,

 

I have an issue when I try to test radius server in MX104 (Junos 17.3). When I exec command test access radius-server 172.28.30.95 user JOHNDOE password JohnPass secret No1Knows, the output is empty. I reach the radius-server IP ok and this same issue happens with any user. Could you help me please? Thanks a lot. BR.

Re: Send-community-both for a specific neighbor in MX2020


Hello,

"send-community*" is a CSCO-specific knob, there is no JUNOS equivalent.

JUNOS allows You to attach ANY community to a BGP route using just the policy, without extra hoops to jump through.

HTH

Thx

Alex

MX Type5 EVPN routes


Trying to get some type5 EVPN routes working in my lab and running into some issues.

Setup is that I have two vMX devices connected together via L3 links. These act as the "datacenter gateways"

 

The type5 route is being advertised from MX2 to MX1; however, traffic does not flow. The route is received on MX1 into the bgp.evpn table; however, it is not getting into the customer VRF, which I believe is the problem. Here are some details:

 

root@DC2-VTEP1> show route advertising-protocol bgp 192.168.0.1 detail table bgp.evpn.0  <snip>
* 5:192.168.0.9:440::0::10.4.1.0::24/248 (1 entry, 1 announced)
 BGP group DC1-EVPN type Internal
     Route Distinguisher: 192.168.0.9:440
     Overlay gateway address: 10.4.1.1
     Nexthop: Self
     Flags: Nexthop Change
     Localpref: 100
     AS path: [65999] I
     Communities: encapsulation:vxlan(0x8)
root@DC2-VTEP1> show route advertising-protocol bgp 192.168.0.1 extensive table VRF_CUST-4.evpn.0

VRF_CUST-4.evpn.0: 30 destinations, 30 routes (30 active, 0 holddown, 0 hidden)
* 5:192.168.0.9:440::0::10.4.1.0::24/248 (1 entry, 1 announced)
 BGP group DC1-EVPN type Internal
     Route Distinguisher: 192.168.0.9:440
     Overlay gateway address: 10.4.1.1
     Nexthop: Self
     Flags: Nexthop Change
     Localpref: 100
     AS path: [65999] I
     Communities: encapsulation:vxlan(0x8)

 

The route is received on the other MX:

root@DC1-VTEP1>show route receive-protocol bgp 192.168.0.9 detail table bgp.evpn.0 <snip>
* 5:192.168.0.9:440::0::10.4.1.0::24/248 (1 entry, 1 announced)
     Accepted
     Route Distinguisher: 192.168.0.9:440
     Overlay gateway address: 10.4.1.1
     Nexthop: 192.168.0.9               
     Localpref: 100
     AS path: I
     Communities: encapsulation:vxlan(0x8)

root@DC1-VTEP1> show route table VRF_CUST-1    

VRF_CUST-1.inet.0: 10 destinations, 10 routes (10 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

1.2.3.4/32         *[Static/5] 2d 17:41:29
                      to table inet.0
10.1.1.0/24        *[Direct/0] 2d 17:39:45
                    > via irb.110
10.1.1.1/32        *[Local/0] 2d 17:39:45
                      Local via irb.110
10.1.1.2/32        *[Local/0] 2d 17:39:45
                      Local via irb.110
10.2.1.0/24        *[Direct/0] 18:38:07
                    > via irb.220
10.2.1.1/32        *[Local/0] 18:38:07
                      Local via irb.220
10.2.1.2/32        *[Local/0] 18:38:07
                      Local via irb.220
10.3.1.0/24        *[Direct/0] 18:38:07
                    > via irb.330
10.3.1.1/32        *[Local/0] 18:38:07
                      Local via irb.330
10.3.1.2/32        *[Local/0] 18:38:07
                      Local via irb.330 

So what I would expect to happen is that the "5:192.168.0.9:440::0::10.4.1.0::24/248" type 5 route in the bgp.evpn table somehow needs to make it into the VRF_CUST-1 table.

The config on the exporting side is this:

root@DC2-VTEP1> show configuration routing-instances VRF_CUST-4               
instance-type vrf;
interface irb.440;
route-distinguisher 192.168.0.9:440;
vrf-import VRF-IMPORT;
vrf-target target:40:440;
routing-options {
    auto-export;
}
protocols {
    evpn {
        ip-prefix-routes {
            advertise gateway-address;
            gateway-interface irb.440;
            export TYPE-5;
        }
    }
}

root@DC2-VTEP1> show configuration policy-options policy-statement TYPE-5
term 1 {
    from protocol direct;
    then {
        next-hop self;
        accept;
    }
}
then reject;

I believe there is a special BGP extended community that type-5 routes use; however, I'm not sure what it is, so on the import side perhaps I'm not allowing it:

root@vtep1> show configuration routing-instances VRF_CUST-1  
instance-type vrf;
interface irb.110;
route-distinguisher 192.168.0.1:110;
vrf-import VRF-IMPORT;
vrf-target target:10:110;
routing-options {
    auto-export;
}

root@vtep1# show policy-options policy-statement VRF-IMPORT 
term IMPORT {
    from community [ COMM-VLAN10 COMM-VLAN20 COMM-VLAN30 COMM-VLAN40 ];
    then accept;
}
then reject;

Re: Empty output in "test access radius-server..."


Hi,

 

This is a very old knob. Instead, try the following knob:

 

If it's a general user:

test aaa authd-lite user test@test.net password test123 profile AAA  

 

For PPP:

test aaa ppp user test@test.net password test123 profile AAA  

 

For DHCP:

test aaa dhcp user test@test.net password test123 profile AAA  

 

For example:

 

test aaa authd-lite user test@test.net password test123 profile AAA  
    Authentication Grant
    ************User Attributes***********
         User Name -                              test@test.net    
         Framed IPv6 Prefix -                     <not set>        
         Framed IPv6 Pool -                       <not set>        
         NDRA IPv6 Prefix -                       <not set>        
         Login IPv6 Host -                        <not set>        
         Framed Interface Id -                    <not set>        
         Delegated IPv6 Prefix -                  <not set>        
         Delegated IPv6 Pool -                    <not set>        
         NDRA IPv6 Pool -                         <not set>        
         User Password -                          test123          
         Nas Ip Address -                         <not set>        
         NAS Port -                               0                
         Service Type -                           0                
         Framed IP Address -                      <not set>        
         Framed IP Netmask -                      <not set>        
         Filter Id -                              <not set>        
         Framed MTU -                             <not set>        
         Reply Message -                          <not set>        
         Framed Route -                           <not set>        
         Class -                                  <not set>        
         Virtual Router Name -                    <not set>        
         Primary DNS IP Address -                 <not set>        
         Secondary DNS IP Address -               <not set>        
         Primary WINS IP Address -                <not set>        
         Secondary WINS IP Address -              <not set>        
         Ingress Policy Name -                    <not set>        
         Egress Policy Name -                     <not set>        
         IGMP Enable -                            <not set>        
         Redirect VR Name -                       <not set>        
         Service Bundle -                         <not set>        
         Framed Ip Route Tag -                    <not set>        
         Activate Service -                       <not set>        
         Deactivate Service -                     <not set>        
         Service Statistics -                     0                
         IGMP Access Group Name -                 <not set>        
         IGMP Access Source Group_Name -          <not set>        
         MLD Access Group Name -                  <not set>        
         MLD Access Source Group Name -           <not set>        
         MLD Version -                            <not set>        
         IGMP Version -                           <not set>        
         IGMP Immediate Leave -                   <not set>        
         MLD Immediate Leave -                    <not set>        
         IPv6 Ingress Policy Name -               <not set>        
         IPv6 Egress Policy Name -                <not set>        
         Service Interim Acct Interval -          0                
         Max Clients Per Interface -              <not set>        
         Session Timeout -                        599999940        
         Idle Timeout -                           <not set>        
         NAS Port Type -                          0                
         Framed Pool -                            <not set>        
         Agent Remote Id -                        <not set>        
    Acct-start sent
    Acct-start failed
    Logging out subscriber
         Terminate Id -                           <not set>        
    Test complete. Exiting

 

 

Call the radius server in access profile:


set access profile AAA authentication-order radius
set access profile AAA radius authentication-server X.X.X.X
set access profile AAA radius accounting-server X.X.X.X
set access profile AAA radius-server x.x.x.x port 1812
set access profile AAA radius-server x.x.x.x accounting-port 1812
set access profile AAA radius-server x.x.x.x secret "$9$7rV2aji.5T3jHfzFnu0"
set access profile AAA radius-server x.x.x.x timeout 5
set access profile AAA radius-server x.x.x.x retry 5
set access profile AAA radius-server x.x.x.x source-address x.x.x.x

set access-profile AAA

 

 

Re: MX Type5 EVPN routes


Bit more info... I'm seeing 10.4.1.0/24 as a hidden route on DC1-VTEP1

root@DC1-VTEP1# run show route 10.4.1.0/24 hidden extensive 

VRF_CUST-1.inet.0: 20 destinations, 24 routes (19 active, 0 holddown, 1 hidden)
10.4.1.0/24 (1 entry, 0 announced)
         EVPN   Preference: 170
                Next hop type: Unusable, Next hop index: 0
                Address: 0xa123c64
                Next-hop reference count: 3
                State: <Hidden Int Ext>
                Age: 17 
                Validation State: unverified 
                Task: VRF_CUST-1-EVPN-L3-context
                AS path: I
                Indirect next hops: 1
                        Protocol next hop: 10.4.1.1
                        Indirect next hop: 0x0 - INH Session ID: 0x0

I'm assuming it's not working because there is no route to the "Protocol next hop: 10.4.1.1"

Juniper x86 platform which supports Vmware or MS virtual machine .


Hello Team ,

 

As a partner working on MX modular platforms. Could you verify if Juniper has any OEM x86 platform (server or appliance) that allows them to set up a VMware or MS virtual environment? We have to know if a Juniper platform supports this kind of server.

 

We would really appreciate your quick response .

 

Thanks in advance !

 

Re: Juniper x86 platform which supports Vmware or MS virtual machine .


Juniper does not provide any hypervisor appliances. You have to find the hardware for a virtualization infrastructure elsewhere.

There is a partnership with Nutanix where vSRX has recently been certified for - but not something you can buy from Juniper.

 

In general both VMWare and KVM are supported for all virtual platforms but only HyperV on a very few (with limitations as well).


Re: Juniper x86 platform which supports Vmware or MS virtual machine .


Hello Jonas, 

 

Thank you so much for your response . 

 

I understand that, but does Juniper have any router or appliance which is x86 CPU system based, where we can install VMware on top of that? Something related to service containerization/app hosting virtualization on OS feature.

 

But we are looking specifically at VMware deployment over a Juniper box/appliance.

 

Appreciate your quick response .

 

Thanks in advance.

Re: Juniper x86 platform which supports Vmware or MS virtual machine .


There are no Juniper products/platforms where you can run VMware on top. The closest match is the NFX platform where you can deploy a few virtual machines. This is integrated into a Junos management infrastructure and KVM based. You cannot create a "KVM cluster" based on NFX.

 

If you want to explore this path, the NFX250 is the closest match.

Re: Ping or trace across EX routing instances FAILS


Thanks for the reply. It helps...a bit....It appears that I need umpteen plus one explanations...

 

Unless I am misunderstanding the article you referred to, or I did not explain the issue clearly, it is not directly connected subnets that I described.....

 

The issue is when traffic flow is THROUGH switch B in the middle destined for a subnet on switch A or C.  Transit traffic at switch B.

 

When traffic transits switch B for a destination on switch A and is sourced by switch C or vice-versa, it seems to fail.

 

I hope that clarifies. If I am still not understanding the article, please feel free to clarify to me.

 

Thanks again.

VRRP issue on MX104 when adding second VRRP


Dear All,

 

we have two MX104 in two VRRP groups
MX-B - master in vlan 151, backup in vlan 994
MX-A - backup in vlan 151, master in vlan 994

 

There is no problem when there is only one VRRP in vlan 151

MX-A> show configuration interfaces xe-2/0/0.151 | display inheritance no-comments
description "customer1";
bandwidth 100m;
vlan-id 151;
family inet {
    rpf-check;
    mtu 1500;
    policer {
        arp arp-policer;
        input bw-100Mbps;
        output bw-100Mbps;
    }
    sampling {
        input;
    }
    address 10.0.0.58/29 {
        vrrp-group 0 {
            virtual-address 10.0.0.59;
            priority 100;
            preempt {
                hold-time 120;
            }
            accept-data;
        }
    }
}

---

MX-B> show configuration interfaces xe-2/0/0.151 | display inheritance no-comments
description "customer1";
bandwidth 100m;
vlan-id 151;
family inet {
    rpf-check;
    mtu 1500;
    policer {
        arp arp-policer;
        input bw-100Mbps;
        output bw-100Mbps;
    }
    sampling {
        input;
    }
    address 10.0.0.57/29 {
        vrrp-group 0 {
            virtual-address 10.0.0.59;
            priority 150;
            preempt {
                hold-time 120;
            }
            accept-data;
        }
    }
}

---

MX-B> show vrrp
Interface     State       Group   VR state VR Mode   Timer    Type   Address
xe-2/0/0.151  up              0   master   Active      A  0.000 lcl    10.0.0.57
                                                                vip    10.0.0.59
MX-A> show vrrp
Interface     State       Group   VR state VR Mode   Timer    Type   Address
xe-2/0/0.151  up              0   backup   Active      D  3.254 lcl    10.0.0.58
                                                                vip    10.0.0.59
                                                                mas    10.0.0.57
---
#ping 10.0.0.59 source 10.0.0.60

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.59, timeout is 2 seconds:
Packet sent with a source address of 10.0.0.60
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/8 ms

The VIP address is reachable for customer's hosts and hosts are reachable from outside.

 

When we add a second VRRP on a separate interface, the first VRRP in vlan 151 stops working: the VIP address doesn't respond to ping from customer's hosts and hosts are unreachable from outside networks. But ARP records for hosts are still visible on the VRRP master after clearing.

MX-A> show configuration interfaces xe-2/0/0.994 | display inheritance no-comments
description "customer2";
bandwidth 100;
vlan-id 994;
family inet {
    rpf-check;
    mtu 1500;
    policer {
        arp arp-policer;
        input bw-100Mbps;
        output bw-100Mbps;
    }
    sampling {
        input;
    }
    address 10.0.0.17/29 {
        vrrp-group 0 {
            virtual-address 10.0.0.22;
            priority 150;
            preempt {
                hold-time 120;
            }
            accept-data;
        }
    }
}

---

MX-B> show configuration interfaces xe-2/0/0.994 | display inheritance no-comments
description "customer2";
bandwidth 100;
vlan-id 994;
family inet {
    rpf-check;
    mtu 1500;
    policer {
        arp arp-policer;
        input bw-100Mbps;
        output bw-100Mbps;
    }
    sampling {
        input;
    }
    address 10.0.0.18/29 {
        vrrp-group 0 {
            virtual-address 10.0.0.22;
            priority 100;
            preempt {
                hold-time 120;
            }
            accept-data;
        }
    }
}

---

MX-B> show vrrp
Interface     State       Group   VR state VR Mode   Timer    Type   Address
xe-2/0/0.151  up              0   master   Active      A  0.000 lcl    10.0.0.57
                                                                vip    10.0.0.59
xe-2/0/0.994  up              0   backup   Active      D  3.024 lcl    10.0.0.18
                                                                vip    10.0.0.22
                                                                mas    10.0.0.17

MX-A> show vrrp
Interface     State       Group   VR state VR Mode   Timer    Type   Address
xe-2/0/0.151  up              0   backup   Active      D  3.254 lcl    10.0.0.58
                                                                vip    10.0.0.59
                                                                mas    10.0.0.57
xe-2/0/0.994  up              0   master   Active      A  0.000 lcl    10.0.0.17
                                                                vip    10.0.0.22
---
#ping 10.0.0.59 source 10.0.0.60

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.59, timeout is 2 seconds:
Packet sent with a source address of 10.0.0.60
.....
Success rate is 0 percent (0/5)

Any ideas why?

 

 

Re: VRRP issue on MX104 when adding second VRRP


..why not try a different vrrp group number as both are the same 0

the VRRP mac address is the same if the group number is the same

 

regards

 

alexander
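
The condition this reply points at can be checked mechanically. The following is an added example, not code from the thread or from Juniper: it derives the IPv4 VRRP virtual MAC from the group number (00-00-5E-00-01-{VRID}, RFC 5798) and flags logical units on one physical port whose groups map to the same virtual MAC. The sample input is constructed by trimming MX-A's configuration quoted in the question; the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: MX-A's two logical units, trimmed from the configuration
# quoted in the question (only the lines relevant to VRRP are kept).
MX_A_CONFIG = {
    "xe-2/0/0.151": """
        vlan-id 151;
        family inet {
            address 10.0.0.58/29 {
                vrrp-group 0 {
                    virtual-address 10.0.0.59;
                    priority 100;
                }
            }
        }
    """,
    "xe-2/0/0.994": """
        vlan-id 994;
        family inet {
            address 10.0.0.17/29 {
                vrrp-group 0 {
                    virtual-address 10.0.0.22;
                    priority 150;
                }
            }
        }
    """,
}

# Matches "vrrp-group N { virtual-address A.B.C.D;" in brace-style Junos output.
GROUP_RE = re.compile(r"vrrp-group\s+(\d+)\s*\{[^}]*?virtual-address\s+([0-9.]+);")


def vrrp_virtual_mac(vrid: int) -> str:
    """IPv4 VRRP virtual MAC: the last octet is the group number (VRID)."""
    # Junos accepts group 0, as used in the thread, so 0..255 is allowed here.
    if not 0 <= vrid <= 255:
        raise ValueError("VRRP group number must fit in one octet")
    return f"00:00:5e:00:01:{vrid:02x}"


def parse_groups(config_by_unit):
    """Return (logical_unit, vrid, virtual_address) for every vrrp-group found."""
    found = []
    for unit, text in config_by_unit.items():
        for vrid, vip in GROUP_RE.findall(text):
            found.append((unit, int(vrid), vip))
    return found


def find_mac_collisions(config_by_unit):
    """Map (physical port, virtual MAC) to the units sharing it, if more than one."""
    by_port_mac = defaultdict(list)
    for unit, vrid, vip in parse_groups(config_by_unit):
        port = unit.split(".", 1)[0]  # xe-2/0/0.151 -> xe-2/0/0
        by_port_mac[(port, vrrp_virtual_mac(vrid))].append((unit, vip))
    return {key: units for key, units in by_port_mac.items() if len(units) > 1}


if __name__ == "__main__":
    for (port, mac), units in find_mac_collisions(MX_A_CONFIG).items():
        names = ", ".join(f"{unit} (vip {vip})" for unit, vip in units)
        print(f"{port}: virtual MAC {mac} shared by {names}")
```

Giving the second VLAN its own group number (for example vrrp-group 1 on unit 994) yields a distinct virtual MAC and the check reports nothing.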
