Junos OS

Hello Everyone;

I have a problem with VRRP. One of my customer want a deployement like 2 Forti firewall and 2 MX204. MX's are going to handle BGP with ISP's and Firewall will communicate MX via VRRP. 

I have one interface each MX for Firewall connection. And I want to assign more than one vrrp group those interfaces. One last think they told me, "We need vlan tagging for VDOM". How can ı do that?

I tried something like this but did not work;

ge-0/0/1 {    vlan-tagging;    unit 1115 {        description ***        vlan-id 1115;        family inet {            address 10.77.79.2/29 {                vrrp-group 1 {                    virtual-address 10.40.1.200;                    priority 200;
                    accept data;
                    preemt;

Do ı need to add ' encapsulation flexible-ethernet-services;' and 'bridge domains'?

When ı checked my router both off them act like a master.  I saw a document on Juniper https://www.juniper.net/documentation/us/en/software/junos/high-availability/topics/example/multiple-vrrp-owner-groups.html In this document they assign more than one ip address on the unit 0. Is it possible can ı do that with out any vlan tagging? My biggest problem is ı dont know how can ı use a juniper inet port with more than one ip and exct.

Hi,

Virtual address must be same segment with physical ip.

Thanks

Hello Everyone;

I have a problem with VRRP. One of my customer want a deployement like 2 Forti firewall and 2 MX204. MX's are going to handle BGP with ISP's and Firewall will communicate MX via VRRP. 

I have one interface each MX for Firewall connection. And I want to assign more than one vrrp group those interfaces. One last think they told me, "We need vlan tagging for VDOM". How can ı do that?

I tried something like this but did not work;

ge-0/0/1 {    vlan-tagging;    unit 1115 {        description ***        vlan-id 1115;        family inet {            address 10.77.79.2/29 {                vrrp-group 1 {                    virtual-address 10.40.1.200;                    priority 200;
                    accept data;
                    preemt;

Do ı need to add ' encapsulation flexible-ethernet-services;' and 'bridge domains'?

When ı checked my router both off them act like a master.  I saw a document on Juniper https://www.juniper.net/documentation/us/en/software/junos/high-availability/topics/example/multiple-vrrp-owner-groups.html In this document they assign more than one ip address on the unit 0. Is it possible can ı do that with out any vlan tagging? My biggest problem is ı dont know how can ı use a juniper inet port with more than one ip and exct.

Hi, 

Thank you for your reply. I wrote wrong sorry VIP address ı used is '10.77.79.1'. 

With this stil dont work. 

Hi,

Virtual address must be same segment with physical ip.

Thanks

Hello Everyone;

I have a problem with VRRP. One of my customer want a deployement like 2 Forti firewall and 2 MX204. MX's are going to handle BGP with ISP's and Firewall will communicate MX via VRRP. 

I have one interface each MX for Firewall connection. And I want to assign more than one vrrp group those interfaces. One last think they told me, "We need vlan tagging for VDOM". How can ı do that?

I tried something like this but did not work;

ge-0/0/1 {    vlan-tagging;    unit 1115 {        description ***        vlan-id 1115;        family inet {            address 10.77.79.2/29 {                vrrp-group 1 {                    virtual-address 10.40.1.200;                    priority 200;
                    accept data;
                    preemt;

Do ı need to add ' encapsulation flexible-ethernet-services;' and 'bridge domains'?

When ı checked my router both off them act like a master.  I saw a document on Juniper https://www.juniper.net/documentation/us/en/software/junos/high-availability/topics/example/multiple-vrrp-owner-groups.html In this document they assign more than one ip address on the unit 0. Is it possible can ı do that with out any vlan tagging? My biggest problem is ı dont know how can ı use a juniper inet port with more than one ip and exct.

Hi, 

Thank you for your reply. I wrote wrong sorry VIP address ı used is '10.77.79.1'. 

With this stil dont work. 

Hi,

Virtual address must be same segment with physical ip.

Thanks

Hello Everyone;

I have a problem with VRRP. One of my customer want a deployement like 2 Forti firewall and 2 MX204. MX's are going to handle BGP with ISP's and Firewall will communicate MX via VRRP. 

I have one interface each MX for Firewall connection. And I want to assign more than one vrrp group those interfaces. One last think they told me, "We need vlan tagging for VDOM". How can ı do that?

I tried something like this but did not work;

ge-0/0/1 {    vlan-tagging;    unit 1115 {        description ***        vlan-id 1115;        family inet {            address 10.77.79.2/29 {                vrrp-group 1 {                    virtual-address 10.40.1.200;                    priority 200;
                    accept data;
                    preemt;

Do ı need to add ' encapsulation flexible-ethernet-services;' and 'bridge domains'?

When ı checked my router both off them act like a master.  I saw a document on Juniper https://www.juniper.net/documentation/us/en/software/junos/high-availability/topics/example/multiple-vrrp-owner-groups.html In this document they assign more than one ip address on the unit 0. Is it possible can ı do that with out any vlan tagging? My biggest problem is ı dont know how can ı use a juniper inet port with more than one ip and exct.

Hi;

root@MX-BGP-ROUTER-2> show vrrp summary

Interface          State       Group       VR state       VR Mode       Type Address

xe-0/1/7.10    up                    1             master           Active             lcl 10.77.79.3

                                                                                                                               vip 10.77.79.1

root@MX-BGP-ROUTER-1> show vrrp summary 

Interface          State       Group       VR state       VR Mode       Type Address

xe-0/1/7.10    up                    1             master           Active             lcl 10.77.79.2

                                                                                                                               vip 10.77.79.1

Both of them act like master. I am not sure about my interface config is it correct? Those are my exact config about VRRP;

For Router 1;

set interfaces xe-0/1/7 vlan-tagging
set interfaces xe-0/1/7 unit 10 description **VRRP_Peer_Link_FW1**
set interfaces xe-0/1/7 unit 10 vlan-id 10
set interfaces xe-0/1/7 unit 10 family inet address 10.77.79.2/29 vrrp-group 1 virtual-address 10.77.79.1
set interfaces xe-0/1/7 unit 10 family inet address 10.77.79.2/29 vrrp-group 1 priority 150
set interfaces xe-0/1/7 unit 10 family inet address 10.77.79.2/29 vrrp-group 1 preempt

set interfaces xe-0/1/7 unit 10 family inet address 10.77.79.2/29 vrrp-group 1 accept-data

For Router 2;

set interfaces xe-0/1/7 vlan-tagging
set interfaces xe-0/1/7 unit 10 description **VRRP_Peer_Link_FW2**
set interfaces xe-0/1/7 unit 10 vlan-id 10
set interfaces xe-0/1/7 unit 10 family inet address 10.77.79.3/29 vrrp-group 1 virtual-address 10.77.79.1
set interfaces xe-0/1/7 unit 10 family inet address 10.77.79.3/29 vrrp-group 1 priority 100
set interfaces xe-0/1/7 unit 10 family inet address 10.77.79.3/29 vrrp-group 1 accept-data

My customer used 10.77.79.4/29 ip address for their HA firewall and they told me 'you should tag your vlan id 10 for VRRP group' so far ı made this configuration. My VIP address ise their gateway to reach outside.

Hi, 

Thank you for your reply. I wrote wrong sorry VIP address ı used is '10.77.79.1'. 

With this stil dont work. 

Hi,

Virtual address must be same segment with physical ip.

Thanks

Hello Everyone;

I have a problem with VRRP. One of my customer want a deployement like 2 Forti firewall and 2 MX204. MX's are going to handle BGP with ISP's and Firewall will communicate MX via VRRP. 

I have one interface each MX for Firewall connection. And I want to assign more than one vrrp group those interfaces. One last think they told me, "We need vlan tagging for VDOM". How can ı do that?

I tried something like this but did not work;

ge-0/0/1 {    vlan-tagging;    unit 1115 {        description ***        vlan-id 1115;        family inet {            address 10.77.79.2/29 {                vrrp-group 1 {                    virtual-address 10.40.1.200;                    priority 200;
                    accept data;
                    preemt;

Do ı need to add ' encapsulation flexible-ethernet-services;' and 'bridge domains'?

When ı checked my router both off them act like a master.  I saw a document on Juniper https://www.juniper.net/documentation/us/en/software/junos/high-availability/topics/example/multiple-vrrp-owner-groups.html In this document they assign more than one ip address on the unit 0. Is it possible can ı do that with out any vlan tagging? My biggest problem is ı dont know how can ı use a juniper inet port with more than one ip and exct.

Hi Can, 

Can you please configure on both routers: 

set interfaces xe-0/1/7 encapsulation flexible-ethernet-services

As your configuring this on the physical layer, this may be needed to support ethernet encapsulations at the logical layer. 

I would also suggest configuring 'preempt' on both routers as this allows for the backup router to preempt to the primary router when this comes back online.; other than this the configuration looks okay. 

Can both of the routers actually reach each other via a ping? Are you able to reach between routers 1 & 2 and reach the VIP as well?

When doing your troubleshooting, can you run the command: 

show vrrp interface xe-0/1/7.10 

 - This will show more information about the VRRP mastership. 

------------------------------
Ethan Jackson

Original Message:
Sent: 12-04-2023 01:39
From: CAN KARANI SNER
Subject: VRRP

Hi;

root@MX-BGP-ROUTER-2> show vrrp summary

Interface          State       Group       VR state       VR Mode       Type Address

xe-0/1/7.10    up                    1             master           Active             lcl 10.77.79.3

                                                                                                                               vip 10.77.79.1

root@MX-BGP-ROUTER-1> show vrrp summary 

Interface          State       Group       VR state       VR Mode       Type Address

xe-0/1/7.10    up                    1             master           Active             lcl 10.77.79.2

                                                                                                                               vip 10.77.79.1

Both of them act like master. I am not sure about my interface config is it correct? Those are my exact config about VRRP;

For Router 1;

set interfaces xe-0/1/7 vlan-tagging
set interfaces xe-0/1/7 unit 10 description **VRRP_Peer_Link_FW1**
set interfaces xe-0/1/7 unit 10 vlan-id 10
set interfaces xe-0/1/7 unit 10 family inet address 10.77.79.2/29 vrrp-group 1 virtual-address 10.77.79.1
set interfaces xe-0/1/7 unit 10 family inet address 10.77.79.2/29 vrrp-group 1 priority 150
set interfaces xe-0/1/7 unit 10 family inet address 10.77.79.2/29 vrrp-group 1 preempt

set interfaces xe-0/1/7 unit 10 family inet address 10.77.79.2/29 vrrp-group 1 accept-data

For Router 2;

set interfaces xe-0/1/7 vlan-tagging
set interfaces xe-0/1/7 unit 10 description **VRRP_Peer_Link_FW2**
set interfaces xe-0/1/7 unit 10 vlan-id 10
set interfaces xe-0/1/7 unit 10 family inet address 10.77.79.3/29 vrrp-group 1 virtual-address 10.77.79.1
set interfaces xe-0/1/7 unit 10 family inet address 10.77.79.3/29 vrrp-group 1 priority 100
set interfaces xe-0/1/7 unit 10 family inet address 10.77.79.3/29 vrrp-group 1 accept-data

My customer used 10.77.79.4/29 ip address for their HA firewall and they told me 'you should tag your vlan id 10 for VRRP group' so far ı made this configuration. My VIP address ise their gateway to reach outside.

Hi, 

Thank you for your reply. I wrote wrong sorry VIP address ı used is '10.77.79.1'. 

With this stil dont work. 

Hi,

Virtual address must be same segment with physical ip.

Thanks

Hello Everyone;

I have a problem with VRRP. One of my customer want a deployement like 2 Forti firewall and 2 MX204. MX's are going to handle BGP with ISP's and Firewall will communicate MX via VRRP. 

I have one interface each MX for Firewall connection. And I want to assign more than one vrrp group those interfaces. One last think they told me, "We need vlan tagging for VDOM". How can ı do that?

I tried something like this but did not work;

ge-0/0/1 {    vlan-tagging;    unit 1115 {        description ***        vlan-id 1115;        family inet {            address 10.77.79.2/29 {                vrrp-group 1 {                    virtual-address 10.40.1.200;                    priority 200;
                    accept data;
                    preemt;

Do ı need to add ' encapsulation flexible-ethernet-services;' and 'bridge domains'?

When ı checked my router both off them act like a master.  I saw a document on Juniper https://www.juniper.net/documentation/us/en/software/junos/high-availability/topics/example/multiple-vrrp-owner-groups.html In this document they assign more than one ip address on the unit 0. Is it possible can ı do that with out any vlan tagging? My biggest problem is ı dont know how can ı use a juniper inet port with more than one ip and exct.

Hi,

Virtual address must be same segment with physical ip.

Thanks

Hello Everyone;

I have a problem with VRRP. One of my customer want a deployement like 2 Forti firewall and 2 MX204. MX's are going to handle BGP with ISP's and Firewall will communicate MX via VRRP. 

I have one interface each MX for Firewall connection. And I want to assign more than one vrrp group those interfaces. One last think they told me, "We need vlan tagging for VDOM". How can ı do that?

I tried something like this but did not work;

ge-0/0/1 {    vlan-tagging;    unit 1115 {        description ***        vlan-id 1115;        family inet {            address 10.77.79.2/29 {                vrrp-group 1 {                    virtual-address 10.40.1.200;                    priority 200;
                    accept data;
                    preemt;

Do ı need to add ' encapsulation flexible-ethernet-services;' and 'bridge domains'?

When ı checked my router both off them act like a master.  I saw a document on Juniper https://www.juniper.net/documentation/us/en/software/junos/high-availability/topics/example/multiple-vrrp-owner-groups.html In this document they assign more than one ip address on the unit 0. Is it possible can ı do that with out any vlan tagging? My biggest problem is ı dont know how can ı use a juniper inet port with more than one ip and exct.