Switching


Ask questions and share experiences about EX and QFX portfolios and all switching solutions across your data center, campus, and branch locations.

VRRP between 2 QFX. Couldn't reach VIP from the same network.

  • 1.  VRRP between 2 QFX. Couldn't reach VIP from the same network.

    Posted 5 days ago

    I have 2 QFX switches (QFX5120-48YM-8C, Junos: 20.4R1.12 flex) and am trying to configure VRRP.

    My config:

    IF-SW-DC-01

    set vlans DC-D-SERVICES vlan-id 519
    set vlans DC-D-SERVICES l3-interface irb.519
    set interfaces irb unit 519 family inet address 10.51.8.2/24 vrrp-group 8 virtual-address 10.51.8.1
    set interfaces irb unit 519 family inet address 10.51.8.2/24 vrrp-group 8 priority 200
    set interfaces irb unit 519 family inet address 10.51.8.2/24 vrrp-group 8 preempt
    set interfaces irb unit 519 family inet address 10.51.8.2/24 vrrp-group 8 accept-data
    show vrrp
    irb.519       up              8   master   Active      A  0.169 lcl    10.51.8.2
                                                                    vip    10.51.8.1
    --------------------------------------------------------------------------------------
    IF-SW-DC-02
    set vlans DC-D-SERVICES vlan-id 519
    set vlans DC-D-SERVICES l3-interface irb.519
     
     
    set interfaces irb unit 519 family inet address 10.51.8.3/24 vrrp-group 8 virtual-address 10.51.8.1
    set interfaces irb unit 519 family inet address 10.51.8.3/24 vrrp-group 8 priority 190
    set interfaces irb unit 519 family inet address 10.51.8.3/24 vrrp-group 8 preempt
    set interfaces irb unit 519 family inet address 10.51.8.3/24 vrrp-group 8 accept-data
    show vrrp
    irb.519       up              8   backup   Active      D  3.005 lcl    10.51.8.3
                                                                    vip    10.51.8.1
                                                                    mas    10.51.8.2
    -------------------------------------------------------------
    The switches are connected by 2 physical links aggregated with LACP.
    My problem: the VIP 10.51.8.1 isn't reachable from the same network, 10.51.8.0/24. I tried to ping it from a host within this network and from the backup switch:

    IF-SW-DC-02> ping 10.51.8.1 source 10.51.8.3
    PING 10.51.8.1 (10.51.8.1): 56 data bytes
    .....
    From other networks I can reach 10.51.8.1, 10.51.8.2 and 10.51.8.3. If I set address 10.51.8.2 as the gateway on the test host, I can reach it too.
    Help me to resolve the issue, please.
     


    ------------------------------
    DMYTRO OSTAPENKO
    ------------------------------


  • 2.  RE: VRRP between 2 QFX. Couldn't reach VIP from the same network.

    Posted 4 days ago

    Hi Dmytro, 


    In my experience VRRP did not come up because of missing rules in the ACL for the RE (CoPP: lo0.0 family inet filter input PROTECT-RE). I just added a multicast permit:

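    policy-options {
        ...
        prefix-list LOCALS-v4 {
            /* expands to every address configured under family inet */
            apply-path "interfaces <*> unit <*> family inet address <*>";
        }
        ...
        /* multicast group that VRRP advertisements are sent to */
        prefix-list PL-VRRP {
            224.0.0.18/32;
        }
    }

    firewall {
        family inet {
            filter PROTECT-RE {
                apply-flags omit;
                interface-specific;
                ...
                }
                /* accept VRRP (and AH) from local subnets to the VRRP group */
                term VRRP-PERMIT {
                    from {
                        source-prefix-list {
                            LOCALS-v4;
                        }
                        destination-prefix-list {
                            PL-VRRP;
                        }
                        protocol [ vrrp ah ];
                    }
                    then {
                        count vrrp-permit;
                        accept;
                    }
                }
                /* everything not accepted above is counted, logged and dropped */
                term DEFAULT {
                    then {
                        count default-deny;
                        log;
                        discard;
                    }
                }
            }
        }
    }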



    ------------------------------
    Yev
    ------------------------------
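
How the VRRP-PERMIT term in the post above changes what a PROTECT-RE style filter does with a VRRP advertisement, as an added Python example (not code from the thread or from Juniper). It models only first-match term evaluation; the contents of LOCALS-v4 and the sample packets are constructed from the addresses in the thread.

```python
import ipaddress

# Constructed model of the filter fragment above. LOCALS-v4 is assumed to
# expand (via apply-path) to the irb.519 address shown in the thread.
PREFIX_LISTS = {
    "LOCALS-v4": ["10.51.8.2/24"],
    "PL-VRRP": ["224.0.0.18/32"],
}
PROTO = {"vrrp": 112, "ah": 51, "icmp": 1}  # IANA IP protocol numbers

VRRP_PERMIT = {"name": "VRRP-PERMIT", "src": "LOCALS-v4", "dst": "PL-VRRP",
               "protocols": ["vrrp", "ah"], "action": "accept"}
DEFAULT = {"name": "DEFAULT", "action": "discard"}


def in_list(addr, list_name):
    """True if addr falls inside any prefix of the named prefix list."""
    ip = ipaddress.ip_address(addr)
    # strict=False: an entry such as 10.51.8.2/24 is treated as 10.51.8.0/24
    # (assumption about how the apply-path entry matches).
    return any(ip in ipaddress.ip_network(p, strict=False)
               for p in PREFIX_LISTS[list_name])


def evaluate(terms, src, dst, proto):
    """First-match evaluation: return (term name, action) for one packet."""
    for t in terms:
        if "src" in t and not in_list(src, t["src"]):
            continue
        if "dst" in t and not in_list(dst, t["dst"]):
            continue
        if "protocols" in t and proto not in [PROTO[p] for p in t["protocols"]]:
            continue
        return t["name"], t["action"]
    return None, "discard"  # a filter with no matching term discards


# VRRP advertisement from the peer switch to the VRRP multicast group.
ADVERT = ("10.51.8.3", "224.0.0.18", 112)

if __name__ == "__main__":
    print("with VRRP-PERMIT:   ", evaluate([VRRP_PERMIT, DEFAULT], *ADVERT))
    print("without VRRP-PERMIT:", evaluate([DEFAULT], *ADVERT))
    # An advertisement sourced outside the local subnets is still discarded.
    print("foreign source:     ",
          evaluate([VRRP_PERMIT, DEFAULT], "192.0.2.9", "224.0.0.18", 112))
```
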



  • 3.  RE: VRRP between 2 QFX. Couldn't reach VIP from the same network.

    Posted 4 days ago

    I don't use ACL in my switches. And VRRP is up but VIP isn't reachable from VRRP subnetwork.



    ------------------------------
    DMYTRO OSTAPENKO
    ------------------------------



  • 4.  RE: VRRP between 2 QFX. Couldn't reach VIP from the same network.

    Posted 4 days ago

    OK, let's check L2 MAC + ARP (something like show mac/debug ip icmp/etc.):
    Does IF-SW-DC-02 know the 10.51.8.1 MAC?
    Does IF-SW-DC-01 receive the ICMP request from 10.51.8.3 (IF-SW-DC-02)?
    Does IF-SW-DC-01 know the 10.51.8.3 MAC?
    Does IF-SW-DC-01 send the ICMP reply to 10.51.8.3 (IF-SW-DC-02)?
    Does IF-SW-DC-02 receive the ICMP reply from 10.51.8.1?



    ------------------------------
    Yev
    ------------------------------
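
The first check in the list above (does the backup switch hold the expected MAC for the VIP) can be scripted. This added Python example, not part of the original thread, derives the VRRP virtual MAC for group 8 and classifies how 10.51.8.1 resolves in ARP output; the sample tables and their MAC addresses are constructed, and the row layout is assumed to follow `show arp no-resolve`.

```python
import re

ARP_ROW = re.compile(
    r"^\s*((?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)", re.I)


def vrrp_virtual_mac(group_id):
    """IPv4 VRRP virtual MAC is 00:00:5e:00:01:<group id in hex> (RFC 5798)."""
    if not 1 <= group_id <= 255:
        raise ValueError("VRRP group id must be in 1..255")
    return "00:00:5e:00:01:%02x" % group_id


def parse_arp(text):
    """Map IP -> (mac, interface) from ARP table rows; header lines are skipped."""
    table = {}
    for line in text.splitlines():
        m = ARP_ROW.match(line)
        if m:
            table[m.group(2)] = (m.group(1).lower(), m.group(3))
    return table


def check_vip(arp_text, vip, group_id):
    """Classify how the VIP resolves on the device the output came from."""
    entry = parse_arp(arp_text).get(vip)
    if entry is None:
        return "missing"          # no ARP entry: requests are not being answered
    if entry[0] == vrrp_virtual_mac(group_id):
        return "virtual-mac"      # expected: the master answers with the virtual MAC
    return "unexpected-mac"       # some other MAC answers for the VIP; investigate


# Constructed sample outputs (MAC addresses are made up).
ARP_EXPECTED = """\
MAC Address       Address         Interface         Flags
00:00:5e:00:01:08 10.51.8.1       irb.519 [ae0.0]   none
02:00:00:00:00:02 10.51.8.2       irb.519 [ae0.0]   none
"""
ARP_WRONG_MAC = """\
MAC Address       Address         Interface         Flags
02:00:00:00:00:63 10.51.8.1       irb.519 [ae0.0]   none
"""
ARP_NO_VIP = """\
MAC Address       Address         Interface         Flags
02:00:00:00:00:02 10.51.8.2       irb.519 [ae0.0]   none
"""

if __name__ == "__main__":
    for name, text in [("expected", ARP_EXPECTED), ("wrong mac", ARP_WRONG_MAC),
                       ("no vip", ARP_NO_VIP)]:
        print(name, "->", check_vip(text, "10.51.8.1", 8))
```
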



  • 5.  RE: VRRP between 2 QFX. Couldn't reach VIP from the same network.

    Posted 4 days ago
    Edited by Yevgeniy Voloshin 4 days ago

    > but VIP isn't reachable from VRRP subnetwork.

    Is there any way to check the ping from the VRRP subnetwork, from the hosts (10.51.8.4-254/24) and not from a secondary VRRP switch?

    After all, VRRP is primarily for the hosts in 10.51.8.4-254/24 and not for VRRP GWs ;)



    ------------------------------
    Yev
    ------------------------------



  • 6.  RE: VRRP between 2 QFX. Couldn't reach VIP from the same network.

    Posted 4 days ago

    I try to ping VIP from host 10.51.8.21 and it isn't reachable. But I can ping it from other networks.



    ------------------------------
    DMYTRO OSTAPENKO
    ------------------------------



  • 7.  RE: VRRP between 2 QFX. Couldn't reach VIP from the same network.

    Posted 4 days ago
    Edited by Yevgeniy Voloshin 4 days ago

    > I try to ping VIP from host 10.51.8.21 and it isn't reachable.

    And this .21 host is connected to which switch (closer), SW1 (VRRP Master) or SW2?
    Is it possible to ping the host closer to the other switch?

    And what does debug/traceoptions actually show?
    Do ICMP requests reach SW1?
    Is SW1 responding to SW2 and the .21 host?


    By the way, do pings to .2 and .3 (to the real IPs) work,
    both from a neighbouring switch and from the .21 host?

    > But I can ping it from other networks.
    This most likely indicates some kind of restriction in L2/IRB for packets spawned in the same L2.



    ------------------------------
    Yev
    ------------------------------



  • 8.  RE: VRRP between 2 QFX. Couldn't reach VIP from the same network.

    Posted 4 days ago

    Does IF-SW-DC-02 know the 10.51.8.1 MAC? Yes
    Does IF-SW-DC-01 know the 10.51.8.3 MAC? Yes

    > and this .21 host is connected to which switch (closer), SW1 (VRRP Master) or SW2?
    > Is it possible to ping the host closer to the other switch?

    .21 host is a virtual machine and hardware server connected to both - SW1 (VRRP Master) and SW2.

    From this host I can ping the .2 and .3 addresses but couldn't ping .1.

    If I try IF-SW-DC-01> ping 10.51.8.3 source 10.51.8.1, I see the requests and the response on SW2 but don't see the response on SW1.

    If I try IF-SW-DC-02> ping 10.51.8.1 source 10.51.8.3, I see the requests on SW2 but don't see them on SW1.



    ------------------------------
    DMYTRO OSTAPENKO
    ------------------------------



  • 9.  RE: VRRP between 2 QFX. Couldn't reach VIP from the same network.

    Posted 4 days ago

    Do you have, under the vlans section, an l3-interface irb.519 statement for that VLAN?



    ------------------------------
    TEDD
    ------------------------------



  • 10.  RE: VRRP between 2 QFX. Couldn't reach VIP from the same network.

    Posted 3 days ago

    Yes, it's the same on both switches:

    set vlans DC-D-SERVICES vlan-id 519
    set vlans DC-D-SERVICES l3-interface irb.519



    ------------------------------
    DMYTRO OSTAPENKO
    ------------------------------



  • 11.  RE: VRRP between 2 QFX. Couldn't reach VIP from the same network.

    Posted 3 days ago
    hmmmmm.   Maybe that's our problem.  Mismatch of vlan names.  
    Just for the test, rename one of the vlans on your qfx to match the other one.   Since you have disparate names the switch sees that as a different vlan even if the vlan-id is same. Vlan 519 using a name must match across the entire network. 

    Sent on iPhone.  Tedd Steele

    Tedd Steele

    SENIOR NETWORK ENGINEER CCDP, CCNP, JNCIA

    843.767.7022

    703.216.1916

    iflyCHS.com

    YOUR TRAVELS, OUR PLEASURE.

    Facebook

    X

    Instagram






  • 12.  RE: VRRP between 2 QFX. Couldn't reach VIP from the same network.

    Posted 3 days ago
    Not necessarily true for all platforms, I think, but I use the same names on a VLAN ID #. Since you can ping .1 across other different VLANs but not the 519, my guess is the switch has a different name, hence the RE confusion.

    Sent on iPhone.  Tedd Steele







  • 13.  RE: VRRP between 2 QFX. Couldn't reach VIP from the same network.

    Posted 3 days ago

    In our case VLAN names are the same on both switches.



    ------------------------------
    DMYTRO OSTAPENKO
    ------------------------------



  • 14.  RE: VRRP between 2 QFX. Couldn't reach VIP from the same network.

    Posted 3 days ago
    set vlans DC-D-SERVICES vlan-id 519
    set vlans DC-D-SERVICES l3-interface irb.519


    Sorry I was one eyed.   Is the L3 applied in the above text to both ?  Just making sure.  Your text doesn't have it. 

    Sent on iPhone.  Tedd Steele







  • 15.  RE: VRRP between 2 QFX. Couldn't reach VIP from the same network.

    Posted 3 days ago

    Yes, this configuration is identical on both switches.

    set vlans DC-D-SERVICES vlan-id 519
    set vlans DC-D-SERVICES l3-interface irb.519



    ------------------------------
    DMYTRO OSTAPENKO
    ------------------------------



  • 16.  RE: VRRP between 2 QFX. Couldn't reach VIP from the same network.

    Posted 3 days ago

    I think it looks like a bug. I configured the same VRRP settings on an EX4100 pair and it works properly. But in the QFX case we have an LACP aggregated link between the switches (with MC-LAG settings but without configured aggregated ports across switches), and in the EX case there is only one link between the switches.



    ------------------------------
    DMYTRO OSTAPENKO
    ------------------------------



  • 17.  RE: VRRP between 2 QFX. Couldn't reach VIP from the same network.

    Posted 3 days ago
    MC-LAG is probably the issue. With multi-chassis LACP there is an issue. If you have a direct connection between the two, remove MC-LAG and use a standard chassis-to-chassis LACP config.
    Since you would have 3 participating switches in an MC-LAG environment, there is a particular VRRP config as well. That's my understanding of how VRRP is done in a multi-chassis LAG environment. They see each other but not across two separate links vs a direct LAG across two switches. There is some setting to propagate MAC addresses correctly across 3 switches in MC-LAG.

    Sent on iPhone.  Tedd Steele







  • 18.  RE: VRRP between 2 QFX. Couldn't reach VIP from the same network.

    Posted 3 days ago

    I removed the MC-LAG configuration for the test, but the issue with VRRP isn't resolved.



    ------------------------------
    DMYTRO OSTAPENKO
    ------------------------------



  • 19.  RE: VRRP between 2 QFX. Couldn't reach VIP from the same network.

    Posted 3 days ago
    Remove one of the lags if they are not bonded via LACP. 

    Sent on iPhone.  Tedd Steele







  • 20.  RE: VRRP between 2 QFX. Couldn't reach VIP from the same network.

    Posted 3 days ago

    Between switches 2 physical links bonded to LACP ae interface. 



    ------------------------------
    DMYTRO OSTAPENKO
    ------------------------------



  • 21.  RE: VRRP between 2 QFX. Couldn't reach VIP from the same network.

    Posted 3 days ago
    We are assuming your link is like AE0 or AE1 ?  

    Sent on iPhone.  Tedd Steele







  • 22.  RE: VRRP between 2 QFX. Couldn't reach VIP from the same network.

    Posted 3 days ago

    Yes, links configuration on both switches is:

    set interfaces et-0/0/48 ether-options 802.3ad ae0
    set interfaces et-0/0/49 ether-options 802.3ad ae0
    set interfaces ae0 aggregated-ether-options lacp active
    set interfaces ae0 unit 0 family ethernet-switching interface-mode trunk
    set interfaces ae0 unit 0 family ethernet-switching vlan members all



    ------------------------------
    DMYTRO OSTAPENKO
    ------------------------------



  • 23.  RE: VRRP between 2 QFX. Couldn't reach VIP from the same network.

    Posted 3 days ago
    Do a show LACP interfaces 

    Sent on iPhone.  Tedd Steele







  • 24.  RE: VRRP between 2 QFX. Couldn't reach VIP from the same network.

    Posted 3 days ago
    root@IF-SW-DC-01> show lacp interfaces
    Aggregated interface: ae0
        LACP state:       Role   Exp   Def  Dist  Col  Syn  Aggr  Timeout  Activity
          et-0/0/48      Actor    No    No   Yes  Yes  Yes   Yes     Fast    Active
          et-0/0/48    Partner    No    No   Yes  Yes  Yes   Yes     Fast    Active
          et-0/0/49      Actor    No    No   Yes  Yes  Yes   Yes     Fast    Active
          et-0/0/49    Partner    No    No   Yes  Yes  Yes   Yes     Fast    Active
        LACP protocol:        Receive State  Transmit State          Mux State
          et-0/0/48                 Current   Fast periodic Collecting distributing
          et-0/0/49                 Current   Fast periodic Collecting distributing
     
     
    root@IF-SW-DC-02> show lacp interfaces
    Aggregated interface: ae0
        LACP state:       Role   Exp   Def  Dist  Col  Syn  Aggr  Timeout  Activity
          et-0/0/49      Actor    No    No   Yes  Yes  Yes   Yes     Fast    Active
          et-0/0/49    Partner    No    No   Yes  Yes  Yes   Yes     Fast    Active
          et-0/0/48      Actor    No    No   Yes  Yes  Yes   Yes     Fast    Active
          et-0/0/48    Partner    No    No   Yes  Yes  Yes   Yes     Fast    Active
        LACP protocol:        Receive State  Transmit State          Mux State
          et-0/0/49                 Current   Fast periodic Collecting distributing
          et-0/0/48                 Current   Fast periodic Collecting distributing


    ------------------------------
    DMYTRO OSTAPENKO
    ------------------------------



  • 25.  RE: VRRP between 2 QFX. Couldn't reach VIP from the same network.

    Posted 3 days ago

    I'm at a loss here... however, try this. This is what I have on my EX VRRP core switches.

     

    By default, the backup VRRP router drops ARP requests for the VRRP-IP to VRRP-MAC address translation. This means that the backup router does not learn the ARP (IP-to-MAC address) mappings for the hosts sending the requests. 

     

    Passive ARP learning enables the ARP cache in the backup router to hold approximately the same contents as the ARP cache in the primary router, thus preventing the problem of learning ARP entries in a burst. To enable passive ARP learning, include the passive-learning statement at the [edit system arp] hierarchy level:

     

    [edit system arp]
    set passive-learning

     

     

    We recommend setting passive learning on both the backup and primary VRRP routers. Doing so prevents the need to manually intervene when the primary router becomes the backup router. While a router is operating as the primary router, the passive learning configuration has no operational impact. The configuration takes effect only when the router is operating as a backup router.

     

    It would appear your configs are indeed correct.....

     

     

    Tedd Steele


    From: DMYTRO OSTAPENKO via Juniper Networks <Mail@community.juniper.net>
    Sent: Thursday, March 13, 2025 10:33 AM
    To: Tedd Steele <tsteele@iflychs.com>
    Subject: RE: Switching : VRRP between 2 QFX. Couldn't reach VIP from the same network.

     

    root@IF-SW-DC-01> show lacp interfaces Aggregated interface: ae0 LACP state: Role Exp Def Dist Col Syn Aggr Timeout Activity ...