Mailing List Archive

VRRP for IPv6
I'm trying to add VRRP for IPv6 to a pair of MX150s (that are already
running VRRP for IPv4). I've switched from VRRPv2 to VRRPv3, and the v4
VRRP switched over, but both routers think they are master for the v6
side. Looking at "show vrrp interface" on each router, the
"Advertisement sent" count is increasing, but if I do a "monitor
traffic", I only see the VRRP packets for the v4 IP.

Config I've set (from first router, second just has a different address
and priority):

interfaces {
ae1 {
unit 101 {
vlan-id 101;
family inet6 {
address <block>::2/64 {
vrrp-inet6-group 26 {
virtual-inet6-address <block>::1;
priority 110;
no-preempt;
accept-data;
}
}
}
}
}
}
protocols {
router-advertisement {
interface ae1.101 {
virtual-router-only;
}
}
vrrp {
version-3;
}
}

--
Chris Adams <cma@cmadams.net>
_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: VRRP for IPv6 [ In reply to ]
Hello Chris,

do you have a loopback filter applied that could drop the packets?

kind regards
Rolf

On 25/01/2022 20:51, Chris Adams via juniper-nsp wrote:
> I'm trying to add VRRP for IPv6 to a pair of MX150s (that are already
> running VRRP for IPv4). I've switched from VRRPv2 to VRRPv3, and the v4
> VRRP switched over, but both routers think they are master for the v6
> side. Looking at "show vrrp interface" on each router, the
> "Advertisement sent" count is increasing, but if I do a "monitor
> traffic", I only see the VRRP packets for the v4 IP.
>
> Config I've set (from first router, second just has a different address
> and priority):
>
> interfaces {
> ae1 {
> unit 101 {
> vlan-id 101;
> family inet6 {
> address <block>::2/64 {
> vrrp-inet6-group 26 {
> virtual-inet6-address <block>::1;
> priority 110;
> no-preempt;
> accept-data;
> }
> }
> }
> }
> }
> }
> protocols {
> router-advertisement {
> interface ae1.101 {
> virtual-router-only;
> }
> }
> vrrp {
> version-3;
> }
> }
>
_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: VRRP for IPv6 [ In reply to ]
Looks like you are missing "virtual-link-local-address".

-Jonas

Am 2022-01-25 20:51, schrieb Chris Adams via juniper-nsp:
> I'm trying to add VRRP for IPv6 to a pair of MX150s (that are already
> running VRRP for IPv4). I've switched from VRRPv2 to VRRPv3, and the
> v4
> VRRP switched over, but both routers think they are master for the v6
> side. Looking at "show vrrp interface" on each router, the
> "Advertisement sent" count is increasing, but if I do a "monitor
> traffic", I only see the VRRP packets for the v4 IP.
>
> Config I've set (from first router, second just has a different address
> and priority):
>
> interfaces {
> ae1 {
> unit 101 {
> vlan-id 101;
> family inet6 {
> address <block>::2/64 {
> vrrp-inet6-group 26 {
> virtual-inet6-address <block>::1;
> priority 110;
> no-preempt;
> accept-data;
> }
> }
> }
> }
> }
> }
> protocols {
> router-advertisement {
> interface ae1.101 {
> virtual-router-only;
> }
> }
> vrrp {
> version-3;
> }
> }
_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: VRRP for IPv6 [ In reply to ]
Echoing Rolf’s comment. The lack of a permit statement in a loopback filter is often the most common “bug” people find in routing protocol configurations.

-C

> On Jan 25, 2022, at 12:41 PM, Rolf Hanßen via juniper-nsp <juniper-nsp@puck.nether.net> wrote:
>
> Hello Chris,
>
> do you have a loopback filter applied that could drop the packets?
>
> kind regards
> Rolf
>
> On 25/01/2022 20:51, Chris Adams via juniper-nsp wrote:
>> I'm trying to add VRRP for IPv6 to a pair of MX150s (that are already
>> running VRRP for IPv4). I've switched from VRRPv2 to VRRPv3, and the v4
>> VRRP switched over, but both routers think they are master for the v6
>> side. Looking at "show vrrp interface" on each router, the
>> "Advertisement sent" count is increasing, but if I do a "monitor
>> traffic", I only see the VRRP packets for the v4 IP.
>> Config I've set (from first router, second just has a different address
>> and priority):
>> interfaces {
>> ae1 {
>> unit 101 {
>> vlan-id 101;
>> family inet6 {
>> address <block>::2/64 {
>> vrrp-inet6-group 26 {
>> virtual-inet6-address <block>::1;
>> priority 110;
>> no-preempt;
>> accept-data;
>> }
>> }
>> }
>> }
>> }
>> }
>> protocols {
>> router-advertisement {
>> interface ae1.101 {
>> virtual-router-only;
>> }
>> }
>> vrrp {
>> version-3;
>> }
>> }
> _______________________________________________
> juniper-nsp mailing list juniper-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp

_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: VRRP for IPv6 [ In reply to ]
I do have a loopback filter on input, but it should be clear (and took
it off just to double-check - no change). Even if it had been that, it
wouldn't have prevented the outbound packets that I'm not seeing.

Once upon a time, Rolf Han?en via juniper-nsp <juniper-nsp@puck.nether.net> said:
> Hello Chris,
>
> do you have a loopback filter applied that could drop the packets?
>
> kind regards
> Rolf
>
> On 25/01/2022 20:51, Chris Adams via juniper-nsp wrote:
> >I'm trying to add VRRP for IPv6 to a pair of MX150s (that are already
> >running VRRP for IPv4). I've switched from VRRPv2 to VRRPv3, and the v4
> >VRRP switched over, but both routers think they are master for the v6
> >side. Looking at "show vrrp interface" on each router, the
> >"Advertisement sent" count is increasing, but if I do a "monitor
> >traffic", I only see the VRRP packets for the v4 IP.
> >
> >Config I've set (from first router, second just has a different address
> >and priority):
> >
> >interfaces {
> > ae1 {
> > unit 101 {
> > vlan-id 101;
> > family inet6 {
> > address <block>::2/64 {
> > vrrp-inet6-group 26 {
> > virtual-inet6-address <block>::1;
> > priority 110;
> > no-preempt;
> > accept-data;
> > }
> > }
> > }
> > }
> > }
> >}
> >protocols {
> > router-advertisement {
> > interface ae1.101 {
> > virtual-router-only;
> > }
> > }
> > vrrp {
> > version-3;
> > }
> >}
> >
> _______________________________________________
> juniper-nsp mailing list juniper-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp

--
Chris Adams <cma@cmadams.net>
_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: VRRP for IPv6 [ In reply to ]
I wasn't planning to use a virtual link-local address, so I didn't put
one. The JUNOS VRRP for v6 example doesn't include one, although then
the JUNOS documentation for virtual-link-local-address is oddly
confusing:

https://www.juniper.net/documentation/us/en/software/junos/high-availability/topics/ref/statement/virtual-link-local-address-edit-interfaces.html

Configure a virtual link-local address for a Virtual Router
Redundancy Protocol (VRRP) IPv6 group. You must explicitly define a
virtual link-local address for each VRRP for IPv6 group. The virtual
link-local address must be in the same subnet as the physical
interface address.

NOTE: You do not need to configure link-local addresses and virtual
link-local addresses when configuring VRRP for IPv6. Junos OS
automatically generates link-local addresses and virtual link-local
addresses. However, if link local addresses and virtual link-local
addresses are configured, Junos OS considers the configured
addresses.

So the first paragraph says you must set it, while the second says you
don't have to.

Once upon a time, Jonas Frey <jf@probe-networks.de> said:
> Looks like you are missing "virtual-link-local-address".
>
> -Jonas
>
> Am 2022-01-25 20:51, schrieb Chris Adams via juniper-nsp:
> >I'm trying to add VRRP for IPv6 to a pair of MX150s (that are already
> >running VRRP for IPv4). I've switched from VRRPv2 to VRRPv3, and
> >the v4
> >VRRP switched over, but both routers think they are master for the v6
> >side. Looking at "show vrrp interface" on each router, the
> >"Advertisement sent" count is increasing, but if I do a "monitor
> >traffic", I only see the VRRP packets for the v4 IP.
> >
> >Config I've set (from first router, second just has a different address
> >and priority):
> >
> >interfaces {
> > ae1 {
> > unit 101 {
> > vlan-id 101;
> > family inet6 {
> > address <block>::2/64 {
> > vrrp-inet6-group 26 {
> > virtual-inet6-address <block>::1;
> > priority 110;
> > no-preempt;
> > accept-data;
> > }
> > }
> > }
> > }
> > }
> >}
> >protocols {
> > router-advertisement {
> > interface ae1.101 {
> > virtual-router-only;
> > }
> > }
> > vrrp {
> > version-3;
> > }
> >}
> _______________________________________________
> juniper-nsp mailing list juniper-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp

--
Chris Adams <cma@cmadams.net>
_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: VRRP for IPv6 [ In reply to ]
Once upon a time, Chris Adams <cma@cmadams.net> said:
> I'm trying to add VRRP for IPv6 to a pair of MX150s (that are already
> running VRRP for IPv4). I've switched from VRRPv2 to VRRPv3, and the v4
> VRRP switched over, but both routers think they are master for the v6
> side. Looking at "show vrrp interface" on each router, the
> "Advertisement sent" count is increasing, but if I do a "monitor
> traffic", I only see the VRRP packets for the v4 IP.

So, based on an off-list reply, I did find why I didn't see the packets
with "monitor traffic"... "matching vrrp" only matches IPv4 VRRP.
Ooops, didn't realize that - took that off and I see the IPv6 VRRP
packets going out now.

Still don't see any incoming v6 VRRP from the other router. I also
checked on a host on the VLAN and only see the v4 VRRP, not the v6.
--
Chris Adams <cma@cmadams.net>
_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: VRRP for IPv6 [ In reply to ]
On 2022-01-25 22:53, Chris Adams via juniper-nsp wrote:

> I wasn't planning to use a virtual link-local address, so I didn't put
> one. The JUNOS VRRP for v6 example doesn't include one, although then
> the JUNOS documentation for virtual-link-local-address is oddly
> confusing:

For IPv6, the VRRP protocol requires that the link-local address is
virtual; it *must* be present in the list of virtual addresses a VRRP
node announces.

But Junos does indeed generate one automatically for you; you don't
need to add a virtual-link-local-address stanza. And the link-local
address should show up when you run 'show vrrp':

bellman@Bluegrass2> show vrrp
Interface State Group VR state VR Mode Timer Type Address
irb.214 up 1 master Active A 0.461 lcl 2001:6b0:17:180::3
vip fe80::200:5eff:fe00:201
vip 2001:6b0:17:180::1


(Unfortunately I don't have any immediate ideas of why VRRP for IPv6
doesn't work for you, or why you don't see the outgoing packets using
'monitor traffic'. When I test on a couple of QFX:es and EX4600:s, I
can see both outgoing and incoming VRRP packets.)


/Bellman
Re: VRRP for IPv6 [ In reply to ]
Hi,


On 26.01.22 00:19, Chris Adams via juniper-nsp wrote:
> Still don't see any incoming v6 VRRP from the other router. I also
> checked on a host on the VLAN and only see the v4 VRRP, not the v6.


You may have hit the following PR. PR1449014 ([vMX] Different MAC
address used for IPv6 in VRRP[3].
MX150 is based on vMX plus x86 & BRCDM, so this PR should also be
relevant for MX150.
The actual problem was already solved with PR1351981,
unfortunately only for IPv4 VRRP MAC addresses.

.peter
_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp