In this blog, we will look at VRRP (Virtual Router Redundancy Protocol), and specifically VRRPv6 which, as you must have guessed, works for the IPv6 protocol.
VRRP is the standardized redundancy protocol, in contrast to Cisco's proprietary HSRP; both provide a redundant default gateway address for EU clients or devices. The VRRP routers share the IP address corresponding to the default gateway configured on the hosts. At any time, one of the VRRP routers is the master (active) and the others are backups. If the master fails, one of the backup routers becomes the new master router, thus always providing a virtual default router and allowing traffic on the LAN to be routed without relying on a single router.
We will look at 2 scenarios in this blog:
1) VRRPv6 configs and what additional things we need to take care of
2) VRRP tracking
This can become a lengthy blog, so please bear with me till the end 🙂
The topology below will be used for these scenarios, where we have 2 Juniper EX4550 switches connected to Juniper MX104 CE (Junos 13.3). Even though 2 MX104 CEs are shown, we will be using 2 logical systems inside one MX104 to simulate 2 CEs. Clients are connected behind EX4500 (not shown in picture). MX104 is in turn connected to ISP CEs over eBGP and receives an IPv6 default route from the ISP. A fairly straightforward setup, as you can see.
Below is the VRRPv6 configuration on both logical systems. We configure a higher VRRP priority on CE1 so that it becomes Master and holds the virtual MAC address; the router replies with this MAC address when an ARP request (or, specifically, a neighbour solicitation message in the case of IPv6) comes from a client that wants to send a packet to the virtual gateway address. The virtual MAC address is always in the format 00:00:5e:00:02:XX, where XX is the virtual router ID or group ID configured under the VRRP configuration.

    re1.MX104_CE1> show configuration logical-systems LS2-CLMB
    interfaces {
        xe-2/0/3 {
            unit 601 {
                vlan-id 601;
                family inet6 {
                    address 2001:db9::3/64 {
                        vrrp-inet6-group 201 {
                            virtual-inet6-address 2001:db9::1;
                            virtual-link-local-address fe80:db9::1;
                            priority 200;
                            accept-data;
                        }
                    }
                    address fe80:db9::3/64;
                }
            }
        }
    }
    protocols {
        router-advertisement {
            interface xe-2/0/3.601 {
                max-advertisement-interval 4;
                virtual-router-only;
                prefix fc80::/64;
            }
        }
    }

    re1.MX104_CE2> show configuration logical-systems LS2-Tower
    interfaces {
        xe-2/0/1 {
            unit 601 {
                vlan-id 601;
                family inet6 {
                    address 2001:db9::2/64 {
                        vrrp-inet6-group 201 {
                            virtual-inet6-address 2001:db9::1;
                            virtual-link-local-address fe80:db9::1;
                            priority 100;
                            accept-data;
                        }
                    }
                    address fe80:db9::2/64;
                }
            }
        }
    }
    protocols {
        router-advertisement {
            interface xe-2/0/1.601 {
                max-advertisement-interval 4;
                virtual-router-only;
                prefix fc80::/64;
            }
        }
    }

VRRPv6 configuration is very similar to VRRP, with some understandable differences in syntax; however, there are 3 additional commands in the configuration above that we need to know. The first of them is virtual-link-local-address, which according to Juniper must be explicitly defined in VRRP for IPv6, as this field is used as the source IPv6 address when sending packets from this router. The 2nd requirement is that the link-local address and the virtual-link-local-address must share a netmask, otherwise Junos won't allow us to commit; this is why I have configured the address fe80:db9::2/64.
The 3rd requirement, which is a very interesting one, is the use of the virtual-router-only command under router-advertisement. The master VRRP for an IPv6 router must respond to a router solicitation message with the virtual IP address of the router. However, when the interface statement is included at the [edit protocols router-advertisement] hierarchy level, the backup VRRP for an IPv6 router might send a response before the VRRP master responds, so that the default route of the client is not set to the master VRRP router's virtual IP address. To avoid this situation, we need to include the virtual-router-only statement at the [edit protocols router-advertisement interface interface-name] hierarchy level. When this statement is included, router advertisements are sent only for VRRP IPv6 groups configured on the interface.
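The three requirements above can be checked before a commit. The following audit is an added example, not part of the original post or Juniper tooling: `parse` and `audit` are hypothetical helper names, and the sample is CE1's configuration from this page, trimmed and constructed for the demo.

```python
import ipaddress
import re

# Constructed sample: CE1's configuration from this page, trimmed to the relevant statements.
SAMPLE = """
interfaces { xe-2/0/3 { unit 601 { vlan-id 601; family inet6 {
  address 2001:db9::3/64 { vrrp-inet6-group 201 { virtual-inet6-address 2001:db9::1;
    virtual-link-local-address fe80:db9::1; priority 200; accept-data; } }
  address fe80:db9::3/64; } } } }
protocols { router-advertisement { interface xe-2/0/3.601 { virtual-router-only; } } }
"""

def parse(text):
    """Parse brace-style Junos config into nested dicts (leaf statements map to None)."""
    stack = [{}]
    for body, delim in re.findall(r"([^{};]*)([{};])", text):
        key = " ".join(body.split())
        if delim == "{":
            stack.append(stack[-1].setdefault(key, {}))
        elif delim == ";" and key:
            stack[-1][key] = None
        elif delim == "}" and len(stack) > 1:
            stack.pop()
    return stack[0]

def audit(cfg):
    """Return one finding per violated VRRPv6 requirement (empty list = compliant)."""
    findings = []
    ra = (cfg.get("protocols") or {}).get("router-advertisement") or {}
    for ifd, units in (cfg.get("interfaces") or {}).items():
        for unit, ucfg in (units or {}).items():
            if not unit.startswith("unit "):
                continue
            ifl = f"{ifd}.{unit.split()[1]}"          # logical interface, e.g. xe-2/0/3.601
            inet6 = (ucfg or {}).get("family inet6") or {}
            nets = [ipaddress.ip_interface(k.split()[1]).network for k in inet6 if k.startswith("address ")]
            groups = [(g, gcfg or {}) for a in inet6.values() for g, gcfg in (a or {}).items()
                      if g.startswith("vrrp-inet6-group ")]
            for g, gcfg in groups:
                vll = [k.split()[1] for k in gcfg if k.startswith("virtual-link-local-address ")]
                if not vll:
                    findings.append(f"{ifl} {g}: virtual-link-local-address missing")
                elif not any(ipaddress.ip_address(vll[0]) in n for n in nets):
                    findings.append(f"{ifl} {g}: no interface address shares a prefix with {vll[0]}")
                if "virtual-router-only" not in (ra.get(f"interface {ifl}") or {}):
                    findings.append(f"{ifl} {g}: virtual-router-only missing under router-advertisement")
    return findings

print(audit(parse(SAMPLE)) or "no findings")
```
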
So with these configurations, let’s see how our VRRP is working

    re1.MX104_CE1> show vrrp summary logical-system LS2-CLMB
    Interface     State       Group   VR state       VR Mode    Type   Address
    xe-2/0/3.601  up            201   master         Active     lcl    2001:db9::3
                                                                vip    fe80:db9::1
                                                                vip    2001:db9::1

    re1.MX104_CE2> show vrrp summary logical-system LS2-Tower
    Interface     State       Group   VR state       VR Mode    Type   Address
    xe-2/0/1.601  up            201   backup         Active     lcl    2001:db9::2
                                                                vip    fe80:db9::1
                                                                vip    2001:db9::1

So as you can see, VRRP is working fine, with CE1 acting as Master and CE2 acting as Backup.
Let's look at an extract from the extensive version of the command. The main thing to note here is the virtual MAC which, as I mentioned above, is in the format 00:00:5e:00:02:XX; XX in our case is c9, which is the hex value of group ID 201.

    re1.MX104_CE1> show vrrp extensive logical-system LS2-CLMB
    .
    .
      Physical interface: xe-2/0/3, Unit: 601, Vlan-id: 601, Address: 2001:db9::3/64
      Index: 358, SNMP ifIndex: 611, VRRP-Traps: enabled, VRRP-Version: 2
      Interface state: up, Group: 201, State: master, VRRP Mode: Active
      Priority: 200, Advertisement interval: 1, Authentication type: none
      Advertisement threshold: 3, Computed send rate: 0
      Preempt: yes, Accept-data mode: yes, VIP count: 2, VIP: fe80:db9::1, 2001:db9::1
      Advertisement Timer: 0.698s, Master router: fe80:db9::3
      Virtual router uptime: 1d 20:59, Master router uptime: 1d 17:38
      Virtual Mac: 00:00:5e:00:02:c9

    re1.MX104_CE2> show vrrp extensive logical-system LS2-Tower
    .
    .
      Physical interface: xe-2/0/1, Unit: 601, Vlan-id: 601, Address: 2001:db9::2/64
      Index: 354, SNMP ifIndex: 607, VRRP-Traps: enabled, VRRP-Version: 2
      Interface state: up, Group: 201, State: backup, VRRP Mode: Active
      Priority: 100, Advertisement interval: 1, Authentication type: none
      Advertisement threshold: 3, Computed send rate: 0
      Preempt: yes, Accept-data mode: yes, VIP count: 2, VIP: fe80:db9::1, 2001:db9::1
      Dead timer: 3.002s, Master priority: 200, Master router: fe80:db9::3
      Virtual router uptime: 1d 21:01

Now that VRRP is working, we come to the 2nd part of this blog. As per the config, VRRP will protect us against a default gateway failure on the Master router, so that EU clients always have access to remote Internet destinations. Up to this stage everything is fine; however, what will happen if we lose the link to ISP CE-1 from the Master router?
In case of a link failure, VRRP is still active on the Master router and EU clients still have access to the default gateway; however, they are not able to reach their destinations because the link to the ISP is down. In these situations, VRRP tracking comes to the rescue.
The MX104 CE routers have eBGP neighborships with the ISP CEs and in turn receive only an IPv6 default route to reach all destinations in the Internet.

    re1.MX104_CE1> show route logical-system LS2-CLMB receive-protocol bgp 2001:db7:0:8:219:e202:5b5c:805d

    inet6.0: 17 destinations, 17 routes (17 active, 0 holddown, 0 hidden)
      Prefix      Nexthop                              MED     Lclpref    AS path
    * ::/0        2001:db7:0:8:219:e202:5b5c:805d                         2856 I

    re1.MX104_CE2> show route logical-system LS2-Tower receive-protocol bgp 2001:db7:0:4:219:e202:595c:805d

    inet6.0: 13 destinations, 13 routes (13 active, 0 holddown, 0 hidden)
      Prefix      Nexthop                              MED     Lclpref    AS path
    * ::/0        2001:db7:0:4:219:e202:595c:805d                         2856 I

We will add the track statement shown below on CE1 to track this default route under VRRP, so that if the link from the Master router to the ISP fails, the VRRP priority drops by 101. The VRRP priority of the Master router then falls to 99 (200-101) and the backup router takes over the role of Master.

    family inet6 {
        address 2001:db9::3/64 {
            vrrp-inet6-group 201 {
                virtual-inet6-address 2001:db9::1;
                virtual-link-local-address fe80:db9::1;
                priority 200;
                accept-data;
                track {
                    route ::/0 routing-instance default priority-cost 101;
                }
            }
        }
        address fe80:db9::3/64;
    }

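Why the cost is 101 and not 100: under the standard VRRP backup rule (RFC 5798), a preempting backup takes over only when its own priority is strictly higher than the one the master advertises, so a tie leaves the degraded master in place. The model below is an added example, not code from the original post; `Router`, `master_after`, `min_priority_cost` and `simulate` are hypothetical names, and the priorities are the ones configured on this page.

```python
from dataclasses import dataclass, field

@dataclass
class Router:
    name: str
    priority: int                                 # configured VRRP priority
    preempt: bool = True
    tracks: dict = field(default_factory=dict)    # tracked route -> priority-cost
    missing: set = field(default_factory=set)     # tracked routes absent from the table

    def running(self):
        """Configured priority minus the cost of every tracked route that is down."""
        return self.priority - sum(c for r, c in self.tracks.items() if r in self.missing)

def master_after(current, backup):
    """A preempting backup takes over only if its running priority is strictly
    higher than the one the current master advertises; on a tie the master stays."""
    if backup.preempt and backup.running() > current.running():
        return backup
    return current

def min_priority_cost(master_priority, backup_priority):
    """Smallest priority-cost that drops the master strictly below the backup."""
    return master_priority - backup_priority + 1

def simulate(cost):
    """Lose ::/0 on CE1 with this page's priorities (200 vs 100).
    Returns (CE1 running priority, name of the resulting master)."""
    ce1 = Router("CE1", 200, tracks={"::/0": cost}, missing={"::/0"})
    ce2 = Router("CE2", 100)
    return ce1.running(), master_after(ce1, ce2).name

if __name__ == "__main__":
    for cost in (100, 101):
        print(f"priority-cost {cost}: {simulate(cost)}")
```
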
Let's see this in action.
To simulate the failure, we will disable the CE1 outgoing interface towards the ISP.

    [edit]
    re1.MX104_CE1# set logical-systems LS2-CLMB interfaces ge-0/0/6.601 disable

    [edit]
    re1.MX104_CE1# commit
    re1:
    configuration check succeeds
    re0:
    commit complete
    re1:
    commit complete

Now you can see that no default route is being learned from the eBGP neighbour.

    re1.MX104_CE1> show route logical-system LS2-CLMB receive-protocol bgp 2001:db7:0:8:219:e202:5b5c:805d

    inet6.0: 10 destinations, 10 routes (10 active, 0 holddown, 0 hidden)

However, the default route is still available from the other eBGP neighbour, so it is good if mastership is switched over!

    re1.MX104_CE2> show route logical-system LS2-Tower receive-protocol bgp 2001:db7:0:4:219:e202:595c:805d

    inet6.0: 17 destinations, 17 routes (17 active, 0 holddown, 0 hidden)
      Prefix      Nexthop                              MED     Lclpref    AS path
    * ::/0        2001:db7:0:4:219:e202:595c:805d                         2856 I

And as we expected, you can see that the VRRP state has gone to Backup on CE1 and Master on CE2.

    re1.MX104_CE1> show vrrp summary logical-system LS2-CLMB
    Interface     State       Group   VR state       VR Mode    Type   Address
    xe-2/0/3.601  up            201   backup         Active     lcl    2001:db9::3
                                                                vip    fe80:db9::1
                                                                vip    2001:db9::1

    re1.MX104_CE2> show vrrp summary logical-system LS2-Tower
    Interface     State       Group   VR state       VR Mode    Type   Address
    xe-2/0/1.601  up            201   master         Active     lcl    2001:db9::2
                                                                vip    fe80:db9::1
                                                                vip    2001:db9::1

    re1.MX104_CE1> show vrrp track logical-system LS2-CLMB
    Track route   State   Cost   Interface      Group   Cfg   Run   VR State
    ::/0          down     101   xe-2/0/3.601     201   200    99   backup

Let's see the extensive command output as well:

    re1.MX104_CE1> show vrrp extensive logical-system LS2-CLMB
    .
    .
      Physical interface: xe-2/0/3, Unit: 601, Vlan-id: 601, Address: 2001:db9::3/64
      Index: 358, SNMP ifIndex: 611, VRRP-Traps: enabled, VRRP-Version: 2
      Interface state: up, Group: 201, State: backup, VRRP Mode: Active
      Priority: 99, Advertisement interval: 1, Authentication type: none
      Advertisement threshold: 3, Computed send rate: 0
      Preempt: yes, Accept-data mode: yes, VIP count: 2, VIP: fe80:db9::1, 2001:db9::1
      Dead timer: 2.907s, Master priority: 100, Master router: fe80:db9::2
      Virtual router uptime: 2d 03:45
      Tracking: enabled
        Current priority: 99, Configured priority: 200
        Priority hold time: disabled
        Interface tracking: disabled
        Route tracking: enabled, Route count: 1
          Route       VRF name      Route state     Priority cost
          ::/0        default       down            101

    re1.MX104_CE2> show vrrp extensive logical-system LS2-Tower
    .
    .
      Physical interface: xe-2/0/1, Unit: 601, Vlan-id: 601, Address: 2001:db9::2/64
      Index: 354, SNMP ifIndex: 607, VRRP-Traps: enabled, VRRP-Version: 2
      Interface state: up, Group: 201, State: master, VRRP Mode: Active
      Priority: 100, Advertisement interval: 1, Authentication type: none
      Advertisement threshold: 3, Computed send rate: 0
      Preempt: yes, Accept-data mode: yes, VIP count: 2, VIP: fe80:db9::1, 2001:db9::1
      Advertisement Timer: 0.931s, Master router: fe80:db9::2
      Virtual router uptime: 2d 03:45, Master router uptime: 00:01:19
      Virtual Mac: 00:00:5e:00:02:c9

So that’s all in this blog. I hope I was able to clearly define the problem and solution. If you have any comments/feedback on this or any of my previous blogs, do let me know.
Regards
Mohit
Wow .. You have certainly made it clear 😊
Informative and useful