2 Master, 1 Backup in VRRP

  • Question
  • Updated 3 years ago
  • Answered

Hi All,

This is how my VRRP is set up: Core 1 (Master) -> Core 2 (Backup) -> Ring Switch -> Core 3 (should be backup)

When I enable VRRP for the VLANs on Core 3, some of the VLANs will turn into master. Any idea what I should check?


Sorry for the noob questions.


Thank you

Garrick

Garrick Goh

Posted 4 years ago

Stephane Grosjean

Hi,
One wild guess, these vlans are not extended and the vrrp hellos cannot be propagated, so core3 thinks he’s vrrp master.
A more basic reason would, obviously, be a priority misconfiguration.

Garrick Goh

Sorry, I am new. Do you mean the VLAN is not tagged to the uplink port?

I have confirmed that the priority is set to Core 1 (200) -> Core 2 (150) -> Ring Switch -> Core 3 (default, 100)


(Edited)

Sumit Tokle, Alum

Does Core 3 keep changing its VRRP state, or does it remain master all the time?
You could mirror the port on Core 2 which is going towards Core 3 and see whether VRRP hellos are being sent out each second.

Garrick Goh

Sorry, newbie here. I am now going to read up on how to mirror the port traffic on an Extreme switch.

Garrick Goh


I have 3 VLANs that are having issues.

super_vlan (Core 1 - 10.8.26.1, Core 2 - 10.8.26.2, Core 3 - 10.8.26.3, Virtual IP - 10.8.26.8)
For this VLAN, I cannot ping the Core 1 and Core 2 super_vlan IPs or the virtual IP from all 3 cores' virtual interfaces. But the VRRP master and backup are working fine for Core 1 and 2.

printer_vlan (Core 1 - 10.8.32.1, Core 2 - 10.8.32.2, Core 3 - 10.8.32.3, Virtual IP - 10.8.32.8)
For this VLAN, I can ping between the 3 cores' VLAN interfaces. Can I say that if ping can pass through, hello packets should too?

TV_vlan (Core 1 - 10.8.204.1, Core 2 - 10.8.204.2, Core 3 - 10.8.204.3, Virtual IP - 10.8.204.8)
For this VLAN, I can ping between the 3 cores' VLAN interfaces.

MrGuga

So, is VRRP working as intended in printer_vlan and TV_vlan?
Are they all extreme switches? Would you paste the output from the commands below in each switch?
show edp ports all
show super_vlan
show vrrp

Garrick Goh

No. For printer_vlan and TV_vlan, when enabled at Core 3, it will cause 2 masters, at Core 1 and Core 3.

Yes, they are all Extreme switches. I will be pasting the output in my next reply.

(Edited)

Garrick Goh

How the switches are connected. Core1(Master) -> Core 2(Backup)-> Ring Switch -> Core 3 (Should be backup)

Show vrrp command

Core 1

super_vlan    0001 200 10.8.26.8   MSTR  00:00:5e:00:01:01    0  0  0 Y 1
printer_vlan  0001 200 10.8.32.8   MSTR  00:00:5e:00:01:01    0  0  0 Y 1
cctv_vlan     0005 200 10.8.204.8  MSTR  00:00:5e:00:01:05    0  0  0 Y 1

Core 2

super_vlan    0001 150 10.8.26.8   BKUP  00:00:5e:00:01:01    0  0  0 Y 1
printer_vlan  0001 150 10.8.32.8   BKUP  00:00:5e:00:01:01    0  0  0 Y 1
cctv_vlan     0005 150 10.8.204.8  BKUP  00:00:5e:00:01:05    0  0  0 Y 1

Core 3

super_vlan    0001 100 10.8.26.8   INIT  00:00:5e:00:01:01    0  0  0 Y 1
printer_vlan  0001 100 10.8.32.8   INIT  00:00:5e:00:01:01    0  0  0 Y 1
cctv_vlan     0005 100 10.8.204.8  INIT  00:00:5e:00:01:05    0  0  0 Y 1

Show port information detail (There are some vlans that we did not tag over so port info should be better)

Core 2 (Uplink to Core 1)
Name: cctv_vlan, 802.1Q Tag = 204, MAC-limit = No-limit, Virtual router:   VR-Default
Name: super_own, 802.1Q Tag = 26, MAC-limit = No-limit, Virtual router:   VR-Default
Name: printer_vlan, 802.1Q Tag = 32, MAC-limit = No-limit, Virtual router:   VR-Default

Core 1 (Uplink to Core 2)
Name: super_own, 802.1Q Tag = 26, MAC-limit = No-limit, Virtual router:   VR-Default
Name: printer_vlan, 802.1Q Tag = 32, MAC-limit = No-limit, Virtual router:   VR-Default
Name: cctv_vlan, 802.1Q Tag = 204, MAC-limit = No-limit, Virtual router:   VR-Default

Core 1 (Uplink to Ring Switch)
Name: super_own, 802.1Q Tag = 26, MAC-limit = No-limit, Virtual router:   VR-Default
Name: printer_vlan, 802.1Q Tag = 32, MAC-limit = No-limit, Virtual router:   VR-Default
Name: cctv_vlan, 802.1Q Tag = 204, MAC-limit = No-limit, Virtual router:   VR-Default

Ring Switch (Uplink to Core 1)
Name: super_own, 802.1Q Tag = 26, MAC-limit = No-limit, Virtual router:   VR-Default
Name: printer_vlan, 802.1Q Tag = 32, MAC-limit = No-limit, Virtual router:   VR-Default
Name: cctv_vlan, 802.1Q Tag = 204, MAC-limit = No-limit, Virtual router:   VR-Default

Ring Switch (Uplink to Core 3)
Name: super_own, 802.1Q Tag = 26, MAC-limit = No-limit, Virtual router:   VR-Default
Name: printer_vlan, 802.1Q Tag = 32, MAC-limit = No-limit, Virtual router:   VR-Default
Name: cctv_vlan, 802.1Q Tag = 204, MAC-limit = No-limit, Virtual router:   VR-Default

Core 3
Name: super_own, 802.1Q Tag = 26, MAC-limit = No-limit, Virtual router:   VR-Default
Name: printer_vlan, 802.1Q Tag = 32, MAC-limit = No-limit, Virtual router:   VR-Default
Name: cctv_vlan, 802.1Q Tag = 204, MAC-limit = No-limit, Virtual router:   VR-Default

Garrick Goh

I also have an access list for super_vlan

entry super_vlan_To_OtherVlan01 {
    if match all {
        source-address 10.8.26.0/23;
        destination-address 10.8.0.0/16;
    } then {
        deny;
    }
}

Not sure if this will deny the VRRP hello packets. But I created another VLAN to test this ACL, and VRRP is working there.
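
Whether this entry touches VRRP hellos can be checked by evaluating its two match conditions against the addresses listed in this thread. The following is an added example, not part of the original post and not Extreme's code; it models only the source-address/destination-address match and assumes traffic that misses the entry is permitted. IPv4 VRRP advertisements are sent to the multicast group 224.0.0.18.

```python
import ipaddress

# The single policy entry quoted in the post above.
ENTRY = {
    "name": "super_vlan_To_OtherVlan01",
    "source": ipaddress.ip_network("10.8.26.0/23"),
    "destination": ipaddress.ip_network("10.8.0.0/16"),
    "action": "deny",
}

# IPv4 VRRP advertisements go to this multicast group (IP protocol 112).
VRRP_GROUP = "224.0.0.18"


def evaluate(src, dst, entry=ENTRY):
    """Apply 'match all': both conditions must hold for the action to fire.

    Assumption: the policy has no other entries, so anything that does
    not match is permitted.
    """
    src_hit = ipaddress.ip_address(src) in entry["source"]
    dst_hit = ipaddress.ip_address(dst) in entry["destination"]
    return entry["action"] if (src_hit and dst_hit) else "permit"


# Constructed sample flows, built from the addresses given in the thread.
FLOWS = [
    ("Core 1 VRRP hello, super_vlan", "10.8.26.1", VRRP_GROUP),
    ("Core 3 ping Core 1, super_vlan", "10.8.26.3", "10.8.26.1"),
    ("Core 3 ping virtual IP, super_vlan", "10.8.26.3", "10.8.26.8"),
    ("Core 3 ping Core 1, printer_vlan", "10.8.32.3", "10.8.32.1"),
]


def verdicts(flows=FLOWS):
    """Return {description: 'permit' | 'deny'} for each sample flow."""
    return {name: evaluate(src, dst) for name, src, dst in flows}


if __name__ == "__main__":
    for name, verdict in verdicts().items():
        print(f"{verdict:6}  {name}")
```

In this model the hellos are permitted because their destination lies outside 10.8.0.0/16, while unicast between the cores' super_vlan addresses is denied, which is consistent with the ping failure reported for super_vlan.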

MrGuga

Some more tests you could try:

If you run show fdb super_own on Core 3, does it list the MAC addresses of Core 1 and 2?
Repeat for the other VLANs and switches, to check they can see each other in that VLAN.
Can you confirm with show edp ports all that the switches are indeed connected as intended? Might be a stupid check, but in this case could be anything...

Other than that, you could try to mirror the uplink ports to a notebook with Wireshark and see if the switches send/receive VRRP multicasts from one to another:
enable mirroring to port X
where X is where your notebook with Wireshark is
config mirroring add port Y
where Y is your uplink port
If some switch is blocking these multicasts, there might be some bug or defect. I would try a reboot first, though.

Which model and version of EXOS are they running (show switch), is any of them on a stack?

MrGuga

Don't forget to remove the mirrored port from the mirroring before adding another, otherwise you could mirror 2 ports into 1 and that way it will be harder to detect any problem.
config mirroring delete port Y

Garrick Goh

Below are my findings on the FDB table for the 3 VLANs having issues: Super, CCTV, Printer

Core 3 - Able to see Core 1, Core 2
Ring Switch - Able to see Core 1, Core 2 and Core 3 MAC address
Core 2 - Able to see Core 1, Core 3 MAC address
Core 1 - Able to see Core 2, Core 3 MAC address

Tried sh edp port all. Confirmed that all switches are connected.

Core 1. DB-8806 (2 switches inside)
Core 2. DB-8806 (2 switches inside)
Core 3. DB-8806 (2 switches inside)
Ring switch. X460-24p (2 switch stack)
All switches are running on 15.3.1.4

Have not used Wireshark before, let me download and try it.

Mr Guga, appreciate your help so far.

(Edited)

Garrick Goh

Hi all,

One question: if I were to go over to Core 3, change one of the ports to the printer VLAN and Wireshark it, and I can see the printer VLAN's VRRP master IP broadcasting, am I safe to say that VRRP should be working for the printer VLAN?


Thanks in advance.

Garrick Goh

Hi All,

Below are my findings after running Wireshark at Core 3. The affected VLANs are receiving VRRP hellos at 1 min/packet. I understand that this could cause the VRRP backup to turn master.

Does anyone have any idea why this is happening?


Thank you

Garrick
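
Why one hello per minute produces a second master follows from the Backup timer in RFC 5798 (linked further down this thread): a Backup declares the Master down after 3 times the advertisement interval plus a priority-based skew time. The following is an added example, not part of the original post; it assumes the 1-second advertisement interval mentioned in the replies above, and the arrival times are constructed.

```python
def master_down_interval(priority, adver_interval=1.0):
    """RFC 5798 Backup timeout, in seconds.

    Skew_Time = ((256 - Priority) * Master_Adver_Interval) / 256
    Master_Down_Interval = 3 * Master_Adver_Interval + Skew_Time
    """
    skew = (256 - priority) * adver_interval / 256
    return 3 * adver_interval + skew


def takeover_times(arrivals, priority, capture_end, adver_interval=1.0):
    """Times at which a Backup would promote itself to Master.

    arrivals: sorted timestamps (seconds) of hellos seen from the
    higher-priority Master. Every hello restarts the Master_Down_Timer;
    a hello reaching a self-promoted router sends it back to Backup.
    """
    mdi = master_down_interval(priority, adver_interval)
    takeovers = []
    timer_start = arrivals[0]
    for seen in list(arrivals[1:]) + [capture_end]:
        if seen - timer_start > mdi:
            takeovers.append(timer_start + mdi)
        timer_start = seen
    return takeovers


# Constructed captures at Core 3 (priority 100), times in seconds.
HEALTHY = [0, 1, 2, 3, 4, 5]   # one hello per second
DEGRADED = [0, 60, 120]        # one hello per minute, as reported

if __name__ == "__main__":
    print("Core 3 timeout:", master_down_interval(100), "s")
    print("healthy :", takeover_times(HEALTHY, 100, capture_end=6))
    print("degraded:", takeover_times(DEGRADED, 100, capture_end=125))
```

With hellos a minute apart, Core 3 times out about 3.6 s after each one and acts as Master until the next hello arrives, while Core 1 never stops being Master.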

Manish S

What is the maximum number of switches that could be used in VRRP?

Can I use 4 switches... probably make it a 2 pair stack and then run VRRP...

Garrick Goh

Do you mean max number of master?

Bill Stritzinger, Alum

You can only support 2 switches in VRRP, this is one of the reasons you cannot get core 3 to participate.  Please look here for the full explanation and setup information: http://documentation.extremenetworks.com/exos/EXOS_All/VRRP/vrrp.shtml

Bill

Garrick Goh

Hi Bill,


Can I ask which part of your link states that it only supports 2 switches participating in VRRP?


Thanks in advance


Garrick
(Edited)

Bill Stritzinger, Alum

Garrick, 

VRRP is designed and implemented to be used with a master and backup virtual router, or two devices. Here is the IETF description and explanation of VRRP... https://tools.ietf.org/html/rfc5798 - We implement it in XOS for two virtual routers only.

Bill

Mike D, Alum

Hello,

Where routing protocol is concerned, Bill is easily the better informed of the two of us.   I'll gladly take data from the seasoned networker; like mother's milk :)
 
I also see Garrick's point, the spec indicates it's at least possible to have multiple backups: section 8.3.2 has the info leading to this conclusion: (Hoping the format doesn't get in the way)

best,
-mike

8.3.2. Recommendations Regarding Setting Priority Values

A priority value of 255 designates a particular router as the "IPvX address owner".  Care must be taken not to configure more than one router on the link in this way for a single VRID.

   Routers with priority 255 will, as soon as they start up, preempt all
   lower-priority routers.  No more than one router on the link is to be
   configured with priority 255, especially if preemption is set.  If no
   router has this priority, and preemption is disabled, then no
   preemption will occur.

   When there are multiple Backup routers, their priority values should
   be uniformly distributed.  For example, if one Backup router has the
   default priority of 100 and another Backup Router is added, a
   priority of 50 would be a better choice for it than 99 or 100, in
   order to facilitate faster convergence.