For one of the many projects that I’ve been assigned at work, I got the chance to join the InfoSec Team and help design and configure their second site for their expanding network. Of course, any network engineer always wants to design and provision a network they can call their own! So we were put on a plane and sent off to sunny Glasgow, with a plan of attack and 4 days to get this first phase done.
To say it was a busy few days would be the understatement of the year: long days and nights on the data floor stacking, racking, patching and configuring. We had a hard deadline to get everything configured and remotely accessible, so making sure the network was sorted was key! But one good thing was that the data floor was in one of our office buildings and it had a window! Inserts shameless Instagram plug!
For those who haven’t worked in a dedicated datacentre, you wouldn’t understand how great natural light and a view can be after 10 hours of work, haha.
In the end, phase one was completed on time (just), with everything working as expected. Inserts another shameless instagram plug
Missing from that post above was a Cisco 3750X that was used for vendor redundancy as part of the network. The guys had an HP c7000 Blade Chassis with 2 HP Virtual Connects Chassis Switches which needed to be connected to the edge switches, a Juniper EX4300 and the Cisco. This meant that I would have to span a VLAN across two switches and share a default gateway between them. With this being the case, I had to use a First-hop Redundancy Protocol (FHRP), and as I was using a multiple-vendor topology, the FHRP of choice would have to be VRRP (Virtual Router Redundancy Protocol).
VRRP is best defined in RFC3768:
The Virtual Router Redundancy Protocol (VRRP) is designed to eliminate the single point of failure inherent in the static default routed environment. VRRP specifies an election protocol that dynamically assigns responsibility for a virtual router to one of the VRRP routers on a LAN. The VRRP router controlling the IP address(es) associated with a virtual router is called the Master, and forwards packets sent to these IP addresses. The election process provides dynamic fail-over in the forwarding responsibility should the Master become unavailable.
As VRRP is an open standard, it’s interoperable between both Cisco and Juniper devices. If I were just using Cisco devices, I would have had a choice between VRRP and HSRP (Hot Standby Router Protocol). HSRP works similarly to VRRP, but it’s a Cisco proprietary protocol, which means it’s only compatible between Cisco devices. You can see more detail on HSRP in RFC2281.
Due to the upstream routing requirements and the EX4300 being the higher-specced switch, it was decided that the EX4300 was going to be the Master. The topology I was working with is shown below.

With that all explained, let’s get cracking.
Juniper Configuration
Physical Interface Configuration
    xe-0/2/3 {
        description "TRUNK to Edge Cisco";
        enable;
        unit 0 {
            family ethernet-switching {
                interface-mode trunk;
                vlan {
                    members reith;
                }
            }
        }
    }
Integrated Routing & Bridging Configuration
    irb {
        enable;
        unit 100 {
            enable;
            family inet {
                address 10.199.6.1/23 {
                    vrrp-group 1 {
                        virtual-address 10.199.7.254;
                        priority 150;
                        no-preempt;
                        accept-data;
                    }
                }
            }
        }
    }
Vlan Configuration
    vlans {
        reith {
            vlan-id 100;
            l3-interface irb.100;
        }
    }
Note
With the irb configuration, under the vrrp-group stanza, I had to add the command accept-data. Adding this command enables the master router to accept all packets destined for the Virtual IP (VIP) address. If this isn’t enabled when the EX4300 is set as or becomes master, it will not respond to any packets sent to the VIP address!
Cisco Configuration
Physical Interface t1/1/2
    egde-cisco#show run int t1/1/2
    Building configuration...
    Current configuration : 137 bytes
    !
    interface TenGigabitEthernet1/1/2
     description "TRUNK to Edge Juniper"
     switchport trunk encapsulation dot1q
     switchport trunk allowed vlan 100
     switchport mode trunk
    end
Routed VLAN Interface
    egde-cisco#show run int vlan100
    Building configuration...
    Current configuration : 176 bytes
    !
    interface Vlan100
     ip address 10.199.6.2 255.255.254.0
     vrrp 1 description "TRUNK to Edge Juniper"
     vrrp 1 ip 10.199.7.254
     no vrrp 1 preempt
     vrrp 1 priority 145
    end
Juniper Verification
Depending on the level of detail you want to go into, you can run any of these commands: show vrrp summary, show vrrp detail or show vrrp extensive. I mostly use show vrrp summary or show vrrp detail, as I’ve found (most of the time) that you get what you need from either, unless you’ve had a big issue and extensive detail is needed!
Show VRRP Summary
    [email protected]> show vrrp summary
    Interface     State       Group   VR state   VR Mode   Type   Address
    irb.100       up              1   master     Active    lcl    10.199.6.1
                                                           vip    10.199.7.254
Show VRRP Detail
    [email protected]> show vrrp detail
    Physical interface: irb, Unit: 100, Address: 10.199.6.1/23
      Index: 547, SNMP ifIndex: 567, VRRP-Traps: disabled, VRRP-Version: 2
      Interface state: up, Group: 1, State: master, VRRP Mode: Active
      Priority: 150, Advertisement interval: 1, Authentication type: none
      Advertisement threshold: 3, Computed send rate: 0
      Preempt: no, Accept-data mode: yes, VIP count: 1, VIP: 10.199.7.254
      Advertisement Timer: 0.064s, Master router: 10.199.6.1
      Virtual router uptime: 19:40:12, Master router uptime: 19:40:04
      Virtual Mac: 00:00:5e:00:01:01
      Tracking: disabled
Cisco Verification
On a Cisco, you can check VRRP status by running the command show vrrp.
    egde-cisco#show vrrp
    Vlan100 - Group 1
    "TRUNK to Edge Juniper"
      State is Backup
      Virtual IP address is 10.199.7.254
      Virtual MAC address is 0000.5e00.0101
      Advertisement interval is 1.000 sec
      Preemption disabled
      Priority is 145
      Master Router is 10.199.6.1, priority is 145
      Master Advertisement interval is 1.000 sec
      Master Down interval is 3.433 sec
And with that we are done! Confirmed VRRP is working as expected! To be honest, before getting started I was a little worried that I’d be running into plenty of issues running cross-vendor, but it was pretty straightforward, which is always good when you’re under the gun.
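The manual comparison of the two verification outputs above can be scripted. This is an added example, not part of the original post: it cross-checks group, VIP, master and the RFC 3768 virtual MAC between the Juniper and Cisco outputs, and reports the accept-data and "Authentication type: none" settings. The function names and regular expressions are hypothetical and written only against the output formats shown on this page.

```python
import re

# Constructed input: trimmed copies of the Juniper and Cisco outputs shown on this page.
JUNIPER = """Interface state: up, Group: 1, State: master, VRRP Mode: Active
Priority: 150, Advertisement interval: 1, Authentication type: none
Preempt: no, Accept-data mode: yes, VIP count: 1, VIP: 10.199.7.254
Advertisement Timer: 0.064s, Master router: 10.199.6.1
Virtual Mac: 00:00:5e:00:01:01"""
CISCO = """Vlan100 - Group 1
State is Backup
Virtual IP address is 10.199.7.254
Virtual MAC address is 0000.5e00.0101
Priority is 145
Master Router is 10.199.6.1, priority is 145"""

# Hypothetical field patterns, written against the output formats above only.
JUNOS_RX = {"group": r"Group: (\d+)", "state": r"Group: \d+, State: (\w+)",
            "auth": r"Authentication type: (\S+)", "accept": r"Accept-data mode: (\w+)",
            "vip": r"VIP: ([\d.]+)", "master": r"Master router: ([\d.]+)",
            "mac": r"Virtual Mac: (\S+)"}
IOS_RX = {"group": r"Group (\d+)", "state": r"State is (\w+)",
          "vip": r"Virtual IP address is ([\d.]+)", "master": r"Master Router is ([\d.]+)",
          "mac": r"Virtual MAC address is (\S+)"}

def fields(text, patterns):
    # One regex per field; a field that is not found becomes an empty string.
    found = {k: re.search(rx, text) for k, rx in patterns.items()}
    return {k: m.group(1).lower() if m else "" for k, m in found.items()}

def audit(junos_text, ios_text):
    j, c = fields(junos_text, JUNOS_RX), fields(ios_text, IOS_RX)
    findings = [f"{k} mismatch: juniper={j[k]} cisco={c[k]}"
                for k in ("group", "vip", "master") if j[k] != c[k]]
    # RFC 3768 fixes the virtual MAC as 00-00-5E-00-01-{VRID}.
    want = "00005e0001%02x" % int(j["group"] or 0)
    for name, d in (("juniper", j), ("cisco", c)):
        if re.sub(r"[.:-]", "", d["mac"]) != want:
            findings.append(f"{name}: virtual MAC does not match group {j['group']}")
    if [j["state"], c["state"]].count("master") != 1:
        findings.append("expected exactly one master")
    if j["state"] == "master" and j["accept"] != "yes":
        findings.append("juniper: master without accept-data, VIP will not answer")
    if j["auth"] == "none":
        findings.append("juniper: VRRP authentication type is none")
    return findings

if __name__ == "__main__":
    print(audit(JUNIPER, CISCO))
```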