VRRP questions.

n0cmonkey
Elite Member, Jun 10, 2001
We have a VRRP setup here, and I've got a question or two about VRRP in general. I'll be reading whatever I can find on this stuff too, so don't think I'm just asking without doing my homework. ;)

The non-master member just sits there and monitors traffic, right? It doesn't forward anything on unless it gets promoted?
 

ScottMac
Moderator, Networking, Elite member, Mar 19, 2001
That is correct. Another router is the "Standby" and the rest wait in line of succession.

Actually, it doesn't really even watch the traffic; it sends and receives "Hellos" to/from the Master. If the "Hellos" stop, the standby steps up and takes the load.

FWIW

Scott
 

spidey07
No Lifer, Aug 4, 2000
Originally posted by: ScottMac
That is correct. Another router is the "Standby" and the rest wait in line of succession.

Actually, it doesn't really even watch the traffic; it sends and receives "Hellos" to/from the Master. If the "Hellos" stop, the standby steps up and takes the load.

FWIW

Scott

Well, the standby does indeed forward traffic (it's still a router) if it is addressed to it (layer 2/3). But traffic shouldn't be addressed to it.

But Scott is correct. It doesn't really monitor traffic. The VRRP routers just elect (or you force the election of) who is master. The master then responds to ARP requests for the virtual MAC. So it really works at layer 2 as to who has the virtual MAC/IP.
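As an added illustration of the election, hello-timeout and virtual-MAC points made in this thread (example code written for this page, not from any poster or vendor): a small model of VRRP master election and failover using the timer and virtual-MAC rules from RFC 3768. The router names, addresses, MACs and priorities are constructed for the example; the VRID and virtual IP are placeholders.

```python
"""Added example (not code from the thread or from any vendor): a minimal
model of VRRP election, Master_Down timeout and ARP ownership, following the
rules in RFC 3768. All router names, addresses and priorities are constructed."""
from dataclasses import dataclass
import ipaddress

ADVERT_INTERVAL = 1.0  # seconds; RFC 3768 default Advertisement_Interval


@dataclass
class Router:
    name: str
    real_ip: str    # the router's own ("real") interface address
    real_mac: str
    priority: int   # 1..254 for backups; 255 means this router owns the virtual IP


def virtual_mac(vrid: int) -> str:
    """RFC 3768 virtual MAC: 00-00-5E-00-01-{VRID}. The master answers ARP for the
    virtual IP with this address, so when the master changes, hosts' ARP caches
    stay valid and no re-ARP is needed."""
    if not 1 <= vrid <= 255:
        raise ValueError("VRID must be 1..255")
    return f"00:00:5e:00:01:{vrid:02x}"


def elect_master(routers):
    """Highest priority wins; on a tie the higher primary IP address wins
    (RFC 3768, section 6.4.2)."""
    return max(routers, key=lambda r: (r.priority, int(ipaddress.ip_address(r.real_ip))))


def master_down_interval(priority: int, advert_interval: float = ADVERT_INTERVAL) -> float:
    """How long a backup waits without hearing a Master advertisement ("hello")
    before it takes over: 3 * Advertisement_Interval + Skew_Time, where
    Skew_Time = (256 - Priority) / 256. A higher-priority backup has a shorter
    timer, so it wins the race when the master goes silent."""
    return 3 * advert_interval + (256 - priority) / 256


def failover(routers, master, last_advert_at: float):
    """Advertisements stop at last_advert_at. Return (new_master, takeover_time):
    the backup whose Master_Down timer expires first; equal timers are resolved
    in favour of the higher primary IP, as in the election rule."""
    backups = [r for r in routers if r is not master]
    winner = min(
        backups,
        key=lambda r: (last_advert_at + master_down_interval(r.priority),
                       -int(ipaddress.ip_address(r.real_ip))),
    )
    return winner, last_advert_at + master_down_interval(winner.priority)


def arp_reply(routers, master, vrid: int, virtual_ip: str, target_ip: str):
    """Which router answers an ARP request for target_ip, and with which MAC.
    Only the master answers for the virtual IP (with the virtual MAC). Every
    router still answers for its own real IP, which is why traffic sent to a
    standby's real address is forwarded by the standby rather than dropped."""
    if target_ip == virtual_ip:
        return master.name, virtual_mac(vrid)
    for r in routers:
        if r.real_ip == target_ip:
            return r.name, r.real_mac
    return None  # nobody on this segment owns that address


# Constructed sample group: one preferred master and two equal-priority backups.
ROUTERS = [
    Router("fw-a", "192.0.2.2", "02:00:00:00:00:0a", priority=200),
    Router("fw-b", "192.0.2.3", "02:00:00:00:00:0b", priority=100),
    Router("fw-c", "192.0.2.4", "02:00:00:00:00:0c", priority=100),
]
VRID, VIRTUAL_IP = 7, "192.0.2.1"  # placeholder values for the example

if __name__ == "__main__":
    master = elect_master(ROUTERS)
    print(f"elected master: {master.name}")
    print("ARP for the virtual IP is answered by:", arp_reply(ROUTERS, master, VRID, VIRTUAL_IP, VIRTUAL_IP))
    print("ARP for fw-b's real IP is answered by:", arp_reply(ROUTERS, master, VRID, VIRTUAL_IP, "192.0.2.3"))
    new_master, t = failover(ROUTERS, master, last_advert_at=10.0)
    print(f"master silent after t=10.0s -> {new_master.name} takes over at t={t:.3f}s")
```

The failover function shows why a standby with equal priority but a lower address never "wins" by itself, and the ARP function shows the point about real addresses: any host or router that is configured with a firewall's real IP instead of the virtual IP will get a valid ARP reply from that box and its traffic will be forwarded there, whether or not it is the master.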
 

n0cmonkey
Elite Member, Jun 10, 2001
Originally posted by: ScottMac
That is correct. Another router is the "Standby" and the rest wait in line of succession.

Actually, it doesn't really even watch the traffic; it sends and receives "Hellos" to/from the Master. If the "Hellos" stop, the standby steps up and takes the load.

FWIW

Scott

Thanks for the reply. You're one of the members I was hoping to hear from. :beer:

If I understand the RFC correctly, it looks like the standby system doesn't send anything, it just receives the hellos.

I'm guessing the VRRP is setup incorrectly here or something, since the standby firewall is PASSING certain traffic, causing all sorts of havoc...
 

n0cmonkey
Elite Member, Jun 10, 2001
Originally posted by: spidey07
Originally posted by: ScottMac
That is correct. Another router is the "Standby" and the rest wait in line of succession.

Actually, it doesn't really even watch the traffic; it sends and receives "Hellos" to/from the Master. If the "Hellos" stop, the standby steps up and takes the load.

FWIW

Scott

Well, the standby does indeed forward traffic (it's still a router) if it is addressed to it (layer 2/3). But traffic shouldn't be addressed to it.

But Scott is correct. It doesn't really monitor traffic. The VRRP routers just elect (or you force the election of) who is master. The master then responds to ARP requests for the virtual MAC. So it really works at layer 2 as to who has the virtual MAC/IP.

Thanks for the reply, you're another one of the members I was hoping would grace me with his wisdom. :beer:

There should be almost no traffic going to these firewalls, and everything passing through them should be passing through the virtual IP...
 

spidey07
No Lifer, Aug 4, 2000
Originally posted by: n0cmonkey
Originally posted by: spidey07
Originally posted by: ScottMac
That is correct. Another router is the "Standby" and the rest wait in line of succession.

Actually, it doesn't really even watch the traffic; it sends and receives "Hellos" to/from the Master. If the "Hellos" stop, the standby steps up and takes the load.

FWIW

Scott

Well, the standby does indeed forward traffic (it's still a router) if it is addressed to it (layer 2/3). But traffic shouldn't be addressed to it.

But Scott is correct. It doesn't really monitor traffic. The VRRP routers just elect (or you force the election of) who is master. The master then responds to ARP requests for the virtual MAC. So it really works at layer 2 as to who has the virtual MAC/IP.

Thanks for the reply, you're another one of the members I was hoping would grace me with his wisdom. :beer:

There should be almost no traffic going to these firewalls, and everything passing through them should be passing through the virtual IP...
unless you have other hosts or routers sending to the "real" IP address of the standby.

I'm not too familiar with VRRP, but it works very similarly to Cisco HSRP.

 

n0cmonkey
Elite Member, Jun 10, 2001
Originally posted by: spidey07
Originally posted by: n0cmonkey
Originally posted by: spidey07
Originally posted by: ScottMac
That is correct. Another router is the "Standby" and the rest wait in line of succession.

Actually, it doesn't really even watch the traffic; it sends and receives "Hellos" to/from the Master. If the "Hellos" stop, the standby steps up and takes the load.

FWIW

Scott

Well, the standby does indeed forward traffic (it's still a router) if it is addressed to it (layer 2/3). But traffic shouldn't be addressed to it.

But Scott is correct. It doesn't really monitor traffic. The VRRP routers just elect (or you force the election of) who is master. The master then responds to ARP requests for the virtual MAC. So it really works at layer 2 as to who has the virtual MAC/IP.

Thanks for the reply, you're another one of the members I was hoping would grace me with his wisdom. :beer:

There should be almost no traffic going to these firewalls, and everything passing through them should be passing through the virtual IP...
unless you have other hosts or routers sending to the "real" IP address of the standby.

I'm not too familiar with VRRP, but it works very similarly to Cisco HSRP.

I think there was only one firewall in this place before, and the "virtual IPs" were the real IPs of the old firewall. So everything should be configured to go to those instead of the "real IPs" of the two firewalls. :confused:

I'm reading up on configuring this stuff, making sure they didn't miss a step or something.
 

ScottMac
Moderator, Networking, Elite member, Mar 19, 2001
It might be an ARP cache problem. Some / Most / All Nortel stuff has no aging on their ARP cache by default. Perhaps other vendors do it too.

If there's something like that on the LAN side, it may still be sending to the old address because that's the MAC that ARP already knows about.

Spidey is (of course) correct, if you send traffic to the "real" IP addresses of the VRRP systems, they will send the traffic along (if they have the routes).

Just power-cycle the whole network ;).

Check the "real" router configs and make sure that proxy ARP is shut down on the real interfaces. You don't want them responding to non-local ARP requests .... that's what the VRRP stuff is supposed to do.

Sounds like this is gonna be a fun one...

I'll scan the books again and see if there's anything significant to check.

Good Luck

Scott
 

n0cmonkey
Elite Member, Jun 10, 2001
I might have figured it out. I'm not sure yet, because I don't want to test it at the moment (CYA and all ;)). I'll find out tomorrow. Basically, it looks like Check Point was set to use OPSEC instead of VRRP. :confused:

Hopefully I'll find out tomorrow. Thanks guys! :beer:
 

n0cmonkey
Elite Member, Jun 10, 2001
OK, I solved the issue. Here's the story:
We replaced an aging firewall with a pair of Check Point firewall appliances using VRRP failover. After the changeover, some traffic was being duplicated. SNMP traps would go in both firewalls, and out both firewalls. This was driving some numbers way up, and causing general chaos in certain departments. The failover was working fine, but something was wrong.

I was there for setting up the boxes, but wasn't brought in for setting up Check Point. The guy that did set up Check Point (my former boss, a good friend) recently left for another job halfway across the country. :p

Well, he did a half-assed job of setting it up. Some configurations were wrong, and others were just incomplete. I spent a few hours tracking down the problem, and maybe an hour fixing it. Pushed the policy today and the problem went away.

Thanks for all the help guys! :beer: