[j-nsp] RE: VRRP packets neither counted nor logged

david.roy at orange-ftgroup.com
Wed Nov 11 14:59:50 EST 2009


Does your VRRP use MD5 authentication? If yes, VRRP uses an AH header, so the IP protocol field is 51. You need to filter on the VRRP multicast destination address 224.0.1.18 and not on the protocol vrrp.

Regards,
David

David Roy
Orange France - RBCI IP Technical Assistance Center
+33(0)299876472
+33(0)685522213
david.roy at orange-ftgroup.com

________________________________

From: juniper-nsp-bounces at puck.nether.net on behalf of Bit Gossip
Date: Wed 11/11/2009 18:55
To: Juniper List
Subject: [j-nsp] VRRP packets neither counted nor logged

Experts, any idea why?

The firewall term VRRP matches packets, because if I change the action to
reject, the VRRP status changes to master because VRRP advertisements from the other
router are not heard anymore.

Nevertheless, matched packets are neither counted nor logged :-(

lab at jr4> show configuration firewall filter LUCA
term VRRP {
    from {
        protocol vrrp;
    }
    then {
        count RT-VRRP;
        log;
        accept;
    }
}
term FXP0-ACCEPT {
    from {
        interface fxp0.0;
    }
    then {
        count FXP0-ACCEPT;
        accept;
    }
}

lab at jr4> show firewall log

lab at jr4> show firewall filter LUCA

Filter: LUCA
Counters:
Name                                                Bytes              Packets
RT-VRRP                                                 0                    0
FXP0-ACCEPT                                         43570                  802

lab at jr4> show vrrp detail
Physical interface: ge-1/3/0, Unit: 1, Vlan-id: 1, Address: 10.15.4.74/26
  Index: 71, SNMP ifIndex: 135, VRRP-Traps: disabled
  Interface state: up, Group: 126, State: backup
  Priority: 100, Advertisement interval: 1, Authentication type: none
  Delay threshold: 100, Computed send rate: 0
  Preempt: yes, Accept-data mode: yes, VIP count: 1, VIP: 10.15.4.126
  Dead timer: 2.833s, Master priority: 100, Master router: 10.15.4.75
  Virtual router uptime: 00:47:44
  Tracking: disabled

lab at jr4> monitor traffic interface ge-1/3/0 no-resolve matching "dst host 224.0.0.18" detail count 1
Address resolution is OFF.
Listening on ge-1/3/0, capture size 1514 bytes

14:47:32.936935  In IP (tos 0xc0, ttl 255, id 0, offset 0, flags [none], proto: VRRP (112), length: 40) 10.15.4.75 > 224.0.0.18: VRRPv2-advertisement 20: vrid=126 prio=100 authtype=none intvl=1 addrs: 10.15.4.126

lab at jr4> show configuration interfaces lo0
unit 0 {
    family inet {
        filter {
            input LUCA;
        }
        address 127.0.0.1/32;
        address 1.1.1.1/32 {
            primary;
            preferred;
        }
    }
    family iso {
        address 49.6666.0000.0000.0000.0000.0001.00;
    }
}

lab at jr4> show configuration interfaces ge-1/3/0
vlan-tagging;
link-mode full-duplex;
gigether-options {
    no-flow-control;
}
unit 1 {
    vlan-id 1;
    family inet {
        no-redirects;
        policer {
            arp ARP-POLICER;
        }
        address 10.15.4.74/26 {
            vrrp-group 126 {
                virtual-address 10.15.4.126;
                advertise-interval 1;
                accept-data;
            }
        }
    }
    family iso;
    family mpls;
}



_______________________________________________
juniper-nsp mailing list juniper-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
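As an added example, not part of the original thread and not Juniper code, the following Python script models the point made in the reply: a Junos "from { protocol vrrp; }" term keys on the outer IP protocol field (112), while a VRRP advertisement carried inside an IP Authentication Header has protocol 51 (AH) with VRRP only as the AH next header, so a term keyed on the destination address 224.0.0.18 (the group seen in the capture) sees both forms. The two sample packets are constructed to mirror the capture in the post (10.15.4.75 to 224.0.0.18, vrid 126, priority 100, interval 1, VIP 10.15.4.126); the AH wrapper uses a zero placeholder ICV rather than a real MAC, and its SPI and sequence values are made up.

```python
"""Model of a 'protocol vrrp' match versus a destination-address match for
VRRPv2 advertisements with and without an IP Authentication Header (AH).
All packets here are constructed samples, not captured traffic."""
import socket
import struct

VRRP_MCAST = "224.0.0.18"   # VRRP all-routers multicast group (as in the capture)
PROTO_AH = 51               # IP Authentication Header
PROTO_VRRP = 112            # VRRP


def inet_checksum(data):
    """Standard one's-complement Internet checksum (used by IPv4 and VRRPv2)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_vrrpv2_adv(vrid, prio, intvl, addrs, auth_type=0):
    """VRRPv2 advertisement: 8-byte fixed header, N IPv4 addresses, 8 bytes auth data."""
    body = struct.pack("!BBBBBBH", 0x21, vrid, prio, len(addrs), auth_type, intvl, 0)
    body += b"".join(socket.inet_aton(a) for a in addrs)
    body += b"\x00" * 8  # authentication data field (zeros when auth type is none)
    return body[:6] + struct.pack("!H", inet_checksum(body)) + body[8:]


def wrap_in_ah(inner_proto, payload, spi=0x100, seq=1):
    """Prepend an AH header: next header, payload length (32-bit words minus 2),
    reserved, SPI, sequence, then a 12-byte placeholder ICV (constructed, not a real MAC)."""
    icv = b"\x00" * 12
    ah_len = (12 + len(icv)) // 4 - 2
    return struct.pack("!BBHII", inner_proto, ah_len, 0, spi, seq) + icv + payload


def build_ipv4(proto, src, dst, payload, tos=0xC0, ttl=255):
    """Minimal IPv4 header (no options) with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + len(payload), 0, 0, ttl,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:] + payload


def parse_vrrpv2(body):
    ver_type, vrid, prio, count, auth_type, intvl, _ = struct.unpack("!BBBBBBH", body[:8])
    addrs = [socket.inet_ntoa(body[8 + 4 * i:12 + 4 * i]) for i in range(count)]
    return {"version": ver_type >> 4, "type": ver_type & 0xF, "vrid": vrid,
            "priority": prio, "auth_type": auth_type, "interval": intvl,
            "addrs": addrs, "checksum_ok": inet_checksum(body) == 0}


def parse_packet(pkt):
    """Decode the outer IPv4 header and, for protocol 112 or AH with next header 112,
    the VRRP advertisement inside."""
    ihl = (pkt[0] & 0x0F) * 4
    info = {"proto": pkt[9], "src": socket.inet_ntoa(pkt[12:16]),
            "dst": socket.inet_ntoa(pkt[16:20]), "next_header": None, "vrrp": None}
    payload = pkt[ihl:]
    if info["proto"] == PROTO_VRRP:
        info["vrrp"] = parse_vrrpv2(payload)
    elif info["proto"] == PROTO_AH:
        info["next_header"] = payload[0]
        ah_len = (payload[1] + 2) * 4
        if info["next_header"] == PROTO_VRRP:
            info["vrrp"] = parse_vrrpv2(payload[ah_len:])
    return info


def term_protocol_vrrp(info):
    """What a 'from { protocol vrrp; }' term keys on: outer IP protocol == 112."""
    return info["proto"] == PROTO_VRRP


def term_dst_vrrp_mcast(info):
    """The alternative from the reply: key on the VRRP multicast destination."""
    return info["dst"] == VRRP_MCAST


# Constructed sample packets mirroring the capture in the thread.
ADV = build_vrrpv2_adv(vrid=126, prio=100, intvl=1, addrs=["10.15.4.126"])
PLAIN_ADV = build_ipv4(PROTO_VRRP, "10.15.4.75", VRRP_MCAST, ADV)
AH_ADV = build_ipv4(PROTO_AH, "10.15.4.75", VRRP_MCAST, wrap_in_ah(PROTO_VRRP, ADV))


def compare_terms():
    """For each sample packet, report which of the two match strategies would hit."""
    return {name: {"protocol_vrrp": term_protocol_vrrp(parse_packet(p)),
                   "dst_224.0.0.18": term_dst_vrrp_mcast(parse_packet(p))}
            for name, p in (("plain", PLAIN_ADV), ("ah", AH_ADV))}


if __name__ == "__main__":
    for name, p in (("plain", PLAIN_ADV), ("ah", AH_ADV)):
        print(name, len(p), "bytes", parse_packet(p))
    print(compare_terms())
```

The plain sample comes out at 40 bytes on the wire with a 20-byte VRRP body, the same sizes the capture in the post reports, and only the destination-keyed check hits both the plain and the AH-wrapped advertisement. Note that the poster's own "show vrrp detail" output shows authentication type none, so in that particular case the advertisements are plain protocol 112, which is the case the AH explanation does not cover.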
