[j-nsp] RE : VRRP packets neither counted nor logged
Bit Gossip
bit.gossip at chello.nl
Thu Nov 12 15:02:13 EST 2009
David,
you are so right! But how is that possible? When I capture the packets
they are really protocol vrrp!!
Thanks,
Bit
term VRRP {
    from {
        source-prefix-list {
            VRRP-PL;
        }
        destination-prefix-list {
            MCAST-RSRVD-PL; ## this contains 224.0.0.18
        }
    }
    then {
        count VRRP;
        accept;
    }
}

lab at jr4> show firewall filter LUCA
Filter: LUCA
Counters:
Name                  Bytes    Packets
VRRP                   1598         18
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Instead:
lab at jr4# show firewall filter LUCA
term FXP0 {
    from {
        interface fxp0.0;
    }
    then accept;
}
term VRRP {
    from {
        source-prefix-list {
            VRRP-PL;
        }
        destination-prefix-list {
            MCAST-RSRVD-PL;
        }
        protocol vrrp;
    }
    then {
        count VRRP;
        accept;
    }
}

[edit]
lab at jr4# run clear firewall all

[edit]
lab at jr4# run show firewall filter LUCA
Filter: LUCA
Counters:
Name                  Bytes    Packets
VRRP                      0          0
On Thu, 2009-11-12 at 09:16 +0100, david.roy at orange-ftgroup.com wrote:
> Did you try to replace "from protocol vrrp" by "from destination-address 224.0.1.18" ?
>
> David
>
>
>
>
> David Roy
> Orange France - RBCI IP Technical Assistance Center
> Tel. +33(0)299876472
> Mob. +33(0)685522213
> Email. david.roy at orange-ftgroup.com
>
>
> -----Original Message-----
> From: juniper-nsp-bounces at puck.nether.net [mailto:juniper-nsp-bounces at puck.nether.net] On behalf of Bit Gossip
> Sent: Wednesday 11 November 2009 22:11
> To: Juniper List
> Subject: Re: [j-nsp] RE : VRRP packets neither counted nor logged
>
> Well this is getting interesting: I have enabled md5 and this is what I get (jr4=Junos9.5 CoPP=IOS12.4):
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> $ sudo tcpdump -i eth0 dst host 224.0.0.18
>
> 21:57:17.670215 IP jr4 > VRRP.MCAST.NET: AH(spi=0xabababab,seq=0x18b): VRRPv2, Advertisement, vrid 126, prio 100, authtype ah, intvl 1s, length 20
>
> 21:57:17.878430 IP copp > VRRP.MCAST.NET: VRRPv2, Advertisement, vrid 126, prio 100, authtype #254, intvl 1s, length 50
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> So Junos uses AH and Cisco doesn't - and of course VRRP is broken :-(
>
> With regards to the fw issue of my original post, the term VRRP does match VRRP packets, at least without authentication, but it just doesn't count them!
> This is proven by the fact that if I change the term action from accept to reject, VRRP is broken.
>
> Thanks,
> Bit.
>
>
>
> On Wed, 2009-11-11 at 20:59 +0100, david.roy at orange-ftgroup.com wrote:
> > Does your VRRP use MD5 authentication? If yes, VRRP uses an AH header,
> > so the IP protocol field is 51. You need to filter on the VRRP
> > multicast destination address, 224.0.1.18, and not on the protocol
> > vrrp.
> >
> > Regards,
> > David
> > David Roy
> > Orange France - RBCI IP Technical Assistance Center
> > +33(0)299876472
> > +33(0)685522213
> > david.roy at orange-ftgroup.com
> >
> >
> > ______________________________________________________________________
> > From: juniper-nsp-bounces at puck.nether.net on behalf of Bit Gossip
> > Sent: Wed. 11/11/2009 18:55
> > To: Juniper List
> > Subject: [j-nsp] VRRP packets neither counted nor logged
> >
> >
> > Experts, any idea why?
> >
> > The firewall term VRRP matches packets, because if I change the action
> > to reject, the VRRP status changes to master, as VRRP from the
> > other router is not heard anymore.
> >
> > Nevertheless, matched packets are neither counted nor logged :-(
> >
> >
> >
> > lab at jr4> show configuration firewall filter LUCA
> > term VRRP {
> >     from {
> >         protocol vrrp;
> >     }
> >     then {
> >         count RT-VRRP;
> >         log;
> >         accept;
> >     }
> > }
> > term FXP0-ACCEPT {
> >     from {
> >         interface fxp0.0;
> >     }
> >     then {
> >         count FXP0-ACCEPT;
> >         accept;
> >     }
> > }
> >
> > lab at jr4> show firewall log
> >
> > lab at jr4> show firewall filter LUCA
> > Filter: LUCA
> > Counters:
> > Name                  Bytes    Packets
> > RT-VRRP                   0          0
> > FXP0-ACCEPT           43570        802
> >
> >
> > lab at jr4> show vrrp detail
> > Physical interface: ge-1/3/0, Unit: 1, Vlan-id: 1, Address: 10.15.4.74/26
> >   Index: 71, SNMP ifIndex: 135, VRRP-Traps: disabled
> >   Interface state: up, Group: 126, State: backup
> >   Priority: 100, Advertisement interval: 1, Authentication type: none
> >   Delay threshold: 100, Computed send rate: 0
> >   Preempt: yes, Accept-data mode: yes, VIP count: 1, VIP: 10.15.4.126
> >   Dead timer: 2.833s, Master priority: 100, Master router: 10.15.4.75
> >   Virtual router uptime: 00:47:44
> >   Tracking: disabled
> >
> >
> > lab at jr4> monitor traffic interface ge-1/3/0 no-resolve matching "dst host 224.0.0.18" detail count 1
> > Address resolution is OFF.
> > Listening on ge-1/3/0, capture size 1514 bytes
> >
> > 14:47:32.936935 In IP (tos 0xc0, ttl 255, id 0, offset 0, flags [none], proto: VRRP (112), length: 40) 10.15.4.75 > 224.0.0.18: VRRPv2-advertisement 20: vrid=126 prio=100 authtype=none intvl=1 addrs: 10.15.4.126
> >
> >
> > lab at jr4> show configuration interfaces lo0
> > unit 0 {
> >     family inet {
> >         filter {
> >             input LUCA;
> >         }
> >         address 127.0.0.1/32;
> >         address 1.1.1.1/32 {
> >             primary;
> >             preferred;
> >         }
> >     }
> >     family iso {
> >         address 49.6666.0000.0000.0000.0000.0001.00;
> >     }
> > }
> >
> >
> > lab at jr4> show configuration interfaces ge-1/3/0
> > vlan-tagging;
> > link-mode full-duplex;
> > gigether-options {
> >     no-flow-control;
> > }
> > unit 1 {
> >     vlan-id 1;
> >     family inet {
> >         no-redirects;
> >         policer {
> >             arp ARP-POLICER;
> >         }
> >         address 10.15.4.74/26 {
> >             vrrp-group 126 {
> >                 virtual-address 10.15.4.126;
> >                 advertise-interval 1;
> >                 accept-data;
> >             }
> >         }
> >     }
> >     family iso;
> >     family mpls;
> > }
> >
> > _______________________________________________
> > juniper-nsp mailing list juniper-nsp at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/juniper-nsp
> >
> >
> >
> > *********************************
> > This message and any attachments (the "message") are confidential and intended solely for the addressees.
> > Any unauthorised use or dissemination is prohibited.
> > Messages are susceptible to alteration.
> > France Telecom Group shall not be liable for the message if altered, changed or falsified.
> > If you are not the intended addressee of this message, please cancel it immediately and inform the sender.
> > ********************************
>
>
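The point David raises above is that once VRRP authentication is on, the advertisement is carried inside an IP Authentication Header, so the outer IP protocol byte is 51 (AH) rather than 112 (VRRP): a Junos term matching on `protocol vrrp` no longer sees it, while a match on the destination 224.0.0.18 (the address seen in both captures) still does. The script below is an added illustration, not code from this thread or from Junos: it builds two constructed VRRPv2 advertisements (plain, and AH-wrapped with a dummy 12-byte ICV and the SPI/sequence values from the tcpdump line), parses the outer IPv4 header, steps over AH as laid out in RFC 4302, and evaluates which of the two match conditions each packet would satisfy.

```python
import struct
import ipaddress

IPPROTO_AH = 51      # IP Authentication Header (RFC 4302)
IPPROTO_VRRP = 112   # VRRP
VRRP_MCAST = ipaddress.IPv4Address("224.0.0.18")


def parse_ipv4(pkt: bytes) -> dict:
    """Read the outer IPv4 header; if the payload is AH, step over it to the inner protocol."""
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    info = {"ip_proto": proto, "dst": ipaddress.IPv4Address(pkt[16:20]),
            "inner_proto": proto, "vrid": None}
    payload = pkt[ihl:]
    if proto == IPPROTO_AH:
        # AH layout: next header, payload len (32-bit words minus 2), reserved, SPI, seq, ICV
        next_hdr, payload_len = payload[0], payload[1]
        info["inner_proto"] = next_hdr
        payload = payload[(payload_len + 2) * 4:]
    if info["inner_proto"] == IPPROTO_VRRP:
        info["vrid"] = payload[1]  # VRRPv2: version/type, VRID, priority, count addrs, ...
    return info


def term_matches(pkt: bytes, match_on: str) -> bool:
    """Model the two 'from' conditions discussed in the thread (simplified, not Junos itself)."""
    info = parse_ipv4(pkt)
    if match_on == "protocol vrrp":          # only the outer IP protocol byte is consulted
        return info["ip_proto"] == IPPROTO_VRRP
    if match_on == "destination-address 224.0.0.18":
        return info["dst"] == VRRP_MCAST
    raise ValueError(match_on)


def build_vrrp_adv(vrid: int, with_ah: bool) -> bytes:
    """Constructed VRRPv2 advertisement from 10.15.4.75 to 224.0.0.18, optionally inside AH."""
    auth_type = 2 if with_ah else 0          # 2 = IP Authentication Header (RFC 2338)
    vrrp = struct.pack("!BBBBBBH", 0x21, vrid, 100, 1, auth_type, 1, 0)
    vrrp += ipaddress.IPv4Address("10.15.4.126").packed + bytes(8)  # VIP + auth data
    if with_ah:
        # payload len 4 -> (4 + 2) * 4 = 24-byte AH carrying a 12-byte dummy ICV
        payload = struct.pack("!BBHII", IPPROTO_VRRP, 4, 0, 0xABABABAB, 0x18B) + bytes(12) + vrrp
        proto = IPPROTO_AH
    else:
        payload, proto = vrrp, IPPROTO_VRRP
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0xC0, 20 + len(payload), 0, 0, 255, proto, 0,
                     ipaddress.IPv4Address("10.15.4.75").packed, VRRP_MCAST.packed)
    return ip + payload
```

For the AH-wrapped packet `term_matches(pkt, "protocol vrrp")` returns False while the destination-address condition returns True; the plain packet satisfies both, and its length comes out as the 40 bytes seen in the monitor traffic output.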