04-02-2019 09:45 AM
Hello Guys
I need some advice on the 9200L (Advantage).
I need to use VRRP version with Checkpoint; the document is really misleading. There is only a support page for VRRP v3.
Also, the page mentions:
When VRRPv3 is in use, VRRPv2 is unavailable. For VRRPv3 to be configurable, the fhrp version vrrp v3 command must be used in global configuration mode.
So does that mean I can use VRRP v2? I do not have a live Checkpoint in my lab at the moment...
But in the actual CLI configuration, it seems to me I cannot actually enter vrrp, yet if I issue sh vrrp detail, I can see VRRPv2 Advertisements. It is REALLY confusing.
SW1(config)#int vlan 10
SW1(config-if)#vrr?
% Unrecognized command
SW1(config-if)#exit
SW1(config)#fhrp version vrrp v3
SW1(config)#int vlan 10
SW1(config-if)#vrr?
vrrp vrrs
SW1(config-if)#do sh ver | i 16.9
Cisco IOS Software [Fuji], Catalyst L3 Switch Software (CAT9K_LITE_IOSXE), Version 16.9.2, RELEASE SOFTWARE (fc4)
* 1 52 C9200L-48P-4G 16.9.2 CAT9K_LITE_IOSXE BUNDLE
2 52 C9200L-48P-4G 16.9.2 CAT9K_LITE_IOSXE BUNDLE
SW1#sh vrrp detail
Vlan10 - Group 1 - Address-Family IPv4
Description is "DATA_VRRP"
State is MASTER
State duration 1 mins 46.892 secs
Virtual IP address is x.x.x.x
Virtual MAC address is 0000.5E00.0101
Advertisement interval is 1000 msec
Preemption enabled
Priority is 100
Master Router is x.x.x.x (local), priority is 100
Master Advertisement interval is 1000 msec (expires in 557 msec)
Master Down interval is unknown
FLAGS: 1/1
VRRPv3 Advertisements: sent 119 (errors 0) - rcvd 0
VRRPv2 Advertisements: sent 119 (errors 0) - rcvd 0
Group Discarded Packets: 0
VRRPv2 incompatibility: 0
IP Address Owner conflicts: 0
Invalid address count: 0
IP address configuration mismatch : 0
Invalid Advert Interval: 0
Adverts received in Init state: 0
Invalid group other reason: 0
Group State transition:
Init to master: 0
Init to backup: 1 (Last change Tue Apr 02 16:24:31.557)
Backup to master: 1 (Last change Tue Apr 02 16:24:35.168)
Master to backup: 0
Master to init: 0
Backup to init: 0
SW1#
04-03-2019 12:53 AM
On Polaris platforms, VRRP is configured via Unified VRRP (v3). When using address family ipv4, VRRPv2 is used; VRRPv3 is used for address family ipv6.
This is a sample of a traditional VRRPv2 config on a router:
interface GigabitEthernet0/0/1
 ip address 10.10.10.1 255.255.255.0
 vrrp 1 ip 10.10.10.254
 vrrp 1 priority 90
end
On 9k and 3k Polaris, it has the following syntax.
Of course, #fhrp version vrrp v3 is needed prior to this configuration:
interface Vlan10
 ip address 10.10.10.2 255.255.255.0
 vrrp 1 address-family ipv4
  priority 110
  address 10.10.10.254 primary
  exit-vrrp
end
How to tell if these are compatible?
VRRP packets from the ipv4 address family use the same multicast, both MAC and IP:
Vlan10 - Group 1 - Address-Family IPv4
State is MASTER
State duration 3 mins 49.184 secs
Virtual IP address is 10.10.10.254
Virtual MAC address is 0000.5E00.0101
Advertisement interval is 1000 msec
Preemption enabled
Priority is 110
Master Router is 10.10.10.2 (local), priority is 110
Master Advertisement interval is 1000 msec (expires in 450 msec)
Master Down interval is unknown
FLAGS: 1/1
Take a look at a control plane capture from the Cat9200L:
VRRP1#mon cap cap control-plane out match ipv4 any any
VRRP1#mon cap cap start
Started capture point : cap
VRRP1#mon cap cap stop
Bytes dropped in asic - 0
Stopped capture point : cap
VRRP1#show mon cap cap buf bri
----------------------------------------------------------------------------
# size timestamp source destination dscp protocol
----------------------------------------------------------------------------
0 0 0.000000 10.10.10.2 -> 224.0.0.18 0 BE VRRP
In summary, you can use VRRPv2 on the Cat9200L by using the IPV4 address family
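A capture summary line like the one above shows only that VRRP went to 224.0.0.18; the version is the high nibble of the first payload byte. The following is an added example, not part of the original post or any Cisco code: it decodes an IPv4 VRRP advertisement as either v2 (RFC 3768) or v3 (RFC 5798). The sample bytes are constructed to match group 1 from the thread, with the checksum zeroed and not verified.

```python
import ipaddress
import struct


def parse_vrrp_ipv4(payload: bytes) -> dict:
    """Decode the VRRP message carried in an IPv4 packet (v2 or v3)."""
    if len(payload) < 8:
        raise ValueError("truncated VRRP header")
    ver_type, vrid, prio, count = struct.unpack("!BBBB", payload[:4])
    version, msg_type = ver_type >> 4, ver_type & 0x0F
    if msg_type != 1:
        raise ValueError("not a VRRP advertisement")
    if version == 2:
        # RFC 3768: byte 4 = auth type, byte 5 = interval in seconds
        interval_ms = payload[5] * 1000
    elif version == 3:
        # RFC 5798: low 12 bits of bytes 4-5 = interval in centiseconds
        interval_ms = (struct.unpack("!H", payload[4:6])[0] & 0x0FFF) * 10
    else:
        raise ValueError(f"unknown VRRP version {version}")
    end = 8 + 4 * count
    if len(payload) < end:
        raise ValueError("address list truncated")
    addrs = [str(ipaddress.IPv4Address(payload[i:i + 4]))
             for i in range(8, end, 4)]
    return {
        "version": version,
        "vrid": vrid,
        "priority": prio,
        "interval_ms": interval_ms,
        "addresses": addrs,
        # IPv4 virtual MAC is 0000.5E00.01<VRID>, printed Cisco-style
        "virtual_mac": f"0000.5E00.01{vrid:02X}",
    }


# Constructed samples: group 1, priority 110, virtual address 10.10.10.254,
# 1 second interval. The v2 message ends with 8 bytes of authentication data.
V2_SAMPLE = bytes([0x21, 1, 110, 1, 0, 1, 0, 0]) + bytes([10, 10, 10, 254]) + bytes(8)
V3_SAMPLE = bytes([0x31, 1, 110, 1, 0x00, 0x64, 0, 0]) + bytes([10, 10, 10, 254])

if __name__ == "__main__":
    for name, pkt in (("v2", V2_SAMPLE), ("v3", V3_SAMPLE)):
        print(name, parse_vrrp_ipv4(pkt))
```

Both samples decode to the same group, priority, address and 1000 msec interval; only the version nibble and the layout of bytes 4-5 differ.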
04-03-2019 04:18 AM - edited 04-04-2019 12:33 AM
I vote @jalejand's post as the solution, since it shows the way to the solution.
I still have no Checkpoint secure gateway (aka firewall) in my test lab, but I have a very old 2800 router.
Let's share the love with all who have no test lab :-)
Below are all the CLI and console behaviour:
9200L:
9200L-Adv(config)#fhrp version vrrp v3
9200L-Adv(config)#do sh run int vlan 10
Current configuration : 198 bytes
9200L-Adv(config)#do sh vrrp bri

2800nm:
2800nm(config)#do sh run int f0/0
Current configuration : 272 bytes
04-02-2019 10:24 AM
Hi @perkin ,
Check this link with some details about the VRRP versions:
https://yurmagccie.wordpress.com/2015/08/07/virtual-router-redundancy-protocol/
Regards
04-03-2019 12:32 AM
Hello,
As I understand it, 'fhrp version vrrp v3' effectively enables version 3 and disables version 2 (you can allow v2 devices that might still be in the network with the command '9200(config-if-vrrp)# vrrpv2', which enables v2 compatibility mode)...
04-03-2019 01:48 AM - edited 04-03-2019 04:29 AM
Thank you, so as a formula:
fhrp version vrrp v3 + VRRP2 = Catalyst 9200L (w/ Advantage license) using VRRP V2?
[Updates] yes it does!
04-03-2019 01:56 AM
Thanks a lot. So your screen captures are from the live device?
Appreciated!
Is your screen capture of VRRP v3 (with AF IPv4) just because it is the master?
Can I learn from you whether this VRRP v3 device (hostname VRRP1) becomes secondary when its priority is lower than the VRRP v2 side?
04-03-2019 10:22 AM
Hi Perkin
That is correct, my outputs were from an actual C9200L running 16.9.2 paired with an ISR router running VRRPv2. I see that you also used an old router to test it. For the VRRP1 (current master) to become secondary, preemption is required; it is enabled by default on vrrpv2:
Vlan10 - Group 1 - Address-Family IPv4
State is MASTER
State duration 3 mins 49.184 secs
Virtual IP address is 10.10.10.254
Virtual MAC address is 0000.5E00.0101
Advertisement interval is 1000 msec
Preemption enabled