Solved: Re: Catlyst 9200L VRRP v2 possible?

perkin · ‎04-02-2019

Hello Guys

I need an advise on 9200L- advantage

I need to use VRRP version with checkpoint , in the document is really misleading. only support page for VRRP V3.

also in the page, it mentioned.

When VRRPv3 is in use, VRRPv2 is unavailable. For VRRPv3 to be configurable, the fhrp version vrrp v3 command must be used in global configuration mode.

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst9200/software/release/16-9/configuration_guide/ip/b_169_ip_9200_cg/vrrpv3_protocol___support.html?bookSearch=true

so is that mean I can use VRRP v2? I do not have a live checkpoint in my LAB at the moment...

but in the actual cli configuration, It seems to me I cannot enter vrrp actually, but if I issue sh vrrp detail, I can see VRRPv2 Advertisements. it is REALLY confusing.

SW1(config)#int vlan 10
SW1(config-if)#vrr?
% Unrecognized command
SW1(config-if)#exit
SW1(config)#fhrp version vrrp v3
SW1(config)#int vlan 10
SW1(config-if)#vrr?
vrrp vrrs

SW1(config-if)#do sh ver | i 16.9
Cisco IOS Software [Fuji], Catalyst L3 Switch Software (CAT9K_LITE_IOSXE), Version 16.9.2, RELEASE SOFTWARE (fc4)
* 1 52 C9200L-48P-4G 16.9.2 CAT9K_LITE_IOSXE BUNDLE
2 52 C9200L-48P-4G 16.9.2 CAT9K_LITE_IOSXE BUNDLE

SW1#sh vrrp detail
Vlan10 - Group 1 - Address-Family IPv4
Description is "DATA_VRRP"
State is MASTER
State duration 1 mins 46.892 secs
Virtual IP address is x.x.x.x
Virtual MAC address is 0000.5E00.0101
Advertisement interval is 1000 msec
Preemption enabled
Priority is 100
Master Router is x.x.x.x (local), priority is 100
Master Advertisement interval is 1000 msec (expires in 557 msec)
Master Down interval is unknown
FLAGS: 1/1
VRRPv3 Advertisements: sent 119 (errors 0) - rcvd 0
VRRPv2 Advertisements: sent 119 (errors 0) - rcvd 0
Group Discarded Packets: 0
VRRPv2 incompatibility: 0
IP Address Owner conflicts: 0
Invalid address count: 0
IP address configuration mismatch : 0
Invalid Advert Interval: 0
Adverts received in Init state: 0
Invalid group other reason: 0
Group State transition:
Init to master: 0
Init to backup: 1 (Last change Tue Apr 02 16:24:31.557)
Backup to master: 1 (Last change Tue Apr 02 16:24:35.168)
Master to backup: 0
Master to init: 0
Backup to init: 0

SW1#

jalejand · ‎04-03-2019

In Polaris platforms, VRRP is configured via Unified VRRP (v3), when using address family ipv4, VRRPv2 is used, VRRPv3 is used for address family for ipv6.

This is a sample of a traditional VRRPv2 config on a router:

interface GigabitEthernet0/0/1

ip address 10.10.10.1 255.255.255.0
vrrp 1 ip 10.10.10.254
vrrp 1 priority 90
end

On 9k and 3k Polaris, it has the following syntax:

Of course, the #fhrp version vrrp v3 is needed prior this configuration.

interface Vlan10
ip address 10.10.10.2 255.255.255.0
vrrp 1 address-family ipv4
priority 110
address 10.10.10.254 primary
exit-vrrp
end

How to tell if these are compatible?

VRRP packets from ipv4 address family are the same multicast both MAC and IP:

Vlan10 - Group 1 - Address-Family IPv4
State is MASTER
State duration 3 mins 49.184 secs
Virtual IP address is 10.10.10.254
Virtual MAC address is 0000.5E00.0101
Advertisement interval is 1000 msec
Preemption enabled
Priority is 110
Master Router is 10.10.10.2 (local), priority is 110
Master Advertisement interval is 1000 msec (expires in 450 msec)
Master Down interval is unknown
FLAGS: 1/1

Take a look on a control plane capture from the Cat9200L:

VRRP1#mon cap cap control-plane out match ipv4 any any
VRRP1#mon cap cap start
Started capture point : cap
VRRP1#mon cap cap stop
Bytes dropped in asic - 0

Stopped capture point : cap
VRRP1#show mon cap cap buf bri
----------------------------------------------------------------------------
# size timestamp source destination dscp protocol
----------------------------------------------------------------------------
0 0 0.000000 10.10.10.2 -> 224.0.0.18 0 BE VRRP

In summary, you can use VRRPv2 on the Cat9200L by using the IPV4 address family

View solution in original post

perkin · ‎04-03-2019

I vote @jalejand as a solution since that showing the way to the solution

although I still no checkpoint secure gateway (aka FireWall) in my test LAB but I have a very old 2800 router.

lets share the love to all if they have no test lab :-)

below are all the cli and console behaviour

9200L

2800nm

9200L-Adv(config)#fhrp version vrrp v3

9200L-Adv(config)#do sh run int vlan 10
Building configuration...

Current configuration : 198 bytes
!
interface Vlan10
ip address 10.x.x.3 255.255.255.0
vrrp 1 address-family ipv4
description VRRP_V3
priority 90
vrrpv2
address 10.x.x.1 primary
exit-vrrp
end

9200L-Adv(config)#do sh vrrp bri
Interface Grp A-F Pri Time Own Pre State Master addr/Group addr
Vl10 1 IPv4 90 0 N Y MASTER 10.x.x.3(local) 10.x.x.1
9200L-Adv(config)#
.Apr 3 11:05:59.016 UTC: %VRRP-6-STATE: Vlan10 IPv4 group 1 state MASTER -> BACKUP
9200L-Adv(config)#do sh vrrp bri
Interface Grp A-F Pri Time Own Pre State Master addr/Group addr
Vl10 1 IPv4 90 3648 N Y BACKUP 10.x.x.2 10.x.x.1

2800nm(config)#do sh run int f0/0
Building configuration...

Current configuration : 272 bytes
!
interface FastEthernet0/0
ip address 10.x.x.2 255.255.255.0
vrrp 1 description VRRP_v2
vrrp 1 ip 10.x.x.1
vrrp 1 priority 80
end
2800nm(config)#do sh vrrp brief
Interface Grp Pri Time Own Pre State Master addr Group addr
Fa0/0 1 80 3687 Y Backup 10.x.x.3 10.x.x.1
2800nm(config)#int f0/0
2800nm(config-if)#vrrp 1 pri 110
2800nm(config-if)#
000061: *Apr 3 11:32:41.871: %VRRP-6-STATECHANGE: Fa0/0 Grp 1 state Backup -> Master
2800nm(config-if)#do sh vrrp brief
Interface Grp Pri Time Own Pre State Master addr Group addr
Fa0/0 1 110 3570 Y Master 10.x.x.2 10.x.x.1
2800nm(config-if)#

View solution in original post

luis_cordova · ‎04-02-2019

Hi @perkin ,

Check this link with some details about the VRRP versions:

https://yurmagccie.wordpress.com/2015/08/07/virtual-router-redundancy-protocol/

Regards

perkin · ‎04-03-2019

Hello Luis
Thank you and these kind of training doc I read and I know they are not compatible
But the question is do catalyst 9200L support VRRPV2?
It really confusing and this is I do not have a lab ENG to test at the moment
And harp v2 and v3 are same with mac and mcast address — but they did not like each other :-)

Any experts are welcome

Deepak Kumar · ‎04-03-2019

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment will help you!

Georg Pauwen · ‎04-03-2019

Hello,

as I understand it, 'fhrp version vrrp v3' effectively enables version 3 and disables version 2 (you can allow v2 devices that might still be in the network with the command '9200(config-if-vrrp)# vrrpv2', which enables v2 compatibility mode...

perkin · ‎04-03-2019

thank you, so in a formula

fhrp version vrrp v3 + VRRP2 = catlayst 9200L (w/ advance license) using VRRP V2?

[Updates] yes it does!

jalejand · ‎04-03-2019

In Polaris platforms, VRRP is configured via Unified VRRP (v3), when using address family ipv4, VRRPv2 is used, VRRPv3 is used for address family for ipv6.

This is a sample of a traditional VRRPv2 config on a router:

interface GigabitEthernet0/0/1

ip address 10.10.10.1 255.255.255.0
vrrp 1 ip 10.10.10.254
vrrp 1 priority 90
end

On 9k and 3k Polaris, it has the following syntax:

Of course, the #fhrp version vrrp v3 is needed prior this configuration.

interface Vlan10
ip address 10.10.10.2 255.255.255.0
vrrp 1 address-family ipv4
priority 110
address 10.10.10.254 primary
exit-vrrp
end

How to tell if these are compatible?

VRRP packets from ipv4 address family are the same multicast both MAC and IP:

Vlan10 - Group 1 - Address-Family IPv4
State is MASTER
State duration 3 mins 49.184 secs
Virtual IP address is 10.10.10.254
Virtual MAC address is 0000.5E00.0101
Advertisement interval is 1000 msec
Preemption enabled
Priority is 110
Master Router is 10.10.10.2 (local), priority is 110
Master Advertisement interval is 1000 msec (expires in 450 msec)
Master Down interval is unknown
FLAGS: 1/1

Take a look on a control plane capture from the Cat9200L:

VRRP1#mon cap cap control-plane out match ipv4 any any
VRRP1#mon cap cap start
Started capture point : cap
VRRP1#mon cap cap stop
Bytes dropped in asic - 0

Stopped capture point : cap
VRRP1#show mon cap cap buf bri
----------------------------------------------------------------------------
# size timestamp source destination dscp protocol
----------------------------------------------------------------------------
0 0 0.000000 10.10.10.2 -> 224.0.0.18 0 BE VRRP

In summary, you can use VRRPv2 on the Cat9200L by using the IPV4 address family

perkin · ‎04-03-2019

thanks a lot, so in your screen capture are form the live device?

appreciated!

will your screen capture of VRRP v3 (with AF IP4) just because he is the master?

can I learn from you if this VRRP V3 device (hostname VRRP1) becomes secondary when priority is lower than VRRP V2 side ?

perkin · ‎04-03-2019

I vote @jalejand as a solution since that showing the way to the solution

although I still no checkpoint secure gateway (aka FireWall) in my test LAB but I have a very old 2800 router.

lets share the love to all if they have no test lab :-)

below are all the cli and console behaviour

9200L

2800nm

9200L-Adv(config)#fhrp version vrrp v3

9200L-Adv(config)#do sh run int vlan 10
Building configuration...

Current configuration : 198 bytes
!
interface Vlan10
ip address 10.x.x.3 255.255.255.0
vrrp 1 address-family ipv4
description VRRP_V3
priority 90
vrrpv2
address 10.x.x.1 primary
exit-vrrp
end

9200L-Adv(config)#do sh vrrp bri
Interface Grp A-F Pri Time Own Pre State Master addr/Group addr
Vl10 1 IPv4 90 0 N Y MASTER 10.x.x.3(local) 10.x.x.1
9200L-Adv(config)#
.Apr 3 11:05:59.016 UTC: %VRRP-6-STATE: Vlan10 IPv4 group 1 state MASTER -> BACKUP
9200L-Adv(config)#do sh vrrp bri
Interface Grp A-F Pri Time Own Pre State Master addr/Group addr
Vl10 1 IPv4 90 3648 N Y BACKUP 10.x.x.2 10.x.x.1

2800nm(config)#do sh run int f0/0
Building configuration...

Current configuration : 272 bytes
!
interface FastEthernet0/0
ip address 10.x.x.2 255.255.255.0
vrrp 1 description VRRP_v2
vrrp 1 ip 10.x.x.1
vrrp 1 priority 80
end
2800nm(config)#do sh vrrp brief
Interface Grp Pri Time Own Pre State Master addr Group addr
Fa0/0 1 80 3687 Y Backup 10.x.x.3 10.x.x.1
2800nm(config)#int f0/0
2800nm(config-if)#vrrp 1 pri 110
2800nm(config-if)#
000061: *Apr 3 11:32:41.871: %VRRP-6-STATECHANGE: Fa0/0 Grp 1 state Backup -> Master
2800nm(config-if)#do sh vrrp brief
Interface Grp Pri Time Own Pre State Master addr Group addr
Fa0/0 1 110 3570 Y Master 10.x.x.2 10.x.x.1
2800nm(config-if)#

jalejand · ‎04-03-2019

Hi Perkin

That is correct, my outputs were from an actual C9200L running 16.9.2 paired along a ISR router running VRRPv2, I see that you also used an old router to test it. For the VRRP1 (current master) to become secondary, preemption is required, it is by default enabled on vrrpv2:

Vlan10 - Group 1 - Address-Family IPv4
State is MASTER
State duration 3 mins 49.184 secs
Virtual IP address is 10.10.10.254
Virtual MAC address is 0000.5E00.0101
Advertisement interval is 1000 msec
Preemption enabled

perkin · ‎04-04-2019

thanks a lot Jalejand!
even Cli, we need better UX too!