VLAN firewall filter and VRRP packet processing in EX switch

This article describes how VRRP packets are processed on an EX switch when a firewall filter is applied in the input direction of a VLAN.

A firewall filter applied in the input direction of a VLAN also blocks transit VRRP multicast packets.

On the EX switch, packet filtering always happens in hardware.
If a filter is applied in the input direction of a VLAN, every packet entering that VLAN is checked against the filter, even if it is transit traffic, before it is sent for forwarding.

Below is an example of such a scenario, where SW-5 and SW-6 are running VRRP and SW-6 has been elected master.

We can verify the VRRP operation on both switches with the command below.

We can also monitor the VRRP packets on the backup switch to make sure that it is continuously receiving hellos and therefore stays in the backup state.

Similar monitoring can also be performed on the layer-2 switch interface connected to the master switch.
Interface traffic monitoring shows that it is receiving VRRP hello packets from the current VRRP master.

Now a filter is applied on VLAN 10 that permits only host 1.1.1.3 to reach 1.1.1.10.

After applying the filter, the firewall log shows that it is dropping the ICMP packets from 1.1.1.2 and also blocking the VRRP hellos.

To fix this, add a term to the filter that accepts the VRRP packets:
set firewall family inet filter permit-host term 2 from protocol vrrp
set firewall family inet filter permit-host term 2 then log
set firewall family inet filter permit-host term 2 then accept
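The following is an added example, not part of the original article, that models how the permit-host filter evaluates packets: terms are tried in order, first match wins, and anything unmatched hits the implicit discard at the end, which is why the transit VRRP hellos were dropped until term 2 was added. The master's address 1.1.1.6 and the sample packets are constructed for the illustration.

```python
import ipaddress

VRRP_PROTO = 112            # IP protocol number for VRRP
VRRP_GROUP = "224.0.0.18"   # well-known VRRP multicast group

def term(name, action, src=None, dst=None, proto=None, log=False):
    """One filter term; None means 'match any' for that field."""
    return {"name": name, "action": action, "src": src, "dst": dst,
            "proto": proto, "log": log}

# Original filter: term 1 only permits host 1.1.1.3 -> 1.1.1.10.
PERMIT_HOST_V1 = [
    term("1", "accept", src="1.1.1.3/32", dst="1.1.1.10/32"),
]
# Fixed filter from the article: term 2 accepts and logs VRRP
# before the implicit discard is reached.
PERMIT_HOST_V2 = PERMIT_HOST_V1 + [
    term("2", "accept", proto=VRRP_PROTO, log=True),
]

def _matches(t, src, dst, proto):
    if t["src"] and ipaddress.ip_address(src) not in ipaddress.ip_network(t["src"]):
        return False
    if t["dst"] and ipaddress.ip_address(dst) not in ipaddress.ip_network(t["dst"]):
        return False
    if t["proto"] is not None and t["proto"] != proto:
        return False
    return True

def evaluate(filter_terms, src, dst, proto):
    """Return (action, matched_term) for a packet entering the VLAN.

    Transit traffic, multicast included, is evaluated exactly like traffic
    addressed to the switch itself, so VRRP hellos are subject to the filter."""
    for t in filter_terms:
        if _matches(t, src, dst, proto):
            return t["action"], t["name"]
    return "discard", "implicit"   # implicit discard at the end of a Junos filter

if __name__ == "__main__":
    # Constructed packets: permitted ICMP, blocked ICMP, VRRP hello from the master (1.1.1.6 assumed).
    packets = [("1.1.1.3", "1.1.1.10", 1), ("1.1.1.2", "1.1.1.10", 1),
               ("1.1.1.6", VRRP_GROUP, VRRP_PROTO)]
    for label, f in (("original", PERMIT_HOST_V1), ("fixed", PERMIT_HOST_V2)):
        for src, dst, proto in packets:
            print(label, src, "->", dst, "proto", proto, evaluate(f, src, dst, proto))
```

Because the filter is first-match, the VRRP accept term must appear before any explicit discard term in the filter, not just anywhere in it.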

About the author

James Palmer
