This article describes how VRRP packets are processed on an EX switch when a firewall filter is applied in the input direction of a VLAN.
A firewall filter applied in the input direction of a VLAN blocks transit VRRP multicast packets unless a term explicitly accepts them.
On an EX switch, packet filtering always happens in hardware.
If a filter is applied in the input direction of a VLAN, every packet entering that VLAN is checked against the filter, even transit traffic, before it is sent for forwarding.
Below is an example of such a scenario, where SW-5 and SW-6 are running VRRP and SW-6 has been elected master.
SW-5 <ge-0/0/0>---vlan-10-----<ge-0/0/0> SW-7 <ge-0/0/1>---vlan-10---<ge-0/0/0> SW-6

Switch name   IP address   VRRP State
SW-5          1.1.1.2      Backup
SW-6          1.1.1.3      Master
We can verify the VRRP operation on both switches with the command below.

root@EX-SW5> show vrrp
Interface     State       Group   VR state       VR Mode   Timer    Type   Address
ge-0/0/0.0    up              0   backup         Active      D  3.564 lcl    1.1.1.2
                                                                     vip    1.1.1.1
                                                                     mas    1.1.1.3

root@EX-SW6> show vrrp
Interface     State       Group   VR state       VR Mode   Timer    Type   Address
ge-0/0/0.0    up              0   master         Active      A  0.132 lcl    1.1.1.3
                                                                     vip    1.1.1.1
We can also monitor VRRP packets on the backup switch to make sure that it is continuously receiving hellos from the master, which is what keeps it in the backup state.

root@EX-SW5> monitor traffic interface ge-0/0/0
10:32:17.733853  In IP 1.1.1.3 > 224.0.0.18: VRRPv2-advertisement 20: vrid=0 prio=100 authtype=none intvl=1
10:32:18.673652  In IP 1.1.1.3 > 224.0.0.18: VRRPv2-advertisement 20: vrid=0 prio=100 authtype=none intvl=1
Similar monitoring can also be performed on the layer-2 switch interface connected to the master switch.
Interface traffic monitoring shows that it is receiving VRRP hello packets from the current VRRP master.

root@EX-SW7# run monitor traffic interface ge-0/0/1
13:16:50.669407  In IP 1.1.1.3 > 224.0.0.18: VRRPv2-advertisement 20: vrid=0 prio=100 authtype=none intvl=1
13:16:51.597356  In IP 1.1.1.3 > 224.0.0.18: VRRPv2-advertisement 20: vrid=0 prio=100 authtype=none intvl=1
Now a filter is applied on vlan 10 that permits only host 1.1.1.3 to reach 1.1.1.10; everything else falls into term 2, which counts, logs and discards it.

set firewall family inet filter permit-host term 1 from source-address 1.1.1.3/32
set firewall family inet filter permit-host term 1 from destination-address 1.1.1.10/32
set firewall family inet filter permit-host term 1 then accept
set firewall family inet filter permit-host term 2 then count drop
set firewall family inet filter permit-host term 2 then log
set firewall family inet filter permit-host term 2 then discard
After applying the filter, the firewall log shows that it is dropping the ICMP packets from 1.1.1.2 and also blocking the VRRP hellos.

root@EX-SW7# run show firewall log
Log :
Time      Filter    Action Interface     Protocol        Src Addr                         Dest Addr
14:18:15  pfe       D      ge-0/0/0.0    VRRP            1.1.1.2                          224.0.0.18
14:18:15  pfe       D      ge-0/0/1.0    VRRP            1.1.1.3                          224.0.0.18
14:18:14  pfe       D      ge-0/0/0.0    ICMP            1.1.1.2                          1.1.1.10
Add a term that accepts VRRP packets and place it before the discard term. The term name allow-vrrp is a chosen example; reusing the name term 2 would modify the existing discard term rather than add a new one, so the new term is inserted ahead of it explicitly.

set firewall family inet filter permit-host term allow-vrrp from protocol vrrp
set firewall family inet filter permit-host term allow-vrrp then log
set firewall family inet filter permit-host term allow-vrrp then accept
insert firewall family inet filter permit-host term allow-vrrp before term 2
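To check term ordering before committing, the added example below (not from the original article or from Junos itself) parses the filter's set lines and walks the terms in order for a packet built from the page's capture (src 1.1.1.3, dst 224.0.0.18, protocol vrrp). It models only the match conditions used on this page and lists the VRRP term in evaluation order rather than modelling the insert command; the term name allow-vrrp is assumed.

```python
import ipaddress
import re

# Matches Junos set lines for one inet filter: filter, term, from|then, rest.
SET_RE = re.compile(
    r"^set firewall family inet filter (\S+) term (\S+) (from|then) (.+)$")


def parse_filter(set_lines):
    """Build terms in first-appearance order (the order Junos evaluates them)."""
    terms = {}
    for line in set_lines:
        m = SET_RE.match(line.strip())
        if not m:
            continue
        _, name, clause, rest = m.groups()
        # A term with no terminating action accepts by default in Junos.
        t = terms.setdefault(name, {"src": [], "dst": [], "proto": [], "action": "accept"})
        key, _, val = rest.partition(" ")
        if clause == "from" and key == "source-address":
            t["src"].append(ipaddress.ip_network(val))
        elif clause == "from" and key == "destination-address":
            t["dst"].append(ipaddress.ip_network(val))
        elif clause == "from" and key == "protocol":
            t["proto"].append(val)
        elif clause == "then" and key in ("accept", "discard", "reject"):
            t["action"] = key  # count/log are non-terminating and ignored here
    return terms


def evaluate(set_lines, src, dst, proto):
    """Return (term_name, action) of the first matching term, or
    (None, 'discard') for the implicit discard at the end of the filter."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for name, t in parse_filter(set_lines).items():
        if t["src"] and not any(s in n for n in t["src"]):
            continue
        if t["dst"] and not any(d in n for n in t["dst"]):
            continue
        if t["proto"] and proto not in t["proto"]:
            continue
        return name, t["action"]
    return None, "discard"


# Constructed from the page's filter; FIXED places the VRRP term before term 2.
ORIGINAL_FILTER = [
    "set firewall family inet filter permit-host term 1 from source-address 1.1.1.3/32",
    "set firewall family inet filter permit-host term 1 from destination-address 1.1.1.10/32",
    "set firewall family inet filter permit-host term 1 then accept",
    "set firewall family inet filter permit-host term 2 then count drop",
    "set firewall family inet filter permit-host term 2 then log",
    "set firewall family inet filter permit-host term 2 then discard",
]
FIXED_FILTER = ORIGINAL_FILTER[:3] + [
    "set firewall family inet filter permit-host term allow-vrrp from protocol vrrp",
    "set firewall family inet filter permit-host term allow-vrrp then accept",
] + ORIGINAL_FILTER[3:]
VRRP_ADVERT = ("1.1.1.3", "224.0.0.18", "vrrp")  # from the monitor traffic capture
```

Running evaluate(ORIGINAL_FILTER, *VRRP_ADVERT) reports the advertisement discarded by term 2, while the fixed filter accepts it in allow-vrrp and still discards the ICMP from 1.1.1.2.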