VRRP on bridge interface

operat0r · April 4, 2018, 11:22am

Hello,

I’ve been testing VRRP configuration on bridge interface and it is not working as intended.
The problem is that when everything is setup, I can see that both routers become master for the specific prefix I’ve setup VRRP.
Is there a way to make it work ? If not, what is the next best possible implementation for this?

Thank you in advance.

blajah · April 6, 2018, 7:28pm

I can confirm it works as expected. Can you provide export of config or even diagram of what you are trying to achieve?

operat0r · April 11, 2018, 8:04am

Hello ,

Basically the diagram of the network in place is this (see attached).

Right now the configurations are as follows :

/interface ethernet
set [ find default-name=ether1 ] comment="Local Admin"
set [ find default-name=sfp-sfpplus1 ] comment="Everest feed A"
set [ find default-name=sfp-sfpplus2 ] comment="Link to mg03-sw03"
set [ find default-name=sfp-sfpplus3 ] disabled=yes

/interface vrrp
add authentication=ah interface=sfp-sfpplus2 name=xxx.xxx.xxx.0/28 password=XXXXXXXX priority=150 version=2
add authentication=ah interface=sfp-sfpplus2 name=xxx.xxx.xxx.128/25 password=XXXXXXXX priority=150 version=2 vrid=5
add authentication=ah interface=sfp-sfpplus2 name=xxx.xxx.xxx.16/28 password=XXXXXXXX priority=150 version=2 vrid=2
add authentication=ah interface=sfp-sfpplus2 name=xxx.xxx.xxx.32/27 password=XXXXXXXX priority=150 version=2 vrid=3
add authentication=ah interface=sfp-sfpplus2 name=xxx.xxx.xxx.64/26 password=XXXXXXXX priority=150 version=2 vrid=4
add authentication=ah interface=sfp-sfpplus2 name=xxx.xxx.xxx.0/26 password=XXXXXXXX priority=150 version=2 vrid=10
add authentication=ah interface=sfp-sfpplus2 name=xxx.xxx.xxx.128/25 password=XXXXXXXX priority=150 version=2 vrid=12
add authentication=ah interface=sfp-sfpplus2 name=xxx.xxx.xxx.64/26 password=XXXXXXXX priority=150 version=2 vrid=11
add authentication=ah interface=sfp-sfpplus2 name=VRRP-xxx.xxx.xxx.0 password=XXXXXXXX priority=150 version=2 vrid=14
add authentication=ah interface=sfp-sfpplus4 name=VRRP-xxx.xxx.xxx.0/26 password=XXXXXXXX version=2 vrid=15
add authentication=ah interface=sfp-sfpplus4 name=VRRP-xxx.xxx.xxx.128/25 password=XXXXXXXX version=2 vrid=17
add authentication=ah interface=sfp-sfpplus4 name=VRRP-xxx.xxx.xxx.64/26 password=XXXXXXXX version=2 vrid=16
add authentication=ah interface=sfp-sfpplus4 name=VRRP-xxx.xxx.xxx.0/24 password=XXXXXXXX priority=150 version=2 vrid=18
add authentication=ah interface=sfp-sfpplus2 name=VRRP-194 password=XXXXXXXX priority=150 version=2 vrid=13
add interface=sfp-sfpplus2 name=VRRP-IPv6-1 priority=200 v3-protocol=ipv6 vrid=20

/routing bgp instance
set default as=64516 disabled=yes
add as=49683 client-to-client-reflection=no name="Everest Feed A" router-id=X.X.X.X
add as=49683 client-to-client-reflection=no name=XXXXXX router-id=X.X.X.X

/ip address
add address=X.X.X.X/30 comment="BGP point-to-point Everest" interface=sfp-sfpplus1 network=X.X.X.X
add address=xxx.xxx.xxx.12/28 comment=xxx.xxx.xxx.0/28 interface=sfp-sfpplus2 network=xxx.xxx.xxx.0
add address=xxx.xxx.xxx.14/28 interface=xxx.xxx.xxx.0/28 network=xxx.xxx.xxx.0
add address=xxx.xxx.xxx.28/28 comment=xxx.xxx.xxx.16.28 interface=sfp-sfpplus2 network=xxx.xxx.xxx.16
add address=xxx.xxx.xxx.30/28 interface=xxx.xxx.xxx.16/28 network=xxx.xxx.xxx.16
add address=xxx.xxx.xxx.60/27 comment=xxx.xxx.xxx.32/27 interface=sfp-sfpplus2 network=xxx.xxx.xxx.32
add address=xxx.xxx.xxx.62/27 interface=xxx.xxx.xxx.32/27 network=xxx.xxx.xxx.32
add address=xxx.xxx.xxx.124/26 comment=xxx.xxx.xxx.64/26 interface=sfp-sfpplus2 network=xxx.xxx.xxx.64
add address=xxx.xxx.xxx.126/26 interface=xxx.xxx.xxx.64/26 network=xxx.xxx.xxx.64
add address=xxx.xxx.xxx.252/25 comment=xxx.xxx.xxx.128/25 interface=sfp-sfpplus2 network=xxx.xxx.xxx.128
add address=xxx.xxx.xxx.254/25 interface=xxx.xxx.xxx.128/25 network=xxx.xxx.xxx.128
add address=xxx.xxx.xxx.252/24 comment=xxx.xxx.xxx.0 interface=sfp-sfpplus2 network=xxx.xxx.xxx.0
add address=xxx.xxx.xxx.60/26 comment=xxx.xxx.xxx.0 interface=sfp-sfpplus2 network=xxx.xxx.xxx.0
add address=xxx.xxx.xxx.124/26 comment=xxx.xxx.xxx.64/26 interface=sfp-sfpplus2 network=xxx.xxx.xxx.64
add address=xxx.xxx.xxx.252/25 comment=xxx.xxx.xxx.128/25 interface=sfp-sfpplus2 network=xxx.xxx.xxx.128
add address=xxx.xxx.xxx.62 interface=xxx.xxx.xxx.0/26 network=xxx.xxx.xxx.0
add address=xxx.xxx.xxx.126 interface=xxx.xxx.xxx.64/26 network=xxx.xxx.xxx.64
add address=xxx.xxx.xxx.254 interface=xxx.xxx.xxx.128/25 network=xxx.xxx.xxx.128
add address=xxx.xxx.xxx.254/24 interface=VRRP-194 network=xxx.xxx.xxx.0
add address=xxx.xxx.xxx.252/24 comment=xxx.xxx.xxx.0 interface=sfp-sfpplus2 network=xxx.xxx.xxx.0
add address=xxx.xxx.xxx.254/24 interface=VRRP-xxx.xxx.xxx.0 network=xxx.xxx.xxx.0
add address=xxx.xxx.xxx.60/26 comment=xxx.xxx.xxx.0/26 interface=sfp-sfpplus4 network=xxx.xxx.xxx.0
add address=xxx.xxx.xxx.124/26 comment=xxx.xxx.xxx.64/26 interface=sfp-sfpplus4 network=xxx.xxx.xxx.64
add address=xxx.xxx.xxx.252/25 comment=xxx.xxx.xxx.128/25 interface=sfp-sfpplus4 network=xxx.xxx.xxx.128
add address=xxx.xxx.xxx.62 interface=VRRP-xxx.xxx.xxx.0/26 network=xxx.xxx.xxx.62
add address=xxx.xxx.xxx.127 interface=VRRP-xxx.xxx.xxx.64/26 network=xxx.xxx.xxx.127
add address=xxx.xxx.xxx.254 interface=VRRP-xxx.xxx.xxx.128/25 network=xxx.xxx.xxx.254
add address=xxx.xxx.xxx.252/24 comment=xxx.xxx.xxx.0/24 interface=sfp-sfpplus4 network=xxx.xxx.xxx.0
add address=xxx.xxx.xxx.254 interface=VRRP-xxx.xxx.xxx.0/24 network=xxx.xxx.xxx.254

The concept is the same for router 2.
I am using public IP’s for the server clusters bellow.
So basically, what I want to achieve is to bridge two interfaces (lets say sfp-plus 4 and 5), and have VRRP on this bridge.

Right now I have removed all configurations for bridge.But I follow the steps bellow:

Add new Bridge
Add ports to bridge
Assign VRRP interface to Bridge

Doing so results in both VRRP to become masters.
I will try to create a new configuration and upload it here with the bridge setup, when i have time.

Thank you

sri2007 · April 24, 2018, 1:14pm

Hi, I’ll probably double check auth password on both sides, and I could also check if I can see this remote router as a LLDP neighbor too, the only way that two VRRP neighbors won’t become master/backup is that they are not able to communicate between them, there are firewall rules that can block this traffic too, the VRRP multicast address is 224.0.0.18

idlemind · April 24, 2018, 7:29pm

Also, the VRRP addresses in IPv4 should be /32’s and /128’s for IPv6. If not, the router ends up with 2 interfaces that have the same network defined. The VRRP interface will get it’s own link-local address automatically and will be reachable there. Additionally, you can if you want set a global unicast address to be shared like in IPv4.

/interface vrrp add interface=bridge1 version=3 name=vrrp-v4-bridge1
/ip address add interface=bridge1 address=10.99.99.254/24
/ip address add interface=vrrp-v4-bridge1 address=10.99.99.1/32

# ipv6
/interface vrrp add interface=bridge1 version=3 v3-protocol=ipv6 vrid=6 name=vrrp-v6-bridge1
/ipv6 address add interface=bridge1 address=2001:db8::254/64
/ipv6 address add interface=vrrp-v6-bridge1 address=2001:db8::1/128

operat0r · May 3, 2018, 11:55am

Having tried tweaking various settings to make things work, I’m still not able to make VRRP work on bridge.
Bellow is the current configuration:

/interface bridge
add fast-forward=no name=bridge-vlan protocol-mode=none

/interface vlan
add interface=sfp-sfpplus4 name=vlan100 vlan-id=100

/interface vrrp
add authentication=ah interface=vlan100 name=VRRP-x.x.x.x/24 password=xxxxxxx priority=250 version=2 vrid=18

add address=x.x.x.x/24 comment=x.x.x.x/24 interface=vlan100 network=x.x.x.0
add address=x.x.x.254 interface=VRRP-x.x.x.0/24 network=x.x.x.254

Adding port sfpplus4 (which is the physical interface connected to a cisco switch) to the bridge results in lost of connectivity of end users.
Adding port vlan100 to the bridge results in lost of connectivity of end users.

I really don’t know what I’m doing wrong here.

To fully understand my case consider the next :

2 routers with several networks (all public networks).
Two uplinks to 2 different ISP’s (full BGP routing).
VRRP interfaces. For the testing of vlans and bridge, I have created a test vlan 100.
VRRP for the specific network is bound to interface vlan 100 (on both routers).
IP addresses for networks. For aforementioned network lets say it is 111.111.111.0/24.
Add ip address 111.111.111.252/24 interface vlan 100
Add ip address 111.111.111.254/32 interface VRRPinterface.

Current configuration with vlan100 works. But I’m trying to figure out how to add multiple vlans for the same interface and also untagged traffic (native vlan).
I’ve read that the correct way to do this is via bridge and this is why im trying to figure out how to set it up.
Any help will be highly appreciated.

Thank you.

dario111 · August 11, 2020, 10:29pm

Hi,

the topic is pretty old, but I had the same trouble this evening.

I have c3750 <=> LACP 2ports <=> Mikrotik CRS354
C3750 IOS is 12.2.58(SE2)
RouterOS is 6.47.1

VLAN1000 is trunked on both sides; on Cisco on PortChannel interface, on Mikrotik on bond interface.
On Mikrotik that vlan is bridged with 3 phy ports and VRRP interface is configured bridge. VRRP VIP is /32.

I had Master on both sides until I changed VRRP protocol from v3 to v2 on Mikrotik and kept IPv4 of course.
It instantly went to backup as it’s higher prio on Cisco side set.