classic config has reachability issues
Debian 12 FRR 10.4.1 BGP and IS-IS with VRRP, i.e. old skool isp style

when both routers are up, some LAN hosts are not reachable from WAN, others are; no pattern i can see. but all are reachable from within LAN.

`systemctl stop frr.service` on r0, and everything is fine, i.e. reachable from WAN (well, r0 isn't unless those gateways are uncommented).

i suspect vrrp issues, but have no real basis to do so. i have checked the /25 netmask everywhere. but i am sure i am doing something wrongly.

clue bat appreciated.

randy

---

```
         NTT                                  Cogent
          |                                      |
 +--------+--------+                    +--------+--------+
 |                 |                    |                 |
 |       r0        |                    |       r1        |
 |                 |                    |                 |
 +--------+--------+                    +--------+--------+
          |                                      |
       Primary                                Primary
          &                                      &
        VRRP                                   VRRP
          |                LAN/25                |
----------+--------------------------------------+----------
```

`/etc/network/interfaces` look like

```
auto lo
iface lo inet loopback

# IS-IS loopback for iBGP peering
auto lo:0
iface lo:0 inet static
    address 192.168.254.10/32
iface lo:0 inet6 static
    address fc00::10/128

# LAN
auto eno1
iface eno1 inet static
    address 198.180.150.120/25
    dns-nameservers 127.0.0.1 198.180.150.8
    dns-search rg.net
iface eno1 inet6 static
    address 2001:418:8006::120/64
iface eno1
    vrrp 6 198.180.150.126/25 2001:418:8006::126/64

# WAN
auto eno4
iface eno4 inet static
    address 129.250.10.158/30
#   gateway 129.250.10.157
iface eno4 inet6 static
    address 2001:418:8000:5000::1a/126
#   gateway 2001:418:8000:5000::19
```

IS-IS and BGP converge happily

frr configs

```
frr version 10.4.1
frr defaults traditional
hostname r0.iad.rg.net
log syslog informational
service password-encryption
service integrated-vtysh-config
!
ip prefix-list export4 seq 5 permit 198.180.150.0/24
!
ipv6 prefix-list export6 seq 5 permit 2001:418:8006::/48
!
route-map accept-all permit 10
exit
!
route-map deny-all deny 10
exit
!
route-map transit-in4 permit 10
 set community 3927:2914
exit
!
route-map transit-in6 permit 10
 set community 3927:386
exit
!
route-map cust-in4 permit 10
 set community 3927:374
exit
!
route-map cust-in6 permit 10
 set community 3927:376
exit
!
route-map transit-out4 deny 10
 match ip address prefix-list export4
exit
!
route-map transit-out4 permit 20
 match community comm-cust4
exit
!
route-map transit-out6 deny 10
 match ipv6 address prefix-list export6
exit
!
route-map transit-out6 permit 20
 match community comm-cust6
exit
!
password 8 foo
enable password 8 bar
!
interface eno1
 description RGnet LAN
 ip router isis p1
 ipv6 router isis p1
 isis circuit-type level-2-only
 vrrp 6 version 3
 vrrp 6 priority 90
 vrrp 6 ip 198.180.150.126
 vrrp 6 ipv6 2001:418:8006::126
exit
!
interface eno4
 description NTT
 ip router isis p1
 ipv6 router isis p1
 isis circuit-type level-2-only
 isis passive
exit
!
interface lo
 ip router isis p1
 ipv6 router isis p1
 isis circuit-type level-2-only
 isis passive
exit
!
router bgp 3927
 bgp router-id 198.180.150.120
 no bgp default ipv4-unicast
 no bgp network import-check
 neighbor 129.250.10.157 remote-as 2914
 neighbor 129.250.10.157 password feen
 neighbor 192.168.254.11 remote-as 3927
 neighbor 192.168.254.11 password foon
 neighbor 192.168.254.11 update-source 192.168.254.10
 neighbor 2001:418:8000:5000::19 remote-as 2914
 neighbor 2001:418:8000:5000::19 password feen
 neighbor fc00::11 remote-as 3927
 neighbor fc00::11 password foon
 neighbor fc00::11 update-source fc00::10
 !
 address-family ipv4 unicast
  network 198.180.150.0/24
  neighbor 129.250.10.157 activate
  neighbor 129.250.10.157 route-map transit-in4 in
  neighbor 129.250.10.157 route-map transit-out4 out
  neighbor 192.168.254.11 activate
  neighbor 192.168.254.11 route-map accept-all in
  neighbor 192.168.254.11 route-map accept-all out
 exit-address-family
 !
 address-family ipv6 unicast
  network 2001:418:8006::/48
  neighbor 2001:418:8000:5000::19 activate
  neighbor 2001:418:8000:5000::19 route-map transit-in6 in
  neighbor 2001:418:8000:5000::19 route-map transit-out6 out
  neighbor fc00::11 activate
 exit-address-family
exit
!
router isis p1
 net 47.0001.1921.6825.4010.00
exit
!
bgp community-list standard comm-cust4 seq 5 permit 3927:374
bgp community-list standard comm-cust6 seq 5 permit 3927:376
bgp community-list standard comm-trans4 seq 5 permit 3927:384
bgp community-list standard comm-trans6 seq 5 permit 3927:386
!
end
```

-30-

is-is seems to work, i.e. ibgps can find each other via the loopbacks

```
neighbor 192.168.254.11 remote-as 3927
```

etc. but i have to wonder if, given

```
auto lo:0
iface lo:0 inet static
    address 192.168.254.10/32
iface lo:0 inet6 static
    address fc00::10/128
```

maybe `/etc/frr/daemons` should have

```
isisd_options=" -A 192.168.254.10"
```

or some analogous hack. and what about v6?

randy

i observe that the v4 vrrp virtual interface on the troublesome router has an extra ipv6 address, 2001:418:8006:0:349e:1bc5:a7e8:844d/64, in the real global space

```
9: vrrp4-2-6@eno1: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state LOWERLAYERDOWN group default qlen 1000
    link/ether 00:00:5e:00:01:06 brd ff:ff:ff:ff:ff:ff protodown on
    inet 198.180.150.126/25 metric 1024 scope global vrrp4-2-6
       valid_lft forever preferred_lft forever
 -> inet6 2001:418:8006:0:349e:1bc5:a7e8:844d/64 scope global dynamic mngtmpaddr stable-privacy
       valid_lft 2588868sec preferred_lft 601668sec
    inet6 fe80::a502:68e5:2c20:cadb/64 scope link stable-privacy
       valid_lft forever preferred_lft forever
10: vrrp6-2-6@eno1: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state LOWERLAYERDOWN group default qlen 1000
    link/ether 00:00:5e:00:02:06 brd ff:ff:ff:ff:ff:ff protodown on protodown_reason <7>
    inet6 2001:418:8006::126/64 metric 1024 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::77f2:a95d:8e32:730a/64 scope link stable-privacy
       valid_lft forever preferred_lft forever
```

while the untroubled router does not

```
6: vrrp4-4-6@eno3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 00:00:5e:00:01:06 brd ff:ff:ff:ff:ff:ff
    inet 198.180.150.126/25 metric 1024 scope global vrrp4-4-6
       valid_lft forever preferred_lft forever
    inet6 fe80::9e58:24dc:52b6:1ce9/64 scope link stable-privacy
       valid_lft forever preferred_lft forever
7: vrrp6-4-6@eno3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 00:00:5e:00:02:06 brd ff:ff:ff:ff:ff:ff
    inet6 2001:418:8006::126/64 metric 1024 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::9b66:4468:512:fc74/64 scope link stable-privacy
       valid_lft forever preferred_lft forever
```

problem resolved thanks to hak at routeviews. vrrp wants

```
net.ipv4.conf.eno1.ignore_routes_with_linkdown=1
net.ipv6.conf.eno1.ignore_routes_with_linkdown=1
net.ipv6.conf.all.autoconf=0
net.ipv6.conf.vrrp4-2-6.autoconf=0
net.ipv6.conf.vrrp6-2-6.autoconf=0
```

i do not know where this should go in docs.

randy
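
Added example, not part of the original posts and not FRR's own tooling: a shell check for the two things this thread turned on, a SLAAC-learned address on a VRRP macvlan interface and the sysctl values listed in the resolution. The function names and the sample `ip addr` / `sysctl -a` text are constructed; the parent and VRRP interface names are assumed to be supplied by the caller.

```sh
#!/bin/sh
# Added example. Function names and all sample data are constructed.

# Input: `ip addr show` text. Prints "ifname address" for each vrrp*
# interface holding a SLAAC-learned ("dynamic") inet6 address.
vrrp_slaac_addrs() {
    awk '
        /^[0-9]+: / { ifname = $2; sub(/@.*/, "", ifname); sub(/:$/, "", ifname) }
        $1 == "inet6" && ifname ~ /^vrrp[46]-/ && / dynamic( |$)/ { print ifname, $2 }
    '
}

# Input: `sysctl -a` text. $1 = parent interface, remaining args = VRRP
# macvlan interfaces. Prints each required key=value that is absent or differs.
missing_vrrp_sysctls() {
    parent=$1; shift
    want="net.ipv4.conf.$parent.ignore_routes_with_linkdown=1
net.ipv6.conf.$parent.ignore_routes_with_linkdown=1
net.ipv6.conf.all.autoconf=0"
    for m in "$@"; do
        want="$want
net.ipv6.conf.$m.autoconf=0"
    done
    # sysctl prints "key = value"; normalise to "key=value" for exact matching.
    have=$(sed 's/[[:space:]]*=[[:space:]]*/=/')
    printf '%s\n' "$want" | while IFS= read -r kv; do
        printf '%s\n' "$have" | grep -Fqx -- "$kv" || printf '%s\n' "$kv"
    done
}

# Constructed sample: SLAAC address on the v4 VRRP macvlan, as in the symptom.
SAMPLE_IP='9: vrrp4-2-6@eno1: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 state LOWERLAYERDOWN
    inet 198.180.150.126/25 metric 1024 scope global vrrp4-2-6
    inet6 2001:db8::1234/64 scope global dynamic mngtmpaddr stable-privacy
    inet6 fe80::1/64 scope link stable-privacy
10: vrrp6-2-6@eno1: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 state LOWERLAYERDOWN
    inet6 2001:418:8006::126/64 metric 1024 scope global'

# Constructed sample: only two of the five settings are already correct.
SAMPLE_SYSCTL='net.ipv4.conf.eno1.ignore_routes_with_linkdown = 1
net.ipv6.conf.eno1.ignore_routes_with_linkdown = 0
net.ipv6.conf.all.autoconf = 1
net.ipv6.conf.vrrp4-2-6.autoconf = 1
net.ipv6.conf.vrrp6-2-6.autoconf = 0'

printf '%s\n' "$SAMPLE_IP" | vrrp_slaac_addrs
printf '%s\n' "$SAMPLE_SYSCTL" | missing_vrrp_sysctls eno1 vrrp4-2-6 vrrp6-2-6
```

On a live router the same functions take `ip addr show` and `sysctl -a` on stdin in place of the samples; empty output from both means the interface state matches the settings in the resolution.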
participants (1): Randy Bush