[FROG] classic config has reachability issues

Randy Bush randy at psg.com
Wed Aug 13 02:17:06 UTC 2025


Debian 12
FRR 10.4.1
BGP and IS-IS with VRRP, i.e. old skool isp style
                                                                     
when both routers are up, some LAN hosts are not reachable from WAN,
others are; no pattern i can see.  but all are reachable from within
LAN.

`systemctl stop frr.service` on r0, and everything is fine, i.e.
reachable from WAN (well, r0 isn't unless those gateways are
uncommented).

i suspect vrrp issues, but have no real basis to do so.  i have checked
the /25 netmask everywhere.

but i am sure i am doing something wrongly.  clue bat appreciated.

randy

---

             NTT                                   Cogent            
              |                                      |               
     +--------+--------+                    +--------+--------+      
     |                 |                    |                 |      
     |       r0        |                    |       r1        |      
     |                 |                    |                 |      
     +--------+--------+                    +--------+--------+      
              |                                      |               
           Primary                                Primary            
              &                                      &               
             VRRP                                   VRRP             
              |              LAN/25                  |               
    ----------+--------------------------------------+----------

`/etc/network/interfaces` looks like

    # Host network config, presumably r0's: 198.180.150.120 is also the BGP
    # router-id in the FRR config posted below.
    auto lo
    iface lo inet loopback
    # IS-IS loopback for iBGP peering
    # (these two addresses are the update-source of the iBGP sessions in the
    # FRR config below)
    auto lo:0
    iface lo:0 inet static
	    address 192.168.254.10/32
    iface lo:0 inet6 static
	    address fc00::10/128
    # LAN
    # IPv4 is a /25 while the IPv6 side of the same segment is a /64.
    auto eno1
    iface eno1 inet static
	    address 198.180.150.120/25
	    dns-nameservers 127.0.0.1 198.180.150.8
	    dns-search rg.net
    iface eno1 inet6 static
	    address 2001:418:8006::120/64
    # VRRP group 6 virtual addresses; the same VRID and addresses appear under
    # "interface eno1" in the FRR config.
    # NOTE(review): "vrrp" is not a classic ifupdown option; presumably this
    # relies on ifupdown2 to create the macvlan device that FRR's vrrpd needs
    # for VRID 6 -- confirm which package is installed and that the device exists.
    iface eno1
	    vrrp 6 198.180.150.126/25 2001:418:8006::126/64
    # WAN
    # Both default gateways are left commented out, so no static default
    # route is configured here; the post notes r0 itself is not reachable
    # from WAN with FRR stopped unless they are uncommented.
    auto eno4
    iface eno4 inet static
	    address 129.250.10.158/30
    #       gateway 129.250.10.157

    iface eno4 inet6 static
	    address 2001:418:8000:5000::1a/126
    #       gateway 2001:418:8000:5000::19

IS-IS and BGP converge happily

frr configs

    ! Global settings, prefix-lists, route-maps and vty passwords for r0.
    frr version 10.4.1
    frr defaults traditional
    hostname r0.iad.rg.net
    log syslog informational
    ! Stores the vty/enable passwords below in hidden form; it does not
    ! replace redacting them before a config is posted publicly.
    service password-encryption
    ! All daemons share this one config file, loaded through vtysh.
    service integrated-vtysh-config
    !
    ! The prefixes this router originates (see the "network" statements
    ! under router bgp).
    ip prefix-list export4 seq 5 permit 198.180.150.0/24
    !
    ipv6 prefix-list export6 seq 5 permit 2001:418:8006::/48
    !
    ! No match clause: permits every route unchanged (used on the IPv4 iBGP session).
    route-map accept-all permit 10
    exit
    !
    ! No match clause: rejects every route. Not applied to any neighbor in this config.
    route-map deny-all deny 10
    exit
    !
    ! Inbound from transit: accept everything and tag it. "set community"
    ! without "additive" replaces whatever communities the upstream sent.
    ! NOTE(review): there is no match clause, so nothing here rejects the
    ! site's own prefixes or bogons when learned from transit -- confirm
    ! that is intended.
    ! NOTE(review): 3927:2914 is not matched by any community-list in this
    ! config (comm-trans4 matches 3927:384) -- confirm the intended value.
    route-map transit-in4 permit 10
     set community 3927:2914
    exit
    !
    route-map transit-in6 permit 10
     set community 3927:386
    exit
    !
    ! Customer tagging maps; not applied to any neighbor in this config.
    route-map cust-in4 permit 10
     set community 3927:374
    exit
    !
    route-map cust-in6 permit 10
     set community 3927:376
    exit
    !
    ! Outbound to transit. As written, seq 10 DENIES routes matching export4
    ! (the locally originated /24) and seq 20 permits only routes carrying the
    ! comm-cust4 community; everything else hits the implicit deny.
    ! NOTE(review): this means r0 does not announce 198.180.150.0/24 to the
    ! transit neighbor -- confirm that is intended and not an inverted
    ! permit/deny.
    route-map transit-out4 deny 10
     match ip address prefix-list export4
    exit
    !
    route-map transit-out4 permit 20
     match community comm-cust4
    exit
    !
    ! IPv6 mirror of transit-out4; the same NOTE(review) applies to export6.
    route-map transit-out6 deny 10
     match ipv6 address prefix-list export6
    exit
    !
    route-map transit-out6 permit 20
     match community comm-cust6
    exit
    !
    ! vty and enable passwords; the "8" marks the value as an already-hidden
    ! string. "foo"/"bar" are presumably placeholders substituted for
    ! posting -- real hashes should be redacted the same way.
    password 8 foo
    enable password 8 bar
    !
    ! LAN interface: IS-IS level-2 circuit (not passive, so adjacencies can
    ! form on the LAN, presumably with r1) plus VRRP group 6.
    ! NOTE(review): no IS-IS authentication is configured on this circuit or
    ! under "router isis p1"; if the LAN is not fully trusted, consider
    ! "isis password" on the circuit.
    ! VRRP version 3 carries no authentication of its own, so mastership
    ! depends on the LAN segment being trusted.
    ! Priority 90 is below FRR's default of 100; r1's priority is not shown.
    ! Check: "show vrrp" on both routers should report exactly one Master for
    ! VRID 6 in each address family.
    interface eno1
     description RGnet LAN
     ip router isis p1
     ipv6 router isis p1
     isis circuit-type level-2-only
     vrrp 6 version 3
     vrrp 6 priority 90
     vrrp 6 ip 198.180.150.126
     vrrp 6 ipv6 2001:418:8006::126
    exit
    !
    ! WAN interface: passive in IS-IS, so the transit link subnets are
    ! advertised internally without forming an adjacency toward NTT. The BGP
    ! config sets no next-hop-self, so the iBGP peer presumably resolves
    ! transit next hops through this advertisement.
    interface eno4
     description NTT
     ip router isis p1
     ipv6 router isis p1
     isis circuit-type level-2-only
     isis passive
    exit
    !
    ! Loopback: passive in IS-IS; presumably advertises the lo:0 addresses
    ! used as iBGP update-source.
    interface lo
     ip router isis p1
     ipv6 router isis p1
     isis circuit-type level-2-only
     isis passive
    exit
    !
    ! BGP for AS 3927: eBGP to AS 2914 over the WAN link (described as NTT on
    ! eno4) and iBGP to 192.168.254.11 / fc00::11 (presumably r1's loopback),
    ! each over IPv4 and IPv6 transport.
    router bgp 3927
     ! Router-id is the LAN address of eno1, not the loopback.
     bgp router-id 198.180.150.120
     ! Neighbors carry no address family until activated below.
     no bgp default ipv4-unicast
     ! The "network" statements below originate their prefix even without a
     ! matching route in the RIB (the LAN itself is only a /25 of the /24).
     no bgp network import-check
     ! "neighbor ... password" enables TCP MD5 on the session. "feen" and
     ! "foon" are presumably placeholders; real session secrets should be
     ! redacted before a config is shared.
     ! NOTE(review): no maximum-prefix limit is set on the transit sessions.
     neighbor 129.250.10.157 remote-as 2914
     neighbor 129.250.10.157 password feen
     neighbor 192.168.254.11 remote-as 3927
     neighbor 192.168.254.11 password foon
     neighbor 192.168.254.11 update-source 192.168.254.10
     neighbor 2001:418:8000:5000::19 remote-as 2914
     neighbor 2001:418:8000:5000::19 password feen
     neighbor fc00::11 remote-as 3927
     neighbor fc00::11 password foon
     neighbor fc00::11 update-source fc00::10
     !
     address-family ipv4 unicast
      network 198.180.150.0/24
      neighbor 129.250.10.157 activate
      ! NOTE(review): transit-out4 seq 10 is a deny on prefix-list export4,
      ! i.e. on the /24 originated above -- confirm that is intended.
      neighbor 129.250.10.157 route-map transit-in4 in
      neighbor 129.250.10.157 route-map transit-out4 out
      neighbor 192.168.254.11 activate
      neighbor 192.168.254.11 route-map accept-all in
      neighbor 192.168.254.11 route-map accept-all out
     exit-address-family
     !
     address-family ipv6 unicast
      network 2001:418:8006::/48
      neighbor 2001:418:8000:5000::19 activate
      ! NOTE(review): transit-out6 seq 10 likewise denies prefix-list export6,
      ! i.e. the /48 originated above.
      neighbor 2001:418:8000:5000::19 route-map transit-in6 in
      neighbor 2001:418:8000:5000::19 route-map transit-out6 out
      ! Unlike the IPv4 iBGP session, no route-map is attached here;
      ! presumably harmless for iBGP, but inconsistent with IPv4.
      neighbor fc00::11 activate
     exit-address-family
    exit
    !
    ! IS-IS instance p1. The NET is area 47.0001, system-id 1921.6825.4010
    ! (the loopback 192.168.254.10 zero-padded), selector 00.
    ! No area or domain authentication is configured here.
    router isis p1
     net 47.0001.1921.6825.4010.00
    exit
    !
    ! Community lists. comm-cust4/6 are matched by transit-out4/6 seq 20.
    ! comm-trans4/6 are not referenced by any route-map in this config.
    ! NOTE(review): comm-trans4 matches 3927:384 but transit-in4 sets
    ! 3927:2914; comm-trans6 (3927:386) does match what transit-in6 sets.
    ! Confirm the intended IPv4 value.
    bgp community-list standard comm-cust4 seq 5 permit 3927:374
    bgp community-list standard comm-cust6 seq 5 permit 3927:376
    bgp community-list standard comm-trans4 seq 5 permit 3927:384
    bgp community-list standard comm-trans6 seq 5 permit 3927:386
    !
    end

-30-


