Re: VRRP Setup and Security

Ashok K Gurung
Frequent Advisor

VRRP Setup and Security

Hi

I am in the process of setting up VRRP on our two 5406zl switches and came across a security issue. I am starting to worry about the scenario where a misconfigured VRRP router is brought online and all of a sudden the network goes everywhere. I also found out that the password-protection part of VRRP is useless.

I will really appreciate it if you could share your experience with this and comment on how we can best protect VRRP routers from misbehaving.

Thank you and looking forward to your comments.

Alexi Lookin
Occasional Advisor

Re: VRRP Setup and Security

Be aware of inter-switch link blocking by MSTP. In this case the default VRRP router for some VLANs will point to the secondary switch. VRRP and MSTP work separately.

Ashok K Gurung
Frequent Advisor

Re: VRRP Setup and Security

Thanks Alexi

In our case we have a two-port trunk between the switches, and I saw LACP blocking one of the ports rather than MSTP at this stage.

We also have the following issue:

In order to load balance the switches, we have the VRRP owner for some VLANs on one switch and for others on the other switch. We also have an OSPF VLAN not belonging to any VRRP, as this is where the uplink is connected.

When I check the OSPF route table on a third router (the upstream router) connected/set up in the same OSPF area, I see all VLANs are advertised through one switch only. E.g. SwitchA is VRRP master for vlanA and VRRP backup for vlanB, yet the upstream OSPF router shows the path to vlanB as being via SwitchA.

My understanding was that the switch which is the VRRP master for the VLAN should be advertising it directly, not the switch with the VRRP backup role.

E.g. if SwitchA is the VRRP master for vlanA, then the upstream router should see SwitchA as the gateway to vlanA, and if SwitchB is the VRRP master for vlanB, then the upstream router should see SwitchB as the gateway to vlanB. Am I correct in saying this?

I couldn't understand why this is happening; I will appreciate your feedback.

Note: I know it's not ideal, but if you have to run an iSCSI network here, would you enable MSTP on those ports/VLANs where the iSCSI nodes will be connected?

I have uploaded the file I am using to create my scenario in case you would want to look at it.

Alexi Lookin
Occasional Advisor

Re: VRRP Setup and Security

Everything looks fine, or close enough.

VRRP is quite a simple protocol, so it is hard to make a serious error.

But!

I set up a similar scenario (a couple of 5412zl core switches, two separate MSTP trees, each containing half of the VLANs) and had a problem of the default gateway spontaneously migrating to the backup switch. Communication to the distribution/aggregation switches was over 10GB interfaces and the inter-core link was a 30GB aggregated trunk.

Getting deeper with HP support, we found the reason: the MSTP protocol assigns the same path cost (weight) to any link faster than 10GB, and sometimes MSTP decided to block the inter-core link, considering it an extra path; the backup VRRP switch, due to the blocked link, found communication broken and set up the secondary core as the default gateway. Assigning a path cost on the inter-switch link LOWER than on ordinary trunks resolves the problem. This is the only serious caveat with VRRP.

Ashok K Gurung
Frequent Advisor

Re: VRRP Setup and Security

Hi All

OK, I didn't have much time left, so I had to deploy into production, and so far so good. But here is what I had to do, as I was getting a few problems:

1) I couldn't use "spanning-tree b11 bpdu-filter" on the port which is connected to our firewall (the VLAN with OSPF, not part of VRRP). It was not applied, as we got the error “OSPF: RECV: Discarding invalid packet : Packet with same router id as ours". The only way we could get this error message to go away was by not having this command. I couldn't figure out what the issue was. Oh, the firewall and WAN routers in this VLAN don't have STP enabled, but this link goes through a Riverbed WAN Accelerator.

2) We couldn't use the VRRP preempt delay feature. When we used it we got lots of VRRP errors in our log. When we looked into it with the show vrrp command, we could see both master and backup routers advertising themselves as the master VRRP router for that VLAN.

Command example:

vlan 98 vrrp vrid 98 disable
vlan 98 vrrp vrid 98 advertise-interval 2
vlan 98 vrrp vrid 98 preempt-delay-time 30
vlan 98 vrrp vrid 98 enable


We had to remove the delay option altogether. Oh, the switches were connected and we could ping each other and telnet to each other via each other's interfaces.

3) We disabled STP in the iSCSI VLAN (as per best practice from our storage vendor).

4) Enabled flow control on the iSCSI VLAN ports.

5) Enabled LACP on the ports where the virtual servers are connected.

6) Have the iSCSI VLAN with the highest QoS, 7.

7) Telephone service has QoS 6, and so on...

8) The commands below to set up the time on the switch don't give us Australian time. I think we are getting US time for some reason (a day behind). I also tried adding our local DC server's IP address, the time zone, and different local NTP server addresses, but all of them got me the wrong date and time. Am I missing something here?

sntp unicast
sntp 30
sntp server priority 1 203.188.137.97 (one of the IP addresses of the au pool)
timesync sntp

Anything I may have to worry about or might want to improve in this setup? If you want to suggest something, it will be much appreciated (I will of course have to do the changes on our next planned downtime).

Thank you
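As an added defender-side example (not from this thread or from HPE's tooling), the Python below parses VRRPv2 advertisements captured on a VLAN and flags the two things raised in this thread: the original post's worry about a misconfigured or unknown router coming online as master (an allow-list of legitimate router addresses stands in for the VRRP password, which RFC 3768 removed because it offers no real protection), and point 2's symptom of both switches advertising themselves as master for VRID 98. The policy addresses and the capture tuples are constructed assumptions; only "vrid 98" and "advertise-interval 2" come from the thread.

```python
import struct
from ipaddress import IPv4Address

def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement sum (VRRP payloads are always even-length)."""
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_adv(vrid, priority, adver_int, addrs):
    """Constructed RFC 3768 advertisement (version 2, type 1, auth type 0)."""
    hdr = struct.pack("!BBBBBBH", 0x21, vrid, priority, len(addrs), 0, adver_int, 0)
    body = hdr + b"".join(IPv4Address(a).packed for a in addrs) + bytes(8)
    return body[:6] + struct.pack("!H", inet_checksum(body)) + body[8:]

def parse_adv(pkt: bytes) -> dict:
    """Decode and validate one advertisement; raises ValueError if anything is off."""
    if len(pkt) < 16 or pkt[0] != 0x21:
        raise ValueError("not a VRRPv2 advertisement")
    _, vrid, prio, naddr, auth, adver, csum = struct.unpack("!BBBBBBH", pkt[:8])
    if len(pkt) != 16 + 4 * naddr or inet_checksum(pkt[:6] + b"\x00\x00" + pkt[8:]) != csum:
        raise ValueError("bad length or checksum")
    # Auth field is not trusted: RFC 3768 removed VRRP authentication, so the allow-list is the control.
    addrs = [str(IPv4Address(pkt[8 + 4 * i:12 + 4 * i])) for i in range(naddr)]
    return {"vrid": vrid, "priority": prio, "adver_int": adver, "auth": auth, "addrs": addrs}

# Assumed policy for VRID 98 (addresses constructed; the thread gives only vrid 98 and interval 2).
POLICY = {98: {"routers": {"10.98.0.2", "10.98.0.3"}, "vip": {"10.98.0.1"}, "adver_int": 2}}

def audit(observations, policy=POLICY):
    findings, last_seen = [], {}
    for ts, src, raw in observations:  # (seconds, source IP, raw VRRP payload)
        try:
            adv = parse_adv(raw)
        except ValueError as err:
            findings.append(f"{src}: malformed advertisement ({err})")
            continue
        vrid, rule = adv["vrid"], policy.get(adv["vrid"])
        if rule is None or src not in rule["routers"]:
            findings.append(f"{src}: unexpected master for VRID {vrid}")
        elif set(adv["addrs"]) != rule["vip"] or adv["adver_int"] != rule["adver_int"]:
            findings.append(f"{src}: VRID {vrid} parameters differ from policy")
        # Only the master advertises; a second source inside the master-down interval
        # (3 x adver_int, skew ignored) means two routers both believe they are master.
        prev = last_seen.get(vrid)
        if prev and prev[0] != src and ts - prev[1] < 3 * adv["adver_int"]:
            findings.append(f"dual master on VRID {vrid}: {prev[0]} and {src}")
        last_seen[vrid] = (src, ts)
    return findings
```

A clean failover (the backup starts advertising only after the master-down interval has elapsed) produces no finding, so the dual-master rule separates the legitimate case from the symptom seen with show vrrp.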