David, you are so right! But how is that possible? When I capture the packets they are really protocol vrrp!!

Thanks,
Bit
term VRRP {
    from {
        source-prefix-list {
            VRRP-PL;
        }
        destination-prefix-list {
            MCAST-RSRVD-PL;    ## this contains 224.0.0.18
        }
    }
    then {
        count VRRP;
        accept;
    }
}

l...@jr4> show firewall filter LUCA
Filter: LUCA
Counters:
Name                 Bytes        Packets
VRRP                 1598         18

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Instead:

l...@jr4# show firewall filter LUCA
term FXP0 {
    from {
        interface fxp0.0;
    }
    then accept;
}
term VRRP {
    from {
        source-prefix-list {
            VRRP-PL;
        }
        destination-prefix-list {
            MCAST-RSRVD-PL;
        }
        protocol vrrp;
    }
    then {
        count VRRP;
        accept;
    }
}
[edit]
l...@jr4# run clear firewall all
[edit]
l...@jr4# run show firewall filter LUCA
Filter: LUCA
Counters:
Name                 Bytes        Packets
VRRP                 0            0

On Thu, 2009-11-12 at 09:16 +0100, david....@orange-ftgroup.com wrote:
> Did you try to replace "from protocol vrrp" by "from destination-address
> 224.0.1.18" ?
>
> David
>
> David Roy
> Orange France - RBCI IP Technical Assistance Center
> Tel. +33(0)299876472
> Mob. +33(0)685522213
> Email. david....@orange-ftgroup.com
>
> -----Original Message-----
> From: juniper-nsp-boun...@puck.nether.net
> [mailto:juniper-nsp-boun...@puck.nether.net] On behalf of Bit Gossip
> Sent: Wednesday 11 November 2009 22:11
> To: Juniper List
> Subject: Re: [j-nsp] RE : VRRP packets neither counted nor logged
>
> Well this is getting interesting: I have enabled md5 and this is what I get
> (jr4=Junos9.5 CoPP=IOS12.4):
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> $ sudo tcpdump -i eth0 dst host 224.0.0.18
>
> 21:57:17.670215 IP jr4 > VRRP.MCAST.NET: AH(spi=0xabababab,seq=0x18b):
> VRRPv2, Advertisement, vrid 126, prio 100, authtype ah, intvl 1s, length 20
>
> 21:57:17.878430 IP copp > VRRP.MCAST.NET: VRRPv2, Advertisement, vrid 126,
> prio 100, authtype #254, intvl 1s, length 50
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> So Junos uses AH and Cisco doesn't - and of course VRRP is broken :-(
>
> With regards to the fw issue of my original post, the term VRRP does match
> VRRP packets, at least without authentication, but it just doesn't count them!
> This is proven by the fact that if I change the term action from accept to
> reject, VRRP is broken.
>
> Thanks,
> Bit.
>
> On Wed, 2009-11-11 at 20:59 +0100, david....@orange-ftgroup.com wrote:
> > Does your vrrp use MD5 authentication? If yes, VRRP uses an AH header.
> > So, the IP protocol field is 51. You need to filter to the vrrp
> > multicast destination address : 224.0.1.18 and not to the protocol
> > vrrp
> >
> > Regards,
> > David
> > David Roy
> > Orange France - RBCI IP Technical Assistance Center
> > +33(0)299876472
> > +33(0)685522213
> > david....@orange-ftgroup.com
> >
> > ______________________________________________________________________
> > From: juniper-nsp-boun...@puck.nether.net on behalf of Bit Gossip
> > Date: Wed. 11/11/2009 18:55
> > To: Juniper List
> > Subject: [j-nsp] VRRP packets neither counted nor logged
> >
> > Experts, any idea why?
> >
> > The firewall term VRRP matches packets because if I change the action
> > to reject the vrrp status changes to master because vrrp from the
> > other router are not heard anymore.
> >
> > Nevertheless matched packets are neither counted nor logged :-(
> >
> > l...@jr4> show configuration firewall filter LUCA
> > term VRRP {
> >     from {
> >         protocol vrrp;
> >     }
> >     then {
> >         count RT-VRRP;
> >         log;
> >         accept;
> >     }
> > }
> > term FXP0-ACCEPT {
> >     from {
> >         interface fxp0.0;
> >     }
> >     then {
> >         count FXP0-ACCEPT;
> >         accept;
> >     }
> > }
> >
> > l...@jr4> show firewall log
> >
> > l...@jr4> show firewall filter LUCA
> >
> > Filter: LUCA
> > Counters:
> > Name                 Bytes        Packets
> > RT-VRRP              0            0
> > FXP0-ACCEPT          43570        802
> >
> > l...@jr4> show vrrp detail
> > Physical interface: ge-1/3/0, Unit: 1, Vlan-id: 1, Address: 10.15.4.74/26
> >   Index: 71, SNMP ifIndex: 135, VRRP-Traps: disabled
> >   Interface state: up, Group: 126, State: backup
> >   Priority: 100, Advertisement interval: 1, Authentication type: none
> >   Delay threshold: 100, Computed send rate: 0
> >   Preempt: yes, Accept-data mode: yes, VIP count: 1, VIP: 10.15.4.126
> >   Dead timer: 2.833s, Master priority: 100, Master router: 10.15.4.75
> >   Virtual router uptime: 00:47:44
> >   Tracking: disabled
> >
> > l...@jr4> monitor traffic interface ge-1/3/0 no-resolve matching "dst
> > host 224.0.0.18" detail count 1
> > Address resolution is OFF.
> > Listening on ge-1/3/0, capture size 1514 bytes
> >
> > 14:47:32.936935 In IP (tos 0xc0, ttl 255, id 0, offset 0, flags [none],
> > proto: VRRP (112), length: 40) 10.15.4.75 > 224.0.0.18:
> > VRRPv2-advertisement 20: vrid=126 prio=100 authtype=none intvl=1 addrs:
> > 10.15.4.126
> >
> > l...@jr4> show configuration interfaces lo0
> > unit 0 {
> >     family inet {
> >         filter {
> >             input LUCA;
> >         }
> >         address 127.0.0.1/32;
> >         address 1.1.1.1/32 {
> >             primary;
> >             preferred;
> >         }
> >     }
> >     family iso {
> >         address 49.6666.0000.0000.0000.0000.0001.00;
> >     }
> > }
> >
> > l...@jr4> show configuration interfaces ge-1/3/0
> > vlan-tagging;
> > link-mode full-duplex;
> > gigether-options {
> >     no-flow-control;
> > }
> > unit 1 {
> >     vlan-id 1;
> >     family inet {
> >         no-redirects;
> >         policer {
> >             arp ARP-POLICER;
> >         }
> >         address 10.15.4.74/26 {
> >             vrrp-group 126 {
> >                 virtual-address 10.15.4.126;
> >                 advertise-interval 1;
> >                 accept-data;
> >             }
> >         }
> >     }
> >     family iso;
> >     family mpls;
> > }
> >
> > _______________________________________________
> > juniper-nsp mailing list juniper-nsp@puck.nether.net
> > https://puck.nether.net/mailman/listinfo/juniper-nsp
> >
> > *********************************
> > This message and any attachments (the "message") are confidential and
> > intended solely for the addressees.
> > Any unauthorised use or dissemination is prohibited.
> > Messages are susceptible to alteration.
> > France Telecom Group shall not be liable for the message if altered,
> > changed or falsified.
> > If you are not the intended addressee of this message, please cancel it
> > immediately and inform the sender.
> > ********************************
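The point the thread arrives at is that an RE filter keyed on "protocol vrrp" (IP protocol 112) cannot see VRRPv2 advertisements once a peer authenticates with AH, because the outer IP protocol field is then 51 and the VRRP header sits behind the AH header; the group address 224.0.0.18 is the constant that both forms share. The configuration below is an added example written for this page, not the config of anyone in the thread: a loopback filter term that accepts VRRP from the configured peers in either form and counts and logs anything else aimed at the group address. The filter name RE-PROTECT, the counter names, and the contents of prefix-list VRRP-PL (the peer subnet taken from the thread's ge-1/3/0 unit 1 address) are assumptions; only the interface, address and prefix-list name VRRP-PL come from the thread.

```junos
/* Added example, not from the thread. Assumes prefix-list VRRP-PL holds
   the real (non-virtual) addresses of the VRRP peers on the segment; the
   10.15.4.64/26 entry is the subnet of ge-1/3/0 unit 1 in the thread. */
policy-options {
    prefix-list VRRP-PL {
        10.15.4.64/26;
    }
}
firewall {
    family inet {
        filter RE-PROTECT {
            /* Unauthenticated VRRPv2 arrives as IP protocol 112 (vrrp).
               AH-authenticated VRRPv2 arrives as IP protocol 51 (ah) with
               VRRP as the AH next header, so a match on "protocol vrrp"
               alone never sees it. Matching both protocols together with
               the fixed group address 224.0.0.18 covers both forms. */
            term VRRP-FROM-PEERS {
                from {
                    source-prefix-list {
                        VRRP-PL;
                    }
                    destination-address {
                        224.0.0.18/32;
                    }
                    protocol [ vrrp ah ];
                }
                then {
                    count VRRP-OK;
                    accept;
                }
            }
            /* Advertisements to the group address from any other source
               are not from a configured peer. Count and log them before
               dropping so a rogue advertiser on the segment is visible in
               "show firewall filter RE-PROTECT" and "show firewall log". */
            term VRRP-ROGUE {
                from {
                    destination-address {
                        224.0.0.18/32;
                    }
                    protocol [ vrrp ah ];
                }
                then {
                    count VRRP-ROGUE;
                    log;
                    discard;
                }
            }
            term FXP0-ACCEPT {
                from {
                    interface fxp0.0;
                }
                then accept;
            }
            /* Terms for routing protocols, management traffic and the
               final default discard follow here. */
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input RE-PROTECT;
                }
            }
        }
    }
}
```

After committing, clear and re-read the counters with "clear firewall all" and "show firewall filter RE-PROTECT" while the peer is advertising. The thread shows a Junos 9.5 box on which a term carrying "protocol vrrp" forwarded VRRP but counted nothing, while the same term without the protocol match counted; if VRRP-OK stays at zero on a release that behaves that way, drop the protocol match and keep the source prefix list plus the 224.0.0.18/32 destination, which is the combination Bit reported as counting. Note also that the VRRP-ROGUE term only protects the Routing Engine's view; two peers that disagree on authentication (AH on one side, none on the other, as the tcpdump in the thread shows) will still fail to elect correctly, and that has to be fixed in the VRRP configuration, not in the filter.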