I have a VRR (SVIs on two routers, across the peerlink of a multi-chassis LAG) and I cannot ping the real IP of one of the interfaces.


Topology basically matches this - https://docs.cumulusnetworks.com/display/DOCS/Virtual+Router+Redundancy+-+VRR
(fewer hosts currently)

Switch1

auto peerlink
iface peerlink
    alias csw_crossbar
    bond-slaves swp52 swp53
    bridge-vids 2-2000
    mtu 9216

auto peerlink.4094
iface peerlink.4094
    address 169.254.1.2/30
    alias csw_crossbar.4094
    clagd-backup-ip 10.10.26.22 vrf mgmt
    clagd-peer-ip 169.254.1.1
    clagd-priority 1000
    clagd-sys-mac 44:38:39:ff:01:01
    mtu 9216

auto vlan109
iface vlan109
    address (public).2/24
    address-virtual 00:00:5e:00:01:01 (public).1/24
    alias OUTSIDE
    mtu 9216
    vlan-id 109
    vlan-raw-device bridge

Switch2

auto peerlink
iface peerlink
    alias csw_crossbar
    bond-slaves swp52 swp53
    bridge-vids 2-2000
    mtu 9216

auto mgmt
iface mgmt
    address 127.0.0.1/8
    vrf-table auto

auto peerlink.4094
iface peerlink.4094
    address 169.254.1.1/30
    alias csw_crossbar
    clagd-backup-ip 10.10.26.12 vrf mgmt
    clagd-peer-ip 169.254.1.2
    clagd-priority 2000
    clagd-sys-mac 44:38:39:ff:01:01
    mtu 9216

auto vlan109
iface vlan109
    address (public).3/24
    address-virtual 00:00:5e:00:01:01 (public).1/24
    alias OUTSIDE
    mtu 9216
    vlan-id 109
    vlan-raw-device bridge

I can ping/trace in from the Internet to the .1 or .2 interface but not the .3 interface.
If I source a ping from the "vlan109" interface on Switch2, I cannot reach anything other than the vlan109 interface IP on Switch1.
I have other interfaces between the switches and can test to/from them without issue.
I have valid routes for all the interfaces on both switches, and the /29 in which the /24 is known on the public Internet.
Suggestions?

Hi Troy,

I assume there is a vlan-aware bridge in the configs as well, since the vlan interface is referencing it? What does the output of 'clagctl -v' show? How about 'arp -a'?
The other thing you can do is run tcpdump on one side, and try the pings, then you will see what address they are being sourced from. Please share the output, and we will see what's going on.

Have not seen any updates here either, but my guess is something is wrong with switch2 and the .1 address is just switch1 responding. In addition to what Jason Guy asked for, maybe do a "mstpctl showport bridge" so we can see STP state. I don't think CLAG is online and working.

I had to remove much of the configuration so that the users on the network were operational. My current hypothesis is that the configurations are correct but I have a problem with switch2 that I'm still working through/around the users.
CLAG was showing active and valid peer states (one primary, one secondary, and valid/matching VLANs throughout; I was using net show clag verbose vs. clagctl -v, but I believe those are the same). I did/do have a bond that is not full yet due to a bad cable, but on the items that were dual-connected and configured we had matching CLAG IDs, VLANs, etc.
I will circle back once we have a quiet time to do more troubleshooting.

It was an issue with the control plane ACL; I was getting a bit too restrictive. Thanks for your time, guys.
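The fix above was a control-plane ACL that permitted traffic to the VRR virtual address but not to the SVI's own address, which matches the symptom (the .1 VIP answers, the real .3 does not). Below is an added example, not from this thread or from Cumulus, of a small lint that catches exactly that mismatch before it is deployed: it parses ifupdown2-style stanzas like the ones posted (collecting both `address` and `address-virtual`) and a Cumulus `policy.d`-style `[iptables]` rule list, then reports every SVI address an ICMP echo could not reach. The 192.0.2.x addresses are constructed (the thread redacts its public range), and the rule matcher is deliberately simplified: it understands only `-p`, `-d` and `-j` on `INPUT` rules and assumes an ACCEPT default policy, so it is a configuration sanity check rather than an iptables emulator.

```python
"""Lint: does the control-plane ACL let ICMP reach every address an SVI owns?

Added example for this thread. Parses /etc/network/interfaces stanzas
(ifupdown2 syntax) and a Cumulus policy.d-style [iptables] section, then
lists SVI addresses (real and address-virtual) that the ACL would drop.
Only -p / -d / -j on INPUT rules are modelled (simplification).
"""
import ipaddress

# Constructed stanza in the same shape as the Switch2 config in the thread.
SAMPLE_INTERFACES = """
auto vlan109
iface vlan109
    address 192.0.2.3/24
    address-virtual 00:00:5e:00:01:01 192.0.2.1/24
    alias OUTSIDE
    vlan-id 109
    vlan-raw-device bridge
"""

# Constructed ACL: only the VRR virtual address is permitted for ICMP, so the
# real SVI address is dropped. This reproduces the symptom the thread describes.
ACL_TOO_RESTRICTIVE = """
[iptables]
-A INPUT -p icmp -d 192.0.2.1/32 -j ACCEPT
-A INPUT -p icmp -j DROP
"""

# Corrected ACL: both the virtual and the real SVI address are permitted.
ACL_FIXED = """
[iptables]
-A INPUT -p icmp -d 192.0.2.1/32 -j ACCEPT
-A INPUT -p icmp -d 192.0.2.3/32 -j ACCEPT
-A INPUT -p icmp -j DROP
"""


def parse_interfaces(text):
    """Return {iface_name: [ip_address, ...]} including address-virtual IPs."""
    owned = {}
    current = None
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "iface":
            current = parts[1]
            owned.setdefault(current, [])
        elif current and parts[0] == "address":
            owned[current].append(ipaddress.ip_interface(parts[1]).ip)
        elif current and parts[0] == "address-virtual":
            # Syntax: address-virtual <mac> <ip/prefix> [<ip/prefix> ...]
            for token in parts[2:]:
                owned[current].append(ipaddress.ip_interface(token).ip)
    return owned


def parse_iptables_rules(text):
    """Return INPUT rules from the [iptables] section as simple dicts."""
    rules = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("["):
            section = line
            continue
        if section != "[iptables]" or not line.startswith("-A INPUT"):
            continue
        tokens = line.split()
        rule = {"proto": None, "dst": None, "target": None}
        for i, token in enumerate(tokens[:-1]):
            if token == "-p":
                rule["proto"] = tokens[i + 1]
            elif token in ("-d", "--destination"):
                rule["dst"] = ipaddress.ip_network(tokens[i + 1], strict=False)
            elif token == "-j":
                rule["target"] = tokens[i + 1]
        rules.append(rule)
    return rules


def icmp_verdict(rules, dst_ip):
    """First-match evaluation of an ICMP packet to dst_ip; default ACCEPT."""
    for rule in rules:
        if rule["proto"] not in (None, "icmp"):
            continue
        if rule["dst"] is not None and dst_ip not in rule["dst"]:
            continue
        return rule["target"]
    return "ACCEPT"  # assumed default policy of the INPUT chain


def unreachable_addresses(interfaces_text, acl_text):
    """Sorted list of SVI addresses (as strings) that the ACL would not ACCEPT."""
    owned = parse_interfaces(interfaces_text)
    rules = parse_iptables_rules(acl_text)
    return sorted(str(ip) for ips in owned.values() for ip in ips
                  if icmp_verdict(rules, ip) != "ACCEPT")


if __name__ == "__main__":
    print("too restrictive:", unreachable_addresses(SAMPLE_INTERFACES, ACL_TOO_RESTRICTIVE))
    print("fixed:          ", unreachable_addresses(SAMPLE_INTERFACES, ACL_FIXED))
```

Run against the real files with `open("/etc/network/interfaces").read()` and the contents of the relevant `/etc/cumulus/acl/policy.d/*.rules` file; an empty list means every address the switch owns on its SVIs is reachable by ICMP under the policy, while any listed address is one that will behave exactly like the .3 in this thread.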
