VRRP transitions and IS-IS flap after implementing an ACL

Symptoms
After the ACL below was applied on two vIST peers, VRRP state transitions and IS-IS adjacency flaps were observed:

filter acl 100 type inVsn matchType terminatingNNIOnly name "inVSN-ACL-VLAN100"
filter acl 100 enable

filter acl i-sid 100 1000100
filter acl ace 100 1 name "Allow-Gateway-IPs"
filter acl ace action 100 1 permit
filter acl ace ethernet 100 1 ether-type eq ip
filter acl ace ip 100 1 dst-ip mask 192.168.1.252 0.0.0.3
filter acl ace 100 1 enable
filter acl ace 100 2 name "Allow-Server-IPs"
filter acl ace action 100 2 permit
filter acl ace ethernet 100 2 ether-type eq ip
filter acl ace ip 100 2 dst-ip mask 172.16.1.0 0.0.0.3
filter acl ace 100 2 enable
filter acl ace 100 10 name "Allow-Access-Through-Firewall"
filter acl ace action 100 10 permit redirect-next-hop 172.25.1.150 vrf vrf10_fids
filter acl ace ethernet 100 10 ether-type eq ip
filter acl ace 100 10 enable


 
Environment
VOSS
All supported software releases
Cause
The problem is ACE 10. It matches every IP frame not already matched by ACEs 1 and 2 and redirects it to the next hop 172.25.1.150, which is on a firewall. VRRP advertisements (IP protocol 112, sent to the multicast address 224.0.0.18) arriving over the vIST also match ACE 10 and are redirected, which effectively loops them. The looping VRRP traffic exhausted the frame buffers of the Rx CPU queue and caused egress drops on queue 7 (network control) on the NNI port(s) used by the vIST. Queue 7 also carries IS-IS, so the dropped IS-IS packets caused the adjacency flaps.
Resolution
Add an ACE to the ACL that permits VRRP. ACEs are evaluated in ascending order of ACE number and the first match wins, so the new ACE must have a lower number than the ACE carrying the "redirect-next-hop" action (ACE 10 here); otherwise VRRP still falls through to the redirect. Any other IP control-plane traffic that must be processed locally rather than sent to the firewall should be checked against the ACL the same way. Example:

filter acl ace 100 5 name "Allow-VRRP"
filter acl ace action 100 5 permit
filter acl ace ethernet 100 5 ether-type eq ip
filter acl ace ip 100 5 ip-protocol-type eq vrrp
filter acl ace 100 5 enable
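To make the ordering rule concrete, the following is an added example, not VOSS code or output from the switch: a small Python model that parses the ACE lines above into match criteria and evaluates them first-match in ascending ACE number against constructed sample packets. It assumes that ordering, assumes IANA protocol numbers for the ip-protocol-type keywords, and does not model the ACL default action. It shows that a VRRP advertisement (IP protocol 112 to 224.0.0.18) lands on ACE 10's redirect with the original ACL, on ACE 5 once the fix is added, and still on ACE 10 if the same permit were numbered 20 instead.

```python
"""Added example, not VOSS code: an offline model of first-match ACL evaluation showing
why the VRRP permit needs a lower ACE number than the redirect-next-hop ACE. Assumed:
ACEs are evaluated in ascending ACE number, the first enabled match wins, and the ACL's
default action for unmatched frames is not modelled."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Assumption: IANA protocol numbers behind the ip-protocol-type keywords.
PROTO_NUMBERS = {"vrrp": 112, "ospf": 89, "icmp": 1, "tcp": 6, "udp": 17}
# Matches 'filter acl ace [action|ethernet|ip] <acl-id> <ace-id> <rest>'.
ACE_RE = re.compile(r"^filter acl ace(?: (action|ethernet|ip))? (\d+) (\d+) (.*)$")

@dataclass
class Ace:
    num: int
    action: str = "permit"
    redirect: Optional[str] = None  # redirect-next-hop address, if any
    ether_type: Optional[str] = None
    dst_net: Optional[ipaddress.IPv4Network] = None
    ip_proto: Optional[int] = None
    enabled: bool = False

    def matches(self, pkt: dict) -> bool:
        # Every configured criterion must match; an unset criterion matches anything.
        if self.ether_type and pkt.get("ether_type") != self.ether_type:
            return False
        if self.dst_net and ipaddress.ip_address(pkt["dst_ip"]) not in self.dst_net:
            return False
        if self.ip_proto is not None and pkt.get("ip_proto") != self.ip_proto:
            return False
        return True

def parse_acl(text: str, acl_id: int = 100) -> list:
    """Collect the ACEs of one ACL from VOSS-style 'filter acl ace' lines."""
    aces = {}
    for raw in text.splitlines():
        m = ACE_RE.match(raw.strip())
        if not m or int(m.group(2)) != acl_id:
            continue
        kind, num, rest = m.group(1), int(m.group(3)), m.group(4).split()
        ace = aces.setdefault(num, Ace(num))
        if kind is None and rest[0] == "enable":
            ace.enabled = True
        elif kind == "action":
            ace.action = rest[0]
            if "redirect-next-hop" in rest:
                ace.redirect = rest[rest.index("redirect-next-hop") + 1]
        elif kind == "ethernet" and rest[:2] == ["ether-type", "eq"]:
            ace.ether_type = rest[2]
        elif kind == "ip" and rest[:2] == ["dst-ip", "mask"]:
            # The mask is a wildcard (inverse) mask; ipaddress accepts it as a hostmask.
            ace.dst_net = ipaddress.IPv4Network(f"{rest[2]}/{rest[3]}")
        elif kind == "ip" and rest[:2] == ["ip-protocol-type", "eq"]:
            ace.ip_proto = PROTO_NUMBERS[rest[2]]
    return [aces[n] for n in sorted(aces)]  # ascending ACE number

def evaluate(aces: list, pkt: dict) -> Optional[Ace]:
    """Return the first enabled ACE that matches pkt, or None if none does."""
    for ace in aces:
        if ace.enabled and ace.matches(pkt):
            return ace
    return None

# The article's ACE lines ('name' lines and ACL header lines omitted: not match criteria).
ORIGINAL_ACL = """
filter acl ace action 100 1 permit
filter acl ace ethernet 100 1 ether-type eq ip
filter acl ace ip 100 1 dst-ip mask 192.168.1.252 0.0.0.3
filter acl ace 100 1 enable
filter acl ace action 100 2 permit
filter acl ace ethernet 100 2 ether-type eq ip
filter acl ace ip 100 2 dst-ip mask 172.16.1.0 0.0.0.3
filter acl ace 100 2 enable
filter acl ace action 100 10 permit redirect-next-hop 172.25.1.150 vrf vrf10_fids
filter acl ace ethernet 100 10 ether-type eq ip
filter acl ace 100 10 enable
"""
FIX_ACE = """
filter acl ace action 100 5 permit
filter acl ace ethernet 100 5 ether-type eq ip
filter acl ace ip 100 5 ip-protocol-type eq vrrp
filter acl ace 100 5 enable
"""

# Constructed sample packets, not captured traffic. VRRP is IP protocol 112 to 224.0.0.18.
VRRP_ADVERT = {"ether_type": "ip", "dst_ip": "224.0.0.18", "ip_proto": 112}
TO_SERVER = {"ether_type": "ip", "dst_ip": "172.16.1.2", "ip_proto": 6}
TO_INTERNET = {"ether_type": "ip", "dst_ip": "203.0.113.10", "ip_proto": 6}

def vrrp_disposition(acl_text: str):
    """(ACE number, action, redirect next hop) that a VRRP advertisement receives."""
    ace = evaluate(parse_acl(acl_text), VRRP_ADVERT)
    return (ace.num, ace.action, ace.redirect) if ace else None

if __name__ == "__main__":
    print("original:     ", vrrp_disposition(ORIGINAL_ACL))
    print("fix as ACE 5: ", vrrp_disposition(ORIGINAL_ACL + FIX_ACE))
    print("fix as ACE 20:", vrrp_disposition(ORIGINAL_ACL + FIX_ACE.replace("100 5 ", "100 20 ")))
```

Running the script prints the three dispositions; the third line is the point of the article: the same permit numbered above the redirect ACE changes nothing, because ACE 10 is consulted first.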

 