Cisco VRRPv3 IPv6 Configuration Sucks « ipSpace.internet weblog

I spent means an excessive amount of time ironing out the VRRPv3 quirks on the dozen (or so) platforms supported by netlab. That is the second weblog put up describing a number of the ridiculous stuff I needed to cope with.

That is the way you configure the essential VRRPv3 parameters for IPv4 on a Cisco IOS/XE machine:

VRRPv3 IPv4 configuration on Cisco IOS

interface GigabitEthernet0/1
  vrrp 217 address-family ipv4
    deal with 172.16.33.42

You’ll anticipate one thing related for IPv6, proper? You’d be proper in case you had been working with Arista EOS:

VRRPv3 IPv4 and IPv6 configuration on Arista EOS

interface Ethernet1
  vrrp 217 ipv4 model 3
  vrrp 217 ipv4 172.16.33.42
  vrrp 217 ipv6 2001:db8:cafe:33::2a

Nevertheless, that is how Cisco IOS expects you to configure VRRPv3 for IPv6 (IOS XE and Nexus OS aren’t any higher):

VRRPv3 IPv6 configuration on Cisco IOS

interface GigabitEthernet0/1
  vrrp 217 address-family ipv6
    deal with fe80::200:5eff:fe00:02d9 major
    deal with 2001:db8:cafe:33::2a/64

What’s occurring? Let’s look into RFC 9568:

• The definitions part defines major IP deal with as “the link-local deal with of the interface over which the packet is transmitted.”
• The description of IP addresses within the VRRP packet could be very express: “For IPv6, the primary deal with MUST be the IPv6 link-local deal with related to the Digital Router.”

To recap:

• An IPv6 VRRPv3 group should have a link-local deal with (LLA) and would possibly have a number of world IPv6 addresses.
• The LLA should be the first (first) IPv6 deal with.

That is how sane implementations cope with these necessities:

• The VRRP MAC deal with is derived from the VRRP group.
• The VRRP LLA is derived from the VRRP MAC deal with.
• The router permits you to configure further IPv6 addresses. The prefix lengths hooked up to these IPv6 addresses are ineffective; they aren’t marketed in VRRPv3 (and needs to be /64 anyway).

And that is how the Cisco IOS or Nexus OS VRRPv3-for-IPv6 configuration works:

• You MUST configure the LLA manually and use the major key phrase. You can not configure a worldwide IPv6 deal with as the first VRRPv3 deal with (they acquired this bit proper).
• Don’t attempt to cheat; VRRPv3 gained’t begin with out the major LLA.
• You can configure any LLA as the first VRRPv3 IPv6 deal with, however if you wish to interoperate with non-Cisco gadgets, you SHOULD use the MAC-derived LLA.
• In case you dream in hex, you’ll don’t have any drawback determining the LLA.
• Everybody else ought to configure the worldwide IPv6 deal with first, then do present vrrp to get the MAC deal with used along with your VRRPv3 group. Lastly, copy the final MAC deal with octet into the LLA from the above instance.
• You’ll be able to configure further IPv6 addresses, however you need to specify the prefix size.

Different implementations I needed to cope with should not significantly better; you need to specify the first LLA manually on virtually all of them. Junos and VyOS are exceptions, however Junos CLI police ^{managed to muddy the (templating) waters with AF-dependent key phrases:}

VRRPv3 IPv4 and IPv6 configuration on Junos

interfaces {
  et-0/0/0.0 {
    household inet {
      deal with 172.16.33.1/24 {
        vrrp-group 217 {
          virtual-address 172.16.33.42;
          precedence 30;
        }
      }
    }
    household inet6 {
      deal with 2001:db8:cafe:33::1/64 {
        vrrp-inet6-group 217 {
          virtual-inet6-address 2001:db8:cafe:33::2a;
          precedence 30;
        }
      }
    }
  }
}

Lastly, an honorable point out for Dell OS10 fortunately ignoring the RFC 9568 necessities and beginning VRRPv3 with a worldwide IPv6 deal with as the first VRRP deal with:

Invalid VRRPv3 configuration is accepted by Dell OS10

interface ethernet1/1/1
 vrrp-ipv6-group 217
  precedence 30
  virtual-address 2001:db8:cafe:33::2a

VRRPv3 standing on a misconfigured Dell OS10 machine

dut# present vrrp ipv6 217

Interface       : ethernet1/1/1                           IPv6 VRID            : 217
Model         : 3                                       State                : active-state
Main IP      : 2001:db8:cafe:33::2a                    Lively IP            : fe80::a4f:a9ff:fe00:56
Digital MAC     : 00:00:5e:00:02:d9                       Settle for Mode          : true
Admin Precedence  : 30                                      Operational Precedence : 30
Promote Interval(in centi secs) : 100
Preempt Standing  : true                                    Maintain Time            : 0
Digital IP deal with :
2001:db8:cafe:33::2a
active-transitions        : 2                             advertise-rcvd            : 0
advertise-interval-errors : 0                             ip-ttl-errors             : 0
priority-zero-pkts-rcvd   : 0                             priority-zero-pkts-sent   : 1
invalid-type-pkts-rcvd    : 0                             address-list-errors       : 2
pkt-length-errors         : 0
omit-skew-time : no