How to Configure VRRP on Juniper

In this lesson, we will learn how to configure VRRP on Juniper devices. We will use Juniper SRX box for the lab, however the process for all Junos devices are same. So, let’s start.

We will configure –

  • Enable VRRP
  • Accept-data
  • Preemption
  • Authentication
  • Track
Configure VRRP
Configure VRRP on Juniper Router

Configuration:

Before going deeper, let’s check our current configuration.

Interface:

[edit]
root@R1# show | display set | match interface
set interfaces ge-0/0/1 unit 0 family inet address 1.1.1.2/30
set interfaces ge-0/0/0 unit 0 family inet address 10.1.1.2/24

[edit]
root@R2# show | display set | match interface
set interfaces ge-0/0/1 unit 0 family inet address 2.2.2.2/30
set interfaces ge-0/0/0 unit 0 family inet address 10.1.1.3/24

Routing:

[edit]
root@R1# show | display set | match routing
set routing-options static route 0.0.0.0/0 next-hop 1.1.1.1

[edit]
root@R1# show | display set | match routing
set routing-options static route 0.0.0.0/0 next-hop 2.2.2.1

We have other configuration also. However, let’s move to the main configuration part–

VRRP configuration for Router R1:

According our plan, we will do VRRP configuration on Ge-0/0/0 interface. At Juniper, the VRRP configuration syntax is after the IP address. So, let’s use power of “edit” command here 🙂

[edit]
root@R1# edit interfaces ge-0/0/0 unit 0 family inet address 10.1.1.2/24

Now, let’s configure VRRP group, which helps to run multiple VRRP. We can use any number between 0-255 as VRRP group.

[edit interfaces ge-0/0/0 unit 0 family inet address 10.1.1.2/24]
root@R1# set vrrp-group 1

At this point, we will configure VRRP parameters.

[edit interfaces ge-0/0/0 unit 0 family inet address 10.1.1.2/24]
root@R1# set vrrp-group 1 virtual-address 10.1.1.1

The virtual address is the gateway for all the LAN users. Now, configure priority to make this router master. We will set priority 150, default is 100.

[edit interfaces ge-0/0/0 unit 0 family inet address 10.1.1.2/24]
root@R1# set vrrp-group 1 priority 150

Accept-data is another important parameter for VRRP. So, what accept-data do?

Without accept-data command, all packets are blocked except ARP. So, if you want to enable ping/ssh/Telnet/etc on virtual address (VIP), then we need to enable accept data in routers.

[edit interfaces ge-0/0/0 unit 0 family inet address 10.1.1.2/24]
root@R1# set vrrp-group 1 accept-data

Also, let’s enable preemption, which helps to keep R1 master whenever it is Up and Running.

[edit interfaces ge-0/0/0 unit 0 family inet address 10.1.1.2/24]
root@R1# set vrrp-group 1 preempt

For the Authentication, we have two options here. One is md5 (HMAC-MD5-96) and another is simple (Simple password).

[edit interfaces ge-0/0/0 unit 0 family inet address 10.1.1.2/24]
root@Juniper-01# set vrrp-group 1 authentication-type ?
Possible completions:
  md5                  HMAC-MD5-96
  simple               Simple password

We will configure md5 here, so let’s do that. We will use Juniper as our authentication code.

[edit interfaces ge-0/0/0 unit 0 family inet address 10.1.1.2/24]
root@Juniper-01# set vrrp-group 1 authentication-type md5

[edit interfaces ge-0/0/0 unit 0 family inet address 10.1.1.2/24]
root@Juniper-01# set vrrp-group 1 authentication-key Juniper

For the best practice, we also can track our uplink so that if it goes does, the secondary takes over.

[edit interfaces ge-0/0/0 unit 0 family inet address 10.1.1.2/24]
root@Juniper-01# set vrrp-group 1 track interface ge-0/0/0.0 priority-cost 50

So, final configuration for R1 is –

interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 10.1.1.2/24 {
                    vrrp-group 1 {
                        virtual-address 10.1.1.1;
                        priority 150;
                        preempt;
                        accept-data;
                        authentication-type md5;
                        authentication-key {**************SECRET-DATA}
                        track {
                            interface ge-0/0/0.0 {
                                priority-cost 50;
                            }
                        }
                    }
                }
            }
        }
    }
}

VRRP configuration for Router R2:

interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 10.1.1.3/24 {
                    vrrp-group 1 {
                        virtual-address 10.1.1.1;
                        priority 110;
                        preempt;
                        accept-data;
                        authentication-type md5;
                        authentication-key {**************SECRET-DATA}
                    }
                }
            }
        }
    }
}

If you want, you can read more about VRRP from Juniper TechNotes.

8 thoughts on “How to Configure VRRP on Juniper”

  1. Hello,

    I have configured this topology, but when doing ping 1.1.1.1 from VPC on GNS3 getting this:
    PC1> ping 10.1.1.1
    host (10.1.1.1) not reachable

  2. address 192.168.10.2/24 {
    vrrp-group 10 {
    virtual-address 192.168.10.1;
    priority 150;
    preempt;
    accept-data;
    authentication-type md5;
    authentication-key “$9$42aJDzF/AtOHq0BREyrs2g”; ## SECRET-DATA
    track {
    interface ae0.10 {
    priority-cost 50;apllience i use

    I tested the ping from PC VPC to 192.168.10.1, still not working

    apllience i use :

    Model: vsrx
    Junos: 15.1X49-D80.4
    JUNOS Software Release [15.1X49-D80.4]

  3. Very well explained.

    Question though: is the diagram correct? It shows ge-0/0/1 as the internet facing interfaces, but the configuration statements show ge-0/0/0 as the internet facing interfaces.

    Thanks!

  4. Hi there,

    Just a question – if you have additional sw between ge-0/0/0 and client sw how you will do the tracking as ge-0/0/0 will remain UP all the time?

Leave a Comment

Your email address will not be published.

Scroll to Top