SSW VRRP Split-Brain Scenario
ActivePublic
Actions

Authored by cmooney on Mar 4 2026, 9:07 AM.

Tags

None

Referenced Files

	F72630763: SSW VRRP Split-Brain Scenario
	Mar 6 2026, 4:58 AM

	F72495170: raw-paste-data.txt
	Mar 4 2026, 9:08 AM

	F72495163: raw-paste-data.txt
	Mar 4 2026, 9:07 AM

Subscribers

None

	# This will occur if the EVPN IBGP peering between the two Spine switches is disabled, when both Spines are connected to CR routers which are acting as the gateway for row-wide vlans using VRRP.

	# The reason is with the BGP down the Spines don't know the other is part of the Vlan, so don't forward the VRRP packets coming from one CR to the other. When neither CR sees the other's VRRP keepalives, both promote themselves to master.

	# It turns out - in normal circumstances - this causes no problem. EVPN is used to distribute MACs, not regular L2 learning, and we use IBGP, so Leaf's do not re-announce a MAC learnt from one spine to to the other. Each Spine only sees the VRRP MAC on its local CR uplink port, and if a Leaf sends it traffic for it it will send it out that port to the CR. The CR is happy in either case as both think they are master.

	cmooney@re0.cr1-eqiad> show vrrp summary \| match et-1/0/5
	et-1/0/5.1003 up 3 master Active lcl 208.80.154.66
	et-1/0/5.1003 up 3 master Active lcl 2620:0:861:3:fe00::1
	et-1/0/5.1004 up 4 master Active lcl 208.80.155.98
	et-1/0/5.1004 up 4 master Active lcl 2620:0:861:4:fe00::1
	et-1/0/5.1019 up 19 master Active lcl 10.64.32.2
	et-1/0/5.1019 up 19 master Active lcl 2620:0:861:103:fe00::1
	et-1/0/5.1020 up 20 master Active lcl 10.64.48.2
	et-1/0/5.1020 up 20 master Active lcl 2620:0:861:107:fe00::1
	et-1/0/5.1022 up 22 master Active lcl 10.64.36.2
	et-1/0/5.1022 up 22 master Active lcl 2620:0:861:106:fe00::1
	et-1/0/5.1023 up 23 master Active lcl 10.64.53.2
	et-1/0/5.1023 up 23 master Active lcl 2620:0:861:108:fe00::1


	cmooney@re0.cr2-eqiad> show vrrp summary \| match et-1/0/5
	et-1/0/5.1003 up 3 master Active lcl 208.80.154.67
	et-1/0/5.1003 up 3 master Active lcl 2620:0:861:3:fe00::2
	et-1/0/5.1004 up 4 master Active lcl 208.80.155.99
	et-1/0/5.1004 up 4 master Active lcl 2620:0:861:4:fe00::2
	et-1/0/5.1019 up 19 master Active lcl 10.64.32.3
	et-1/0/5.1019 up 19 master Active lcl 2620:0:861:103:fe00::2
	et-1/0/5.1020 up 20 master Active lcl 10.64.48.3
	et-1/0/5.1020 up 20 master Active lcl 2620:0:861:107:fe00::3
	et-1/0/5.1022 up 22 master Active lcl 10.64.36.3
	et-1/0/5.1022 up 22 master Active lcl 2620:0:861:106:fe00::2
	et-1/0/5.1023 up 23 master Active lcl 10.64.53.3
	et-1/0/5.1023 up 23 master Active lcl 2620:0:861:108:fe00::2


	# The Spines actually don't care about this though, each of them learns the VRRP virtual MAC on it's directly connected CR port. Because they are not learning the remote one over BGP they don't complain about a duplicate MAC:

	A:ssw1-d1-eqiad# show network-instance * bridge-table mac-table mac 00:00:5E:00:01:14
	-------------------------------------------------------------------------------------------
	Mac-table of network instance vlan-1020
	-------------------------------------------------------------------------------------------
	Mac : 00:00:5E:00:01:14
	Destination : ethernet-1/32.1020
	Dest Index : 36
	Type : learnt
	Programming Status : Success
	Aging : 1120
	Last Update : 2026-03-04T08:49:32.000Z
	Duplicate Detect time : N/A
	Hold down time remaining: N/A
	-------------------------------------------------------------------------------------------

	A:ssw1-d8-eqiad# show network-instance * bridge-table mac-table mac 00:00:5E:00:01:14
	-------------------------------------------------------------------------------------------
	Mac-table of network instance vlan-1020
	-------------------------------------------------------------------------------------------
	Mac : 00:00:5E:00:01:14
	Destination : ethernet-1/32.1020
	Dest Index : 34
	Type : learnt
	Programming Status : Success
	Aging : 1196
	Last Update : 2026-03-04T08:41:29.000Z
	Duplicate Detect time : N/A
	Hold down time remaining: N/A
	-------------------------------------------------------------------------------------------


	# The Leaf switch duely learns the MAC from both Spine switches,

	A:lsw1-d3-eqiad# show network-instance default protocols bgp routes evpn route-type 2 mac-address 00:00:5E:00:01:14 summary
	-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
	Show report for the BGP route table of network-instance "default"
	-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
	Status codes: u=used, *=valid, >=best, x=stale, b=backup
	Origin codes: i=IGP, e=EGP, ?=incomplete
	-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
	BGP Router ID: 10.64.128.27 AS: 64814 Local AS: 64814
	-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
	Type 2 MAC-IP Advertisement Routes
	+-------+-----------------+--------+------------------+------------+--------------+--------------+---------+-------------------------------+--------------+
	\| Statu \| Route- \| Tag-ID \| MAC-address \| IP-address \| neighbor \| Next-Hop \| Label \| ESI \| MAC Mobility \|
	\| s \| distinguisher \| \| \| \| \| \| \| \| \|
	+=======+=================+========+==================+============+==============+==============+=========+===============================+==============+
	\| u*> \| 10.64.128.17:10 \| 0 \| 00:00:5E:00:01:1 \| 0.0.0.0 \| 10.64.128.17 \| 10.64.128.17 \| 2001020 \| 00:00:00:00:00:00:00:00:00:00 \| - \|
	\| \| 20 \| \| 4 \| \| \| \| \| \| \|
	\| u*> \| 10.64.128.18:10 \| 0 \| 00:00:5E:00:01:1 \| 0.0.0.0 \| 10.64.128.18 \| 10.64.128.18 \| 2001020 \| 00:00:00:00:00:00:00:00:00:00 \| Seq:7 \|
	\| \| 20 \| \| 4 \| \| \| \| \| \| \|
	+-------+-----------------+--------+------------------+------------+--------------+--------------+---------+-------------------------------+--------------+


	# In fact the Leaf is going to ECMP between these two, so it turns the normal VRRP active/passive traffic path into an active/active one.

Event Timeline

cmooney created this paste.Mar 4 2026, 9:07 AM

cmooney edited the content of this paste. (Show Details)

cmooney mentioned this in T411054: Nokia SR-Linux DHCP Relay Bug.Mar 4 2026, 9:20 AM

cmooney changed the title of this paste from untitled to SSW VRRP Split-Brain Scenario.Mar 6 2026, 4:58 AM

cmooney edited the content of this paste. (Show Details)

cmooney mentioned this in T420180: Drain ssw1-d1-eqiad and reset BGP EVPN sessions to force new vxlan tunnel establishment.Mar 16 2026, 9:51 AM

cmooney mentioned this in T420351: Drain ssw1-d8-eqiad and reset BGP EVPN sessions to force new vxlan tunnel establishment.Mar 17 2026, 1:43 PM

SSW VRRP Split-Brain ScenarioActivePublicActions

Event Timeline

SSW VRRP Split-Brain Scenario
ActivePublic
Actions