<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><br class=""><div class=""><span style="font-family: Verdana; font-size: 12px;" class="">
</span></div>
<div><br class=""><blockquote type="cite" class=""><div class="">On 26 Jun 2018, at 12:19 pm, Rob Thomas <<a href="mailto:xrobau@gmail.com" class="">xrobau@gmail.com</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><div dir="ltr" class=""><div class="gmail_extra"><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div lang="EN-AU" class=""><div class="gmail-m_9060850220474390346WordSection1"><br class=""><p class="MsoNormal">Can a pair of Mikrotik routers be configured for a *<b class="">reliable</b>* HA scenario ?<u class=""></u><u class=""></u></p><p class="MsoNormal"><u class=""></u> </p></div></div></blockquote></div></div><div class="gmail_extra"><br class=""></div><div class="gmail_extra">Yep, using VRRP, they work really well. You don't even need any 'tricky' bits - for example, if you bind your BGP to the floating IP address, it won't start the BGP session until the IP address is present.</div><div class="gmail_extra"><br class=""></div><div class="gmail_extra">One small warning: If you use VRRP (which puts the interface into promiscuous mode), *and* you're using VMware to run them on, *AND* you're using VDS for your switch configuration, you will get duplicate ICMP responses when you ping the routers.</div><div class="gmail_extra"><br class=""></div><div class="gmail_extra">This is vaguely handwaved away by vmware in <a href="https://kb.vmware.com/s/article/2144849" class="">https://kb.vmware.com/s/article/2144849</a> as 'expected', and it IS only ICMP, normal TCP and UDP packets seem fine, and it's only to IP addresses that terminate AT the router, not for traffic through it.</div></div></div></blockquote><div><br class=""></div><div><br class=""></div><div>Hi Rob,</div><div> I had/have this issue with a virtual PfSense firewall and CARP. (I am on cisco UCS with 10 Gig connectivity.) </div><div>I had both nics in my VDS as primary. What I did was move one nic to be Standby for the Vds portgroup and that fixed the DUP issue. The redundancy is still there…..you just don’t get to load balance across both nics but with 10 Gig and up, that is not really an issue like it was with 1 Gbps connections.</div><div><br class=""></div><div>Cheers,</div><div> David</div><div><br class=""></div><div><br class=""></div><br class=""><blockquote type="cite" class=""><div class=""><div dir="ltr" class=""><div class="gmail_extra"><br class=""></div><div class="gmail_extra">So, the quick runthrough is create a VRRP interface, bind it to a physical (or vlan), assign a bogus IP address to each physical interface - I habitually use rfc6598 address space of <a href="http://100.64.0.0/10" class="">100.64.0.0/10</a> - and then assign (the same!) floating IP Address to the VRRP interface on both nodes.</div><div class="gmail_extra"><br class=""></div><div class="gmail_extra">There are VRRP triggers you can run (there's a 'scripts' value) so you can do a webhook or something if the link changes.</div><div class="gmail_extra"><br class=""></div><div class="gmail_extra">I also recommend the CCR's - theyre' a great piece of hardware.</div><div class="gmail_extra"><br class=""></div><div class="gmail_extra">--Rob</div><div class="gmail_extra"><br class=""></div><div class="gmail_extra"><br class=""></div><div class="gmail_extra"><br class=""></div></div>
_______________________________________________<br class="">AusNOG mailing list<br class=""><a href="mailto:AusNOG@lists.ausnog.net" class="">AusNOG@lists.ausnog.net</a><br class="">http://lists.ausnog.net/mailman/listinfo/ausnog<br class=""></div></blockquote></div><br class=""></body></html>