Martin Visser | 1 Feb 2010 01:48

VRRP groups and complying with RFC 3768

Hi,

I have a question related to a problem that took a lot of time to solve. My customer has a set of firewalls and a set of load-balancers that use VRRP to provide redundancy for the gateway addresses and the virtual IPs they serve up. The vendor (the same for both, but each has a different OS platform) has a concept of a VRRP group. All of the virtual routers are advertised thus in the one VRRP advertisement (at least on this one VLAN 22) - the firewall is configured to use VRID 255 and the load-balancer uses VRID 79. 

What I found curious is that the source MAC address for the VRRP advertisements does not match that of the configured group VRID. Instead they use the VRID 122 as the basis of the MAC address. This is derived from two of the individual virtual routers - 111.111.234.129 on the firewall, and 172.26.22.122 on the load-balancer. (Note that 111.111.xxx.xxx is my obfuscation of the real address.) Using the same VRID 122 on the two heterogeneous platforms on the one VLAN is of course a misconfiguration, which we now recognise. However, the question remains: the actual VRID 122 is never mentioned on the wire in any of the VRRP advertisements, so why is the derived MAC address, 00:00:5e:00:01:7a, used instead of 00:00:5e:00:01:ff and 00:00:5e:00:01:45 (for VRIDs 255 and 79)? Is the vendor actually complying with RFC 3768 or not? I am sort of guessing that the vendor has done this to prevent using the same VLAN across multiple VLANs, as it appears they do use the same VRRP group VRID across multiple VLANs. Thus if they used the configured group VRID for deriving MAC addresses it might cause confusion on some switches (if they don't maintain a per-VLAN forwarding table). However, because we weren't seeing conflicting VRRP VRIDs in the actual advertisements, we hadn't found the problem. It was only by chancing upon the fact that the firewalls were using the same source MAC as the load-balancer that we found the problem. (We found it when we were trying to install a switch between the firewall and load-balancer pairs and were experiencing high packet loss. Having the same source MAC swapping between interfaces, tied to different virtual router IPs, of course was the cause.)

So again, my question is 

1. Is the vendor in violation of the RFC by choosing a source MAC based on a VRID not actually in the advertisement?
2. Do other vendors use a similar arrangement when sending VRRP group advertisements? (The exact algorithm in this case isn't clear to me.)

The two packets below (using the Wireshark summary) are from the firewall first and the load-balancer second. It is clear they use the same source MAC but different VRIDs. I have annotated the virtual router IP address from which the used source MAC address is derived.

No.     Time        Len   Source                Destination           Protocol Info
   4723 2.375135    122   111.111.234.130        224.0.0.18            VRRP     Announcement (v2)

Frame 4723 (122 bytes on wire, 122 bytes captured)
Ethernet II, Src: IETF-VRRP-virtual-router-VRID_7a (00:00:5e:00:01:7a), Dst: IPv4mcast_00:00:12 (01:00:5e:00:00:12)
Internet Protocol, Src: 111.111.234.130 (111.111.234.130), Dst: 224.0.0.18 (224.0.0.18)
Virtual Router Redundancy Protocol
    Version 2, Packet type 1 (Advertisement)
    Virtual Rtr ID: 255
    Priority: 118 (Non-default backup priority)
    Count IP Addrs: 18
    Auth Type: Simple Text Authentication [RFC 2338] / Reserved [RFC 3768] (1)
    Adver Int: 1
    Checksum: 0xd785 [correct]
    IP Address: 172.26.18.30 (172.26.18.30)
    IP Address: 172.26.30.10 (172.26.30.10)
    IP Address: 111.111.234.129 (111.111.234.129)  *** VRID 122 ***
    IP Address: 172.26.22.1 (172.26.22.1)
    IP Address: 111.111.234.65 (111.111.234.65)
    IP Address: 172.26.20.1 (172.26.20.1)
    IP Address: 111.111.234.225 (111.111.234.225)
    IP Address: 172.26.32.1 (172.26.32.1)
    IP Address: 111.111.234.25 (111.111.234.25)
    IP Address: 172.26.21.1 (172.26.21.1)
    IP Address: 111.111.234.209 (111.111.234.209)
    IP Address: 172.26.33.1 (172.26.33.1)
    IP Address: 111.111.234.193 (111.111.234.193)
    IP Address: 172.26.39.1 (172.26.39.1)
    IP Address: 172.26.15.1 (172.26.15.1)
    IP Address: 172.26.99.1 (172.26.99.1)
    IP Address: 172.26.41.1 (172.26.41.1)
    IP Address: 111.111.234.241 (111.111.234.241)
    Authentication string: `xxxxx'

No.     Time        Len   Source                Destination           Protocol Info
   6020 2.455066    210   172.26.22.12          224.0.0.18            VRRP     Announcement (v2)

Frame 6020 (210 bytes on wire, 210 bytes captured)
Ethernet II, Src: IETF-VRRP-virtual-router-VRID_7a (00:00:5e:00:01:7a), Dst: IPv4mcast_00:00:12 (01:00:5e:00:00:12)
802.1Q Virtual LAN, PRI: 0, CFI: 0, ID: 22
Internet Protocol, Src: 172.26.22.12 (172.26.22.12), Dst: 224.0.0.18 (224.0.0.18)
Virtual Router Redundancy Protocol
    Version 2, Packet type 1 (Advertisement)
    Virtual Rtr ID: 79
    Priority: 101 (Non-default backup priority)
    Count IP Addrs: 39
    Auth Type: No Authentication (0)
    Adver Int: 1
    Checksum: 0x1e7a [correct]
    IP Address: 111.111.234.190 (111.111.234.190)
    IP Address: 172.26.22.11 (172.26.22.11)
    IP Address: 111.111.234.196 (111.111.234.196)
    IP Address: 172.26.39.11 (172.26.39.11)
    IP Address: 111.111.234.212 (111.111.234.212)
    IP Address: 172.26.33.11 (172.26.33.11)
    IP Address: 111.111.234.132 (111.111.234.132)
    IP Address: 172.26.22.123 (172.26.22.123)
    IP Address: 111.111.234.133 (111.111.234.133)
    IP Address: 111.111.234.134 (111.111.234.134)
    IP Address: 111.111.234.136 (111.111.234.136)
    IP Address: 111.111.234.137 (111.111.234.137)
    IP Address: 172.26.22.124 (172.26.22.124)
    IP Address: 111.111.234.138 (111.111.234.138)
    IP Address: 111.111.234.139 (111.111.234.139)
    IP Address: 111.111.234.140 (111.111.234.140)
    IP Address: 111.111.234.141 (111.111.234.141)
    IP Address: 111.111.234.142 (111.111.234.142)
    IP Address: 172.26.22.122 (172.26.22.122) *** VRID 122 ***
    IP Address: 172.26.22.125 (172.26.22.125)
    IP Address: 172.26.22.126 (172.26.22.126)
    IP Address: 111.111.234.143 (111.111.234.143)
    IP Address: 111.111.234.146 (111.111.234.146)
    IP Address: 111.111.234.150 (111.111.234.150)
    IP Address: 111.111.234.152 (111.111.234.152)
    IP Address: 111.111.234.153 (111.111.234.153)
    IP Address: 172.26.22.154 (172.26.22.154)
    IP Address: 172.26.22.155 (172.26.22.155)
    IP Address: 111.111.234.144 (111.111.234.144)
    IP Address: 111.111.234.161 (111.111.234.161)
    IP Address: 111.111.234.162 (111.111.234.162)
    IP Address: 111.111.234.163 (111.111.234.163)
    IP Address: 111.111.234.164 (111.111.234.164)
    IP Address: 111.111.234.165 (111.111.234.165)
    IP Address: 111.111.234.166 (111.111.234.166)
    IP Address: 111.111.234.167 (111.111.234.167)
    IP Address: 111.111.234.168 (111.111.234.168)
    IP Address: 172.26.22.181 (172.26.22.181)
    IP Address: 111.111.234.155 (111.111.234.155)
Regards, Martin

MartinVisser99 <at> gmail.com
_______________________________________________
vrrp mailing list
vrrp <at> ietf.org
https://www.ietf.org/mailman/listinfo/vrrp
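The check that would have surfaced this problem earlier, as an added Python example that is not part of the original thread or any vendor's code: parse each VRRPv2 advertisement, take the VRID implied by the last byte of the source MAC (RFC 3768's 00-00-5E-00-01-{VRID}), compare it with the VRID field inside the advertisement, and flag any virtual MAC that more than one (VRID, sender) pair is using on the segment. The frames are constructed inline to mirror the two captures above (shared MAC 00:00:5e:00:01:7a, VRIDs 255 and 79, a few of the advertised addresses, VLAN 22 on the load-balancer frame); they are not the actual capture bytes, and the third "conforming" frame is invented as a control.

```python
import struct
from collections import defaultdict

# RFC 3768: a virtual router's MAC is 00-00-5E-00-01-{VRID}; the last byte is the VRID.
VRRP_MAC_PREFIX = bytes.fromhex("00005e0001")
ETHERTYPE_IPV4, ETHERTYPE_8021Q, IPPROTO_VRRP = 0x0800, 0x8100, 112


def inet_checksum(data: bytes) -> int:
    """16-bit one's-complement checksum (VRRPv2 computes it over the whole VRRP message)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ip4(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))


def build_vrrp_frame(src_mac, src_ip, vrid, priority, addrs, auth_type=0, vlan=None):
    """Construct an Ethernet/IPv4/VRRPv2 advertisement (constructed test data, not a capture)."""
    hdr = struct.pack("!BBBBBBH", 0x21, vrid, priority, len(addrs), auth_type, 1, 0)
    msg = hdr + b"".join(ip4(a) for a in addrs) + b"\x00" * 8  # v2 carries 8 bytes of auth data
    msg = msg[:6] + struct.pack("!H", inet_checksum(msg)) + msg[8:]
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(msg), 0, 0, 255,
                         IPPROTO_VRRP, 0, ip4(src_ip), ip4("224.0.0.18"))
    ip_hdr = ip_hdr[:10] + struct.pack("!H", inet_checksum(ip_hdr)) + ip_hdr[12:]
    eth = bytes.fromhex("01005e000012") + src_mac  # destination: all-VRRP-routers multicast MAC
    if vlan is None:
        eth += struct.pack("!H", ETHERTYPE_IPV4)
    else:
        eth += struct.pack("!HHH", ETHERTYPE_8021Q, vlan, ETHERTYPE_IPV4)  # PRI 0, CFI 0
    return eth + ip_hdr + msg


def parse_vrrp_frame(frame: bytes):
    """Return the fields an auditor needs from a VRRPv2 advertisement, or None if not VRRP."""
    src_mac, (ethertype,) = frame[6:12], struct.unpack("!H", frame[12:14])
    off, vlan = 14, None
    if ethertype == ETHERTYPE_8021Q:
        vlan = struct.unpack("!H", frame[14:16])[0] & 0x0FFF
        (ethertype,), off = struct.unpack("!H", frame[16:18]), 18
    if ethertype != ETHERTYPE_IPV4 or frame[off + 9] != IPPROTO_VRRP:
        return None
    ihl = (frame[off] & 0x0F) * 4
    src_ip = ".".join(map(str, frame[off + 12:off + 16]))
    v = frame[off + ihl:]
    vertype, vrid, prio, count, auth_type, adver_int, _ = struct.unpack("!BBBBBBH", v[:8])
    msg = v[:8 + 4 * count + 8]  # header + addresses + auth data; drop any trailing padding
    return {
        "src_mac": src_mac, "src_ip": src_ip, "vlan": vlan, "version": vertype >> 4,
        "vrid": vrid, "priority": prio, "auth_type": auth_type, "adver_int": adver_int,
        "addrs": [".".join(map(str, msg[8 + 4 * i:12 + 4 * i])) for i in range(count)],
        "checksum_ok": inet_checksum(msg) == 0,  # a correct message sums to 0xFFFF -> complement 0
    }


def mac_vrid(mac: bytes):
    """VRID implied by a source MAC, or None if the MAC is not a VRRP virtual MAC."""
    return mac[5] if mac[:5] == VRRP_MAC_PREFIX else None


def audit(frames):
    """Flag advertisements whose source-MAC VRID differs from the advertised VRID, and
    virtual MACs that more than one (VRID, sender) pair is using on the segment."""
    findings, owners = [], defaultdict(set)
    for frame in frames:
        p = parse_vrrp_frame(frame)
        if p is None:
            continue
        if not p["checksum_ok"]:
            findings.append(("bad-checksum", p["src_ip"], p["vrid"]))
        implied = mac_vrid(p["src_mac"])
        if implied is None:
            findings.append(("non-virtual-src-mac", p["src_ip"], p["vrid"]))
        elif implied != p["vrid"]:
            findings.append(("mac-vrid-mismatch", p["src_ip"], p["vrid"], implied))
        owners[p["src_mac"]].add((p["vrid"], p["src_ip"]))
    for mac, routers in owners.items():
        if len(routers) > 1:
            findings.append(("shared-virtual-mac", mac.hex(":"), sorted(routers)))
    return findings


# Constructed frames mirroring the two captures in the post: one virtual MAC, two VRIDs.
SHARED_MAC = bytes.fromhex("00005e00017a")  # the VRID 122 (0x7a) MAC that neither sender advertises
FIREWALL = build_vrrp_frame(SHARED_MAC, "111.111.234.130", 255, 118,
                            ["172.26.18.30", "111.111.234.129", "172.26.22.1"], auth_type=1)
LOAD_BALANCER = build_vrrp_frame(SHARED_MAC, "172.26.22.12", 79, 101,
                                 ["172.26.22.11", "172.26.22.122", "172.26.22.123"], vlan=22)
# Invented control: VRID 10 advertised from the matching MAC 00:00:5e:00:01:0a.
CONFORMING = build_vrrp_frame(bytes.fromhex("00005e00010a"), "172.26.22.3", 10, 100, ["172.26.22.2"])

if __name__ == "__main__":
    for finding in audit([FIREWALL, LOAD_BALANCER, CONFORMING]):
        print(finding)
```

Run against the three constructed frames, `audit` reports a mac-vrid-mismatch for each of the two group advertisements (advertised 255 and 79, MAC implies 122) and one shared-virtual-mac finding for 00:00:5e:00:01:7a; the conforming frame produces nothing. The shared-virtual-mac check is the one that matters operationally: it is exactly the condition (one source MAC flapping between two switch ports) that caused the packet loss, and it is visible in the advertisements alone, without knowing anything about the vendor's group-VRID scheme.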
Internet-Drafts | 3 Feb 2010 20:30

I-D ACTION:draft-ietf-vrrp-unified-mib-07.txt

A New Internet-Draft is available from the on-line Internet-Drafts 
directories.
This draft is a work item of the Virtual Router Redundancy Protocol Working Group of the IETF.

	Title		: Definitions of Managed Objects for the VRRP over IPv4 and IPv6
	Author(s)	: K. Tata
	Filename	: draft-ietf-vrrp-unified-mib-07.txt
	Pages		: 46
	Date		: 2010-2-2
	
This specification defines a Management Information Base (MIB) for 
   use with SNMP-based network management.  In particular, it defines 
   objects for configuring, monitoring, and controlling routers that 
   employ the Virtual Router Redundancy Protocol Version 3 for both IPv4 
   and IPv6 as defined in RFC XXXX (RFC-editor, this is currently draft-
   ietf-vrrp-unified-spec-05.txt).  This memo obsoletes RFC 2787.

A URL for this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-ietf-vrrp-unified-mib-07.txt

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/

Below is the data which will enable a MIME compliant mail reader
implementation to automatically retrieve the ASCII version of the
Internet-Draft.
Attachment (draft-ietf-vrrp-unified-mib-07.txt): message/external-body, 68 bytes
