
Cisco ACE in bridged mode - ARP and Probes

Hi,

 

We have ACE 30 module context in bridged mode.

Everything works fine, but the probes to the real server on the Standby are in a Failed state. After troubleshooting for a while, I have found that this is somehow related to L2 and ARP responses.

- Routing on the client side is pointing to 10.126.120.1 (this is an HSRP IP where 10.126.120.2 and .3 are real IP addresses) - this is vlan 2750

- Routing on the server side is pointing to 10.126.120.4 (this is an HSRP IP where 10.126.120.5 and .6 are real IP addresses) - this is vlan 2751

- On Active ACE module, I can ping all of the addresses, i.e. 10.126.120.1-6

- On Standby ACE module, I can ping only client side IP addresses, i.e. 10.126.120.1-3.

- On Standby ACE, I cannot ping server-side router interfaces, i.e. 10.126.120.4-6 and there is no entry in the ARP table for these IPs.

- Routers are able to ping Active ACE BVI interface IP address 10.126.120.10

- Routers are unable to ping Standby ACE BVI interface IP address 10.126.120.11

- Routers don't receive ARP for Standby ACE BVI IP address.

- When I manually trigger the ACE module failover, probes start working just fine on both ACE modules until ARP times out.

 

Is this an expected behaviour?

Do you have an explanation about this behaviour?

From a load-balancing perspective, everything is working fine.

From the probe perspective, I expect that the probe on the Standby ACE unit is using the Standby BVI IP address 10.126.120.11; it is unable to get ARP for the corresponding server route and hence fails the probe.

 

 

 

Here comes the relevant config and state from the Standby ACE module:

0cc1-ace12/dclb# show arp


Context dclb
================================================================================
IP ADDRESS      MAC-ADDRESS        Interface  Type      Encap  NextArp(s) Status
================================================================================
10.126.120.1    00.00.0c.07.ac.01  vlan2750  GATEWAY    39     182 sec      up
10.126.120.2    e0.2f.6d.2c.23.c0  vlan2750  LEARNED    37     5961 sec     up
10.126.120.3    e0.2f.6d.2c.23.80  vlan2750  LEARNED    35     5957 sec     up
10.126.120.10   e0.5f.b9.ab.8c.35  vlan2750  LEARNED    40     5955 sec     up
10.126.120.4    00.00.00.00.00.00  bvi1      GATEWAY    -       * 3 req     dn
10.126.120.11   e0.5f.b9.ab.8c.11  bvi1      INTERFACE  LOCAL     _         up
================================================================================
Total arp entries 6
0cc1-ace12/dclb#
0cc1-ace12/dclb#
0cc1-ace12/dclb# show run interface
Generating configuration....

interface vlan 2750
  description >MSFC:dc
  bridge-group 1
  fragment min-mtu 28
  access-group input BPDU
  access-group input ACL
  no shutdown
  ip route inject vlan 2750
interface vlan 2751
  description >MSFC:dclb
  bridge-group 1
  fragment min-mtu 28
  access-group input BPDU
  access-group input ACL
  no shutdown

interface bvi 1
  ip address 10.126.120.11 255.255.255.224
  peer ip address 10.126.120.10 255.255.255.224

 

Relevant router ARP table:

0cc1-s11#show ip arp vrf dclb 10.126.120.11
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.126.120.11           0   Incomplete      ARPA   
0cc1-s11#show ip arp vrf dclb 10.126.120.10
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.126.120.10           1   e05f.b9ab.8c35  ARPA   Vlan2751

 

Regards,

Alexander

 

 

1 Reply

Peter Koltl
Level 7

Please attach a diagram because you might have some unnecessary elements or I don't understand all the details well.

 

A bridged HA pair should interconnect two VLANs via two parallel paths. A single broadcast domain and a single subnet (10.126.120.0) are formed. All hosts in this broadcast domain (both servers and clients) should have the same default gateway (either 10.126.120.1 or 10.126.120.4). Layer 2 traffic within the broadcast domain should use the active links in the spanning tree. The loop guard function should be disabled on the switchports (internal subinterfaces) towards the ACE. The two spanning tree instances (2750, 2751) are combined into a merged spanning tree, so the priorities should be tuned to fix which one (which side) is the root.

 

Please check the spanning tree port states on the links connecting towards the ACE.
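
A small check for the symptom visible in the Standby `show arp` output in this thread, as an added example that is not part of either post: it parses the rows and reports entries with no learned MAC or a `dn` status, plus how many neighbours are resolved per interface. The function names are hypothetical; the sample rows are copied from the question.

```python
import re

# Standby ACE "show arp" rows copied from the question in this thread.
SHOW_ARP = """\
IP ADDRESS      MAC-ADDRESS        Interface  Type      Encap  NextArp(s) Status
10.126.120.1    00.00.0c.07.ac.01  vlan2750  GATEWAY    39     182 sec      up
10.126.120.2    e0.2f.6d.2c.23.c0  vlan2750  LEARNED    37     5961 sec     up
10.126.120.3    e0.2f.6d.2c.23.80  vlan2750  LEARNED    35     5957 sec     up
10.126.120.10   e0.5f.b9.ab.8c.35  vlan2750  LEARNED    40     5955 sec     up
10.126.120.4    00.00.00.00.00.00  bvi1      GATEWAY    -       * 3 req     dn
10.126.120.11   e0.5f.b9.ab.8c.11  bvi1      INTERFACE  LOCAL     _         up
Total arp entries 6
"""

# ip, dotted-byte MAC, interface, entry type, then a trailing up/dn status
ROW = re.compile(
    r"^(\d{1,3}(?:\.\d{1,3}){3})\s+((?:[0-9a-f]{2}\.){5}[0-9a-f]{2})\s+"
    r"(\S+)\s+(\S+)\s+.*\s(up|dn)\s*$"
)
ZERO_MAC = "00.00.00.00.00.00"

def parse_arp(text):
    """Return one dict per ARP row; header, ruler and total lines are skipped."""
    keys = ("ip", "mac", "iface", "type", "status")
    return [dict(zip(keys, m.groups()))
            for m in map(ROW.match, map(str.strip, text.splitlines())) if m]

def unresolved(entries):
    """Entries with no MAC learned or with status dn."""
    return [e for e in entries if e["mac"] == ZERO_MAC or e["status"] == "dn"]

def resolved_neighbours(entries):
    """Count resolved, non-local (not the ACE's own INTERFACE) entries per interface."""
    counts = {}
    for e in entries:
        counts.setdefault(e["iface"], 0)
        if e["type"] != "INTERFACE" and not unresolved([e]):
            counts[e["iface"]] += 1
    return counts

if __name__ == "__main__":
    rows = parse_arp(SHOW_ARP)
    for e in unresolved(rows):
        print(f"unresolved: {e['ip']} ({e['type']}) on {e['iface']}")
    print(resolved_neighbours(rows))
```
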
