I have an issue about HSRP isolation (active/active) between two datacenter.
I configured HSRP isolation according to the vpc best practices design guide :
I applied the following PACL on the port-channel3 of Nexus 7000 and 5000 :
ip access-list HSRPv2_Filtering_DC
10 deny udp any 220.127.116.11/32 eq 1985
20 permit ip any any
Port-channel3 configuration on Nexus 7000 and 5000 is :
description port-channel to **********
switchport mode trunk
ip port access-group HSRPv2_Filtering_DC in
switchport trunk allowed vlan XXXX
spanning-tree port type normal
spanning-tree bpdufilter enable
About the HSRP configuration :
With the above configuration I have HSRP flapping on the Nexus 5000 only. It's as I still received HSRP hello packet.
Do you have an idea about the issue ?
I have seen this issue recently, please try the following action plan and let me know if it helps:
HSRP localization of the N5K requires using separate authentication groups.
On N5K, we recommend configuring mismatched passwords on the 2 sites to support this.
The HSRP mismatched passwords allows each N5k to only see one HSRP neighbor and that the "no ip arp gratuitous hsrp duplicate" command stops the error message about duplicate IP since we cannot block the arp response from one pair to reach the other one.
We can use the same group number and same SVI IPs and VIPs and use HSRP authentication with different passwords between sites. Please see below.
* Four Nexus 5500 in same HSRP group.
* All four Nexus 5500 function as default gateway for the VLANs.
* On Nexus 5500, Port ACL and VLAN ACL CAN NOT block HSRP hello packets
* Recommend to configure mismatched passwords on two sites to achieve HSRP localization
* Both sites will own the VIP of HSRP. Following CLI is introduced in 5.1(3)N1(1) to disable duplicate IP detection for HSRP
5548-1(config)# int vlan x
5548-1(config-if)# no ip arp gratuitous hsrp duplicate
I tried your solution and it works fine with the exception of this syslog message generate every 3 seconds.
%HSRP_ENGINE-4-BADAUTH: Bad authentication
It's very embarrasing, I need to find out a solution to avoid generation of these messages but ONLY for extended vlan.
On Nexus 7000 PACL (HSRP filtering) allows suppression of these messages but not on Nexus 5000 (HSRP filtering match but don't work).
Please, do you have an idea ?
I tried to block these messages with the following mac-list without success :
mac-list VPC_HSRP_VMAC_deny seq 10 deny 0000.0c07.ac00 ffff.ffff.ff00
mac-list VPC_HSRP_VMAC_deny seq 20 deny 0000.0c9f.f000 ffff.ffff.f000
mac-list VPC_HSRP_VMAC_deny seq 30 permit 0000.0000.0000 0000.0000.0000
route-map VPC_HSRP_filter permit 10
match mac-list VPC_HSRP_VMAC_deny
route-map VPC_HSRP_filter permit 10
I applied this route map to a test vlan interface (currently it is not possible to applied it on DCI portchannel) but it doesn't work.
Do you have an idea ?
On Nexus 5500, Port ACL and VLAN ACL CAN NOT block HSRP hello packets. the other thing you can try is to use different versions of HSRP on both sites. if you still issues, you may need to open a TAC case so that we can review it further. Thank you.
On Nexus 5500, Port ACL and VLAN ACL CAN NOT block HSRP hello packets.
Is this a bug or a hardware limitation on the Nexus 5500? If it's a bug do you have the DDTS, or if it's not a bug but by design, can you tell us where this is documented?
If you go along the path of using a different HSRP version at the two sites, don't forget to hard code the MAC address. HSRPv1 and HSRPv2 use different MAC addresses and so if you don't hard code the MAC address on your SVI, any hosts moved between sites will suddenly find they have the wrong MAC address for the default gateway.
I know this is an old post, but I was wondering if the configuration performed on N7K to isolate HSRP in two DC via DCI (Port ACL and VLAN ACL) can now be performed on N5K running 7.3(3)N1(1).
Thank you in advance,
I also found the following post (https://community.cisco.com/t5/server-networking/nexus-5600-hsrp-design-question-for-stretched-vlans-between-2/td-p/2964094) that states:
"Due to the HW architecture on the Nexus 5600, control plane multicast packets are punted to the CPU ignoring any PACL or MAC-ACL. So with a PACL, you will not be able to filter HSRP Hellos, ARP, BPDUs, etc. which need to go to the CPU, because there is a pre-defined ACL to redirect control traffic to CPU and this ACL that takes precedence over the user-configured ACL.