DCI with vPC - Problem with HSRP isolation between N5K and N7K

Thibault BRISSE · ‎04-25-2013

Hi,

I have an issue about HSRP isolation (active/active) between two datacenter.

Datacenter1

2 x Nexus 7000
vPC domain 1
Portchannel 3 (vPC) to datacenter 2 (Nexus 5000)

Datacenter2

2 x Nexus 5000 with L3 card
vPC domain 2
Portchannel 3 (vPC) to datacenter 1 (Nexus 7000)

I configured HSRP isolation according to the vpc best practices design guide :

http://www.cisco.com/en/US/docs/switches/datacenter/sw/design/vpc_design/vpc_best_practices_design_guide.pdf

I applied the following PACL on the port-channel3 of Nexus 7000 and 5000 :

ip access-list HSRPv2_Filtering_DC

10 deny udp any 224.0.0.102/32 eq 1985

20 permit ip any any

Port-channel3 configuration on Nexus 7000 and 5000 is :

interface port-channel3

description port-channel to **********

switchport

switchport mode trunk

ip port access-group HSRPv2_Filtering_DC in

switchport trunk allowed vlan XXXX

spanning-tree port type normal

spanning-tree bpdufilter enable

vpc 3

About the HSRP configuration :

1 VLAN extended between the 2 datacenter
4 IP address, 1 by Nexus
1 HSRP group for the 4 Nexus
1 virtual address
Decreasing priority : N7K_01 = 200 , N7K_02 = 190 , N5K_01 = 180 , N5K_02 = 170

With the above configuration I have HSRP flapping on the Nexus 5000 only. It's as I still received HSRP hello packet.

Do you have an idea about the issue ?

Regards,

Thibault

Ming_Prince · ‎05-13-2013

I have seen this issue recently, please try the following action plan and let me know if it helps:

HSRP localization of the N5K requires using separate authentication groups.

On N5K, we recommend configuring mismatched passwords on the 2 sites to support this.

The HSRP mismatched passwords allows each N5k to only see one HSRP neighbor and that the "no ip arp gratuitous hsrp duplicate" command stops the error message about duplicate IP since we cannot block the arp response from one pair to reach the other one.

We can use the same group number and same SVI IPs and VIPs and use HSRP authentication with different passwords between sites. Please see below.

* Four Nexus 5500 in same HSRP group.

* All four Nexus 5500 function as default gateway for the VLANs.

* On Nexus 5500, Port ACL and VLAN ACL CAN NOT block HSRP hello packets

* Recommend to configure mismatched passwords on two sites to achieve HSRP localization

* Both sites will own the VIP of HSRP. Following CLI is introduced in 5.1(3)N1(1) to disable duplicate IP detection for HSRP

5548-1(config)# int vlan x

5548-1(config-if)# no ip arp gratuitous hsrp duplicate

Thibault BRISSE · ‎05-27-2013

Hi all,

I tried your solution and it works fine with the exception of this syslog message generate every 3 seconds.

%HSRP_ENGINE-4-BADAUTH: Bad authentication

It's very embarrasing, I need to find out a solution to avoid generation of these messages but ONLY for extended vlan.

On Nexus 7000 PACL (HSRP filtering) allows suppression of these messages but not on Nexus 5000 (HSRP filtering match but don't work).

Please, do you have an idea ?

Regards,

Thibault BRISSE · ‎05-27-2013

I tried to block these messages with the following mac-list without success :

mac-list VPC_HSRP_VMAC_deny seq 10 deny 0000.0c07.ac00 ffff.ffff.ff00
mac-list VPC_HSRP_VMAC_deny seq 20 deny 0000.0c9f.f000 ffff.ffff.f000
mac-list VPC_HSRP_VMAC_deny seq 30 permit 0000.0000.0000 0000.0000.0000
!
route-map VPC_HSRP_filter permit 10
match mac-list VPC_HSRP_VMAC_deny
!
interface vlan2
route-map VPC_HSRP_filter permit 10

I applied this route map to a test vlan interface (currently it is not possible to applied it on DCI portchannel) but it doesn't work.

Do you have an idea ?

Regards,

Ming_Prince · ‎05-29-2013

Hi Thibault,

On Nexus 5500, Port ACL and VLAN ACL CAN NOT block HSRP hello packets. the other thing you can try is to use different versions of HSRP on both sites. if you still issues, you may need to open a TAC case so that we can review it further. Thank you.

Steve Fuller · ‎05-29-2013

Hi,

@Ming--

On Nexus 5500, Port ACL and VLAN ACL CAN NOT block HSRP hello packets.

Is this a bug or a hardware limitation on the Nexus 5500? If it's a bug do you have the DDTS, or if it's not a bug but by design, can you tell us where this is documented?

@Thibault--

If you go along the path of using a different HSRP version at the two sites, don't forget to hard code the MAC address. HSRPv1 and HSRPv2 use different MAC addresses and so if you don't hard code the MAC address on your SVI, any hosts moved between sites will suddenly find they have the wrong MAC address for the default gateway.

Regards

katerina.dardoufa · ‎06-11-2019

Hello all!

I know this is an old post, but I was wondering if the configuration performed on N7K to isolate HSRP in two DC via DCI (Port ACL and VLAN ACL) can now be performed on N5K running 7.3(3)N1(1).

Thank you in advance,

Katerina

katerina.dardoufa · ‎06-11-2019

I also found the following post (https://community.cisco.com/t5/server-networking/nexus-5600-hsrp-design-question-for-stretched-vlans-between-2/td-p/2964094) that states:

"Due to the HW architecture on the Nexus 5600, control plane multicast packets are punted to the CPU ignoring any PACL or MAC-ACL. So with a PACL, you will not be able to filter HSRP Hellos, ARP, BPDUs, etc. which need to go to the CPU, because there is a pre-defined ACL to redirect control traffic to CPU and this ACL that takes precedence over the user-configured ACL.