IRB and HSRP with strange ARP behaviour

cisco4com (Level 1)

Hi,

we have the following redundancy concept at each of our core colocations:

  • two carrier internet connections with official ip addresses (x.x.x.x/29)
  • two cisco 7206 vxr routers with npe-g1 as gateway device for each carrier interconnect
  • two cisco 2960s switches for server connectivity - stacked
  • ibm server with redhat linux and two gigabit ethernet ports (one on each switch) in linux bonding mode (active/standby)
  • each cisco router is connected to carrier uplink device with crossover cable - interface gigabitethernet0/1
  • each cisco router is also connected to both switches with patch cable - interface gigabitethernet0/2 and 0/3
  • the gigabitethernet interface 0/2 and 0/3 are grouped with irb bridge group and spanning tree is configured with highest bridge priority
    • so one interface is blocked and the router never gets the root bridge
  • both routers speak ospf with gateway routers on our other colocations
  • both routers have hsrp activated on the bvi1 interface - with the internal ip that is configured as default gateway on all servers
  • the official ip addresses for our servers were routed through the routers statically to the bvi1 interface

Everything works as expected. But the ARP requests sent by the HSRP standby router for the official IP addresses of "its" carrier connection are answered by the active HSRP router with the virtual MAC address of its BVI interface.

I have attached a Visio drawing as PNG which will give an overview.

As example, the standby router for CarrierY gets a http request from wan to ip y.y.y.3

In the arp table of this router i can see the mac address of the active router for this y.y.y.3 instead of the mac address of the server which has the y.y.y.3 configured as interface bond0.0.

So the active router answers the ARP request faster (or because of HSRP with higher priority?) than the server.

Is there any way to get the active router not to answer ARP requests for the official IP addresses of the standby router?

Or other way around, is there any way to get the standby router ignoring arp answers of the active router, because the standby router has static routes for this ip addresses?

Please have a look at the attached png file, i have inserted some configuration lines and the show arp output.

Thanks and regards,

Jonas

Accepted Solution: Leo's second reply below.

4 Replies

lgijssel (Level 9)

Hi Jonas,

This is the way in which HSRP works. Reading through your problem description, I cannot see why you have not configured a second HSRP group with the HSRP master on the other router. Example setup:

http://docwiki.cisco.com/wiki/Internetwork_Design_Guide_--_Using_HSRP_for_Fault-Tolerant_IP_Routing#Using_HSRP_for_Fault-Tolerant_IP_Routing

This would cause traffic for y.y.y.x to be sent over the other router by default.

regards,

Leo

Hi Leo,

thanks for your answer and the provided link. I have studied the design guide. But I cannot see how the multi-group feature should help in our case. I just do not want any of the HSRP routers to answer an ARP request for the server IP address (the ARP reply of the server itself should be applied to the ARP table of the requesting router).

Do you know what I mean?

When, in the example of my previously attached image, RouterY requests the MAC address of the system with IP y.y.y.3, the server with this IP address answers. But the active HSRP router answers as well, and this is not the desired effect.

Actually we need to configure static ARP entries on RouterY to get the webserver y.y.y.3 accessible from external (WAN).

Maybe i have a mistake in my understanding of the actual situation, but this is what i can see from the show arp command and the hsrp documentation you provided via your link...

Best regards,

Jonas

Hi Jonas,

This is quite a complicated setup indeed and perhaps some more info on the routing setup would make my reasoning invalid, but I think it is as follows:

Your way of thinking would be correct in a transparently bridged environment but that is not what we have here.

What you observe is caused by IRB behavior as described in the link below:

http://www.cisco.com/en/US/tech/tk389/tk815/technologies_tech_note09186a0080094663.shtml#vlanrouting

This at least explains why mac addresses are changing when traversing routers running IRB.

The rest is a result of the def-gw you have set to the hsrp address. This makes all return traffic land on the active router.

This router will then have to bridge the packet to router y.y.y.1 and this path goes via the standby router.

regards,

Leo

Hi Leo,

you are right. But there is another solution in sight.

Shortly, we will deploy a firewall between the routers and the servers. This firewall becomes the default gateway of all servers and decides which router to use for forwarding the traffic. So the HSRP feature is not needed any more.

So the static mac entries will do the work around till this change is deployed.

Thanks for your help

Jonas
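The symptom Jonas describes in the original post (a server IP answered by the HSRP virtual MAC of the BVI as well as by the server itself) is, on the wire, indistinguishable from ARP spoofing: two MACs claim one IP. The following is an added example, not code from the thread or from Cisco, that audits tcpdump-style ARP reply lines for exactly that, identifies replies that come from an HSRPv1 virtual MAC (0000.0c07.acXX, XX being the group number), and emits the IOS static ARP lines Jonas used as a workaround. The capture lines, the 203.0.113.x addresses and the server MACs are constructed for the example; the thread only shows `show arp` output in an image.

```python
"""Audit ARP replies on a segment where HSRP/IRB gateways share the LAN with
servers, then generate IOS static-ARP lines for the server MACs.

Added example for the thread above; sample capture lines are constructed,
not taken from the original post."""
import re
from collections import defaultdict

# HSRPv1 virtual MAC prefix; the last byte is the HSRP group number.
HSRP_V1_PREFIX = "00:00:0c:07:ac:"

# Constructed tcpdump-style lines ("tcpdump -n -e arp" prints ARP replies as
# "ARP, Reply <ip> is-at <mac>"). 203.0.113.1 plays RouterY, 203.0.113.3 the
# web server, 00:00:0c:07:ac:01 the HSRP group-1 virtual MAC of the BVI.
SAMPLE_CAPTURE = """\
12:00:01.000001 ARP, Request who-has 203.0.113.3 tell 203.0.113.1, length 46
12:00:01.000150 ARP, Reply 203.0.113.3 is-at 00:00:0c:07:ac:01, length 46
12:00:01.000300 ARP, Reply 203.0.113.3 is-at 00:1a:64:aa:bb:cc, length 46
12:00:02.000000 ARP, Request who-has 203.0.113.4 tell 203.0.113.1, length 46
12:00:02.000200 ARP, Reply 203.0.113.4 is-at 00:1a:64:aa:bb:cd, length 46
"""

REPLY_RE = re.compile(r"ARP, Reply (\S+) is-at ([0-9a-fA-F:]{17})")


def parse_replies(text):
    """Map each IP to the ordered list of distinct MACs that claimed it."""
    seen = defaultdict(list)
    for line in text.splitlines():
        m = REPLY_RE.search(line)
        if not m:
            continue
        ip, mac = m.group(1), m.group(2).lower()
        if mac not in seen[ip]:
            seen[ip].append(mac)
    return dict(seen)


def is_hsrp_vmac(mac):
    """True for an HSRPv1 virtual MAC (0000.0c07.acXX)."""
    return mac.lower().startswith(HSRP_V1_PREFIX)


def find_conflicts(replies):
    """IPs answered by more than one MAC: the thread's symptom, and also the
    classic ARP-spoofing signature."""
    return {ip: macs for ip, macs in replies.items() if len(macs) > 1}


def answered_by_hsrp_vmac(replies):
    """IPs for which at least one reply came from an HSRP virtual MAC, i.e.
    a gateway, not the host, is answering for that address."""
    return [ip for ip, macs in replies.items() if any(is_hsrp_vmac(m) for m in macs)]


def server_macs(replies):
    """For each IP, the single non-HSRP MAC that answered (the real host).
    IPs with zero or several non-HSRP claimants are skipped: those need a
    human decision, not an automatic static entry."""
    out = {}
    for ip, macs in replies.items():
        hosts = [m for m in macs if not is_hsrp_vmac(m)]
        if len(hosts) == 1:
            out[ip] = hosts[0]
    return out


def ios_mac(mac):
    """aa:bb:cc:dd:ee:ff -> aabb.ccdd.eeff (Cisco IOS notation)."""
    h = mac.replace(":", "").lower()
    return f"{h[0:4]}.{h[4:8]}.{h[8:12]}"


def static_arp_lines(expected):
    """IOS global-config lines pinning each server IP to its MAC, so the
    router's ARP cache is no longer decided by who answers first."""
    return [f"arp {ip} {ios_mac(mac)} arpa" for ip, mac in expected.items()]


if __name__ == "__main__":
    replies = parse_replies(SAMPLE_CAPTURE)
    for ip, macs in find_conflicts(replies).items():
        print(f"CONFLICT {ip}: {', '.join(macs)}")
    for ip in answered_by_hsrp_vmac(replies):
        print(f"HSRP virtual MAC answered for {ip}")
    print("\n".join(static_arp_lines(server_macs(replies))))
```

Feed it a real capture from the standby router's server-facing VLAN (`tcpdump -n -l arp`) and review the `CONFLICT` lines before pasting the generated `arp ... arpa` commands: a static entry pins a MAC permanently, so it must be removed or updated when the server's bond0 hardware address changes.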
