Solved: IRB and HSRP with strange ARP behaviour

cisco4com · ‎08-15-2011

Hi,

we have the following redundancy concept at each of our core colocations:

two carrier internet connections with official ip addresses (x.x.x.x/29)
two cisco 7206 vxr routers with npe-g1 as gateway device for each carrier interconnect
two cisco 2960s switches for server connectivity - stacked
ibm server with redhat linux and two gigabit ethernet ports (one on each switch) in linux bonding mode (active/standby)
each cisco router is connected to carrier uplink device with crossover cable - interface gigabitethernet0/1
each cisco router is also connected to both switches with patch cable - interface gigabitethernet0/2 and 0/3
the gigabitethernet interface 0/2 and 0/3 are grouped with irb bridge group and spanning tree is configured with highest bridge priority
- so one interface is blocked and the router never gets the root bridge
both routers speak ospf with gateway routers on our other colocations
both routers have hsrp activated on the bvi1 interface - with the internal ip that is configured as default gateway on all servers
the official ip addresses for our servers were routed through the routers statically to the bvi1 interface

Everything works as expected. But the arp requests on the hsrp standby router for the official ip addresses of "its" carrier connection are answered by the active hsrp router and its virtual mac address of the bvi interface.

I have attached a visio drawing as png with will give an overview.

As example, the standby router for CarrierY gets a http request from wan to ip y.y.y.3

In the arp table of this router i can see the mac address of the active router for this y.y.y.3 instead of the mac address of the server which has the y.y.y.3 configured as interface bond0.0.

So the active router answers the arp request faster (or because of the hsrp with higher priority?) then the server.

Is there any way to get the active router not answering arp requests for official ip addresses of the standby router.

Or other way around, is there any way to get the standby router ignoring arp answers of the active router, because the standby router has static routes for this ip addresses?

Please have a look at the attached png file, i have inserted some configuration lines and the show arp output.

Thanks and regards,

Jonas

lgijssel · ‎08-15-2011

Hi Jonas,

This is quirte a complicated setup indeed and perhaps some more info on the routing setup would make my reasoning invalid but I think it is as follows:

Your way of thinking would be correct in a transparently bridged environment but that is not what we have here.

What you observe is caused by IRB behavior as described in the link below:

http://www.cisco.com/en/US/tech/tk389/tk815/technologies_tech_note09186a0080094663.shtml#vlanrouting

This at least explains why mac addresses are changing when traversing routers running IRB.

The rest is a result of the def-gw you have set to the hsrp address. This makes all return traffic land on the active router.

This router will then have to bridge the packet to router y.y.y.1 and this path goes via the standby router.

regards,

Leo

View solution in original post

lgijssel · ‎08-15-2011

Hi Jonas,

This is the way in which hsrp works. Reading through your problem description, I cannot see why you have not configure a second hsrp group with the hsrp-master on the other router. Example setup:

http://docwiki.cisco.com/wiki/Internetwork_Design_Guide_--_Using_HSRP_for_Fault-Tolerant_IP_Routing#Using_HSRP_for_Fault-Tolerant_IP_Routing

This would cause traffic for y.y.y.x to be sent over the other router by default.

regards,

Leo

cisco4com · ‎08-15-2011

Hi Leo,

thanks for your answer and the provided link. I have studied the design guide. But i can not clarify, how the multi grouping feature should help in our case. I only do not want any of the hsrp router to answer an arp request to the server ip address - (the arp reply of the server itself should be applied to the arp table of the requesting router.

Do you know what i mean?

When - in the example of my previously attached image - RouterY requests the mac adress of the system with ip y.y.y.3, the server with this ip address answers. But the active hsrp router answers as well, and this is not the desired effect.

Actually we need to configure static arp entries on RouterY to get the webserver y.y.y.3 accessable from external (wan).

Maybe i have a mistake in my understanding of the actual situation, but this is what i can see from the show arp command and the hsrp documentation you provided via your link...

Best regards,

Jonas

lgijssel · ‎08-15-2011

Hi Jonas,

This is quirte a complicated setup indeed and perhaps some more info on the routing setup would make my reasoning invalid but I think it is as follows:

Your way of thinking would be correct in a transparently bridged environment but that is not what we have here.

What you observe is caused by IRB behavior as described in the link below:

http://www.cisco.com/en/US/tech/tk389/tk815/technologies_tech_note09186a0080094663.shtml#vlanrouting

This at least explains why mac addresses are changing when traversing routers running IRB.

The rest is a result of the def-gw you have set to the hsrp address. This makes all return traffic land on the active router.

This router will then have to bridge the packet to router y.y.y.1 and this path goes via the standby router.

regards,

Leo

cisco4com · ‎08-17-2011

Hi Leo,

you are right. But there is another solution in sight.

In short time, we will deploy a firewall between the routers and the servers. This firewall gets the default gateway of all servers and makes decision, which router to use for forwarding the traffic. So the hsrp feature is not needed any more.

So the static mac entries will do the work around till this change is deployed.

Thanks for your help

Jonas