Nexus 9508 vrrp routing question

pheloluxad
Level 1

Let's say there are two cores, 1 and 2, both with a port channel to two different switches, po10 and po20. There's a VRRP interface VLAN on both c1 and c2. Shouldn't the switches on po10 and po20 be able to ping every IP on the interface VLAN that is set up as a master/backup VRRP?

Second part of this: there's an ACL on the egress of each. With the ACLs on the interface VLAN, the switches on po10 and po20 can ping the VRRP gateway; po11 cannot ping the interface IP on the master side, or the interface IP on the backup, whereas the po20 switch can ping the VRRP gateway and the interface IP on the master side. If I remove both ACLs, they can ping everything, all interface IPs on both sides and the VRRP gateway. So I know the ACL on the egress is blocking it because it's hitting the deny ip any any statement for allowed hosts; I'm trying to figure out why it's acting this way and how to trace how the traffic actually flows between the switches and the Nexus boxes. The second part of that question is, why can one switch ping the VRRP interface IP but the other can't? Is this a bug I'm not aware of? I would assume if it was truly the ACL blocking, it would be blocking everything and not just a random IP. Anyone else seen anything odd like this?

EDIT: As far as the routing goes, I'm 100% sure the ACL is blocking things, so I guess I'm wondering if anyone has any good links that explain how I can trace the traffic. E.g., would there be traffic that hits the backup VRRP that gets routed to the primary from an endpoint? I assumed both would do the routing, but the way it feels to me is it could be going in the backup and out the master somehow. Been a long day, so sorry if this seems rambling.

3 Replies

Hello,

post the running configs of both core switches, as well as a schematic drawing of your topology, showing how your devices are connected...

First, Cisco recommends HSRP, not VRRP.
Second, HSRP in Nexus makes both vPC peers HSRP active,
so you need to add the ACL to the SVI on both Nexus peers.
MHM
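As an added illustration of the point above (example configuration written for this thread, not the original poster's config and not taken from a Cisco document): with vPC, both peers forward for the gateway address, so the SVI ACL has to exist, identically, on both cores. Adding `statistics per-entry` to the ACL gives per-line match counters on each core, which is the quickest way to see which entry the pings from the po10 and po20 switches are actually hitting and on which peer. VLAN 100, the 10.100.0.0/24 addressing, the ACL name VLAN100-OUT and VRRP group 100 are all assumed values.

```cisco
! Core 1 (vPC peer 1). Assumed addressing for this example:
!   10.100.0.1  VRRP virtual IP (the gateway the switches use)
!   10.100.0.2  core 1 SVI address
!   10.100.0.3  core 2 SVI address
! Core 2 carries the same ACL verbatim; only its SVI address and VRRP priority differ.
feature interface-vlan
feature vrrp

ip access-list VLAN100-OUT
  statistics per-entry
  remark VRRP virtual IP reachable by the VLAN
  10 permit icmp 10.100.0.0/24 10.100.0.1/32
  remark both physical SVI addresses, so either peer answers regardless of who is master
  20 permit icmp 10.100.0.0/24 10.100.0.2/32
  30 permit icmp 10.100.0.0/24 10.100.0.3/32
  remark allowed hosts within the VLAN
  40 permit ip 10.100.0.0/24 10.100.0.0/24
  remark catch-all; its counter shows exactly what is being dropped
  100 deny ip any any

interface Vlan100
  no shutdown
  ip address 10.100.0.2/24
  ip access-group VLAN100-OUT out
  vrrp 100
    priority 120
    address 10.100.0.1
    no shutdown
```

After a few pings from each switch, `show ip access-lists VLAN100-OUT` on each core shows the per-entry match counts, so a counter that increments only on one peer tells you which core is carrying that flow; `show vrrp` confirms which peer is master and `show vpc` confirms the peer-link and the vPC member port channels are up. If the ACL on the two cores differs by even one line, the counters will show the same ping matching different entries on each peer.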

Ruben Cocheno
Spotlight

@pheloluxad 

Perhaps the clue is on your VPC config across both switches, give a look on documents below.

https://www.cisco.com/c/en/us/support/docs/ios-nx-os-software/nx-os-software/217274-understand-virtual-port-channel-vpc-en.html

https://www.cisco.com/c/dam/en/us/td/docs/switches/datacenter/sw/design/vpc_design/vpc_best_practices_design_guide.pdf


Tag me to follow up.
Please mark it as Helpful and/or Solution Accepted if that is the case. Thanks for making Engineering easy again.
Connect with me for more on Linkedin https://www.linkedin.com/in/rubencocheno/