Re: Traffic distribution Bridge domain members

celestin.kouacou1 · ‎04-07-2022

Hello,
I have 2*ASR9006 connected to 2*Juniper SRX , as described in the picture.
Both SRXs are working in active-standby mode (SRX01 is active and SRX02 standby)
A bridge domain is configured between both ASRs and both SRXs. VRRP running between both ASRs.
The normal downling traffic flow is: ISP -> ASR02 -ASR01 ->SRX01.
SRX02 is standby, so no MAC address learned by ASR02 on the interface Hu0/3/0/0.
For some unknown reasons, ASR02 sends traffic to SRX02 on it passive interface.

*** ASR02 Config ****
vrf Internet_vr
address-family ipv4 unicast
import route-target
65100:704
!
export route-target
65100:704
!
interface Loopback1
vrf Internet_vr
ipv4 address 172.25.31.50 255.255.255.255
!
interface BVI36
description Gi_to_Internet
bandwidth 100000000
mtu 9216
vrf Internet_vr
ipv4 address 172.25.31.34 255.255.255.248
!
interface HundredGigE0/1/0/1.36 l2transport
description Gi_to_Internet
encapsulation dot1q 36 exact
rewrite ingress tag pop 1 symmetric
!
interface HundredGigE0/3/0/0.36 l2transport
description Gi_to_Internet
encapsulation dot1q 36 exact
rewrite ingress tag pop 1 symmetric
!
interface HundredGigE0/3/0/2.999
description Internet_ISP2
vrf Internet_vr
ipv4 address 172.25.31.45 255.255.255.252
encapsulation dot1q 999
!
l2vpn
load-balancing flow src-dst-ip
bridge group IRB
bridge-domain IRB-Gi_to_Internet
interface Bundle-Ether1.36
interface HundredGigE0/1/0/1.36
interface HundredGigE0/3/0/0.36
routed interface BVI36
!
router vrrp
interface BVI36
address-family ipv4
vrrp 35 version 3
priority 253
preempt delay 15
timer 4
address 172.25.31.35
!

Regards

Kouacou Célestin

JimWicks · ‎04-08-2022

If the AR02 is sending the packets out on the 0/3/0/0 interface then that is probably because it's being flooded to all access-ports within the bridge-domain. What does the config of ASR01 look like and also do you see VRRP neighbour over the back-2-back Hu0/1/0/1.36 ??

You should be able to looks in the mac-table on the AR02 and AR01 and make sure that the SRX appears reachable via the expected access-interface, do you see anything shown there ??

MHM Cisco World · ‎04-08-2022

this abnormal traffic due to ICMP redirect message send from the Router inform the PC that there is L3 better than me for forward traffic.

celestin.kouacou1 · ‎04-08-2022

Hi MHM Cisco World,
Thanks for your reply.
I'm not sure that this is ICMP redirect message.
The graph from the monitoring tool, shows very high traffic on that link.

[cid:image001.png@01D84B6D.1DA9B7D0]

Regards
Kouacou Célestin

MHM Cisco World · ‎04-08-2022

Due to icmp redirect,

host send to GW asr01,

GW asr01 will send icmp redirect to this host inform it that best GW is asr02,

Now host will use asr02 not asr01 even if it at first use asr01.

This make traffic shift to asr02.

Check is asr01 send icmp redirect messages.

celestin.kouacou1 · ‎04-11-2022

Hi MHM Cisco World,

I’m not allowed to perform a debug on the system for the moment because it is in production.

I will do the debug once I get the approval.

But I still think that this is not due to ICMP redirect.

Let me explain again:

I have 2 ASRs and 2 Juniper SRXs running in cluster mode (Active and Standby).

See the network topology for more details.

ASR02 which is connected to SRX02, is not learning MAC addresses because SRX02 is in standby mode. SRX02 is just UP with no IP and no MAC address on it interface connected to ASR02

SRX01(connected to ASR01) is the active node in the cluster, with IP/Mac address.

MAC and ARP learned by ASR02 are from the link connected to ASR01. Never on the link to SRX02 (standby)

Regards

Kouacou Célestin