1918 Views | 5 Helpful | 1 Replies

HSRP Issue on Nexus 9k

Garry Cooper
Level 1

Hi All.

I have 2 datacentres with a pair of Nexus 9k (9364C) at each site running HSRP.

With HSRP set up between the 4 sites, I lose default route access to our firewall.

Default route 0.0.0.0/0 172.17.0.4 is to our firewall.

HA for the firewalls is across the 10 Gb inter-DC Layer 2 link.

The engineer who initially set up the Nexus 9k added an ACL that blocks the HSRP between the DCs.

This works now and I can access the firewall by the default route, but I am not sure why the HSRP is not working correctly if I remove this ACL.

Attached is a diagram of the setup.

 

Any ideas, guys?

IP access list HSRP_ISOLATON
5 permit ip 10.249.9.0 0.0.0.15 any log
10 deny udp any 224.0.0.2/32 eq 1985
20 deny udp any 224.0.0.102/32 eq 1985
30 deny udp any 224.0.0.18/32 eq 1985
40 permit ip any any

Accepted Solution

Sergiu.Daniluk
VIP Alumni

Hi @Garry Cooper 

I suppose that you have 2 vPC domains, one in each DC. If this is true, then the HSRP isolation is required to avoid the situation of HSRP Active + HSRP Listening in one DC and HSRP Standby + HSRP Listening in the other DC.

If you arrive in this situation, then the HSRP Listening node will "try" to route the traffic (because of the vPC), but since it cannot really route, the traffic is black-holed.

Additional details about HSRP isolation: https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus9000/sw/7-x/interfaces/configuration/guide/b_Cisco_Nexus_9000_Series_NX-OS_Interfaces_Configuration_Guide_7x/b_Cisco_Nexus_9000_Series_NX-OS_Interfaces_Configuration_Guide_7x_appendix_011...

Regards,

Sergiu
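To check what the posted HSRP_ISOLATON ACL actually filters before relying on it as the isolation mechanism, the following added example (not from the thread, and not Cisco code) evaluates the ACL's entries against a handful of constructed packets using first-match semantics. It models only the subset of the NX-OS ACE grammar used in the post (`any`, prefix/length, address plus wildcard mask, `eq <port>`, `log`) and the sample source addresses are made up. Two things it makes visible: entry 5 permits anything sourced from 10.249.9.0/28 before the deny entries are consulted, so HSRP hellos from a source inside that range would pass; and entry 30 only matches UDP port 1985 to 224.0.0.18, whereas VRRP advertisements are IP protocol 112, so that entry never matches a real VRRP packet.

```python
"""Evaluate an NX-OS style IPv4 ACL against sample packets, first match wins (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# The ACL exactly as posted in the thread (output of 'show ip access-list').
ACL_TEXT = """\
IP access list HSRP_ISOLATON
5 permit ip 10.249.9.0 0.0.0.15 any log
10 deny udp any 224.0.0.2/32 eq 1985
20 deny udp any 224.0.0.102/32 eq 1985
30 deny udp any 224.0.0.18/32 eq 1985
40 permit ip any any
"""


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                  # "udp", "tcp", or an IP protocol number as a string
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    seq: int
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" matches every protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]
    log: bool


def _take_address(tokens):
    """Consume one address spec: 'any', 'a.b.c.d/len', or 'a.b.c.d <wildcard>'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if "/" in tok:
        return ipaddress.IPv4Network(tok, strict=False)
    wildcard = tokens.pop(0)
    if wildcard == "0.0.0.0":   # host match; ipaddress would read 0.0.0.0 as a /0 netmask
        return ipaddress.IPv4Network(f"{tok}/32")
    # ipaddress accepts a Cisco wildcard (hostmask) after the slash, e.g. 0.0.0.15 -> /28
    return ipaddress.IPv4Network(f"{tok}/{wildcard}", strict=False)


def parse_acl(text):
    """Parse the subset of the NX-OS ACE grammar used in the posted ACL."""
    rules = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or not tokens[0].isdigit():
            continue            # header line or blank
        seq, action, proto = int(tokens.pop(0)), tokens.pop(0), tokens.pop(0)
        src, dst = _take_address(tokens), _take_address(tokens)
        dport, log = None, False
        while tokens:
            t = tokens.pop(0)
            if t == "eq":
                dport = int(tokens.pop(0))
            elif t == "log":
                log = True
            else:
                raise ValueError(f"unsupported keyword {t!r} on ACE {seq}")
        rules.append(Rule(seq, action, proto, src, dst, dport, log))
    return rules


def evaluate(rules, pkt):
    """Return (action, seq) of the first matching ACE, or ('deny', None) for the implicit deny."""
    for r in rules:
        if r.proto != "ip" and r.proto != pkt.proto:
            continue
        if ipaddress.IPv4Address(pkt.src) not in r.src:
            continue
        if ipaddress.IPv4Address(pkt.dst) not in r.dst:
            continue
        if r.dport is not None and r.dport != pkt.dport:
            continue
        return r.action, r.seq
    return "deny", None


# Constructed sample packets; only 172.17.0.4 (the firewall) comes from the post.
SAMPLES = {
    "hsrpv1_hello": Packet("10.250.1.2", "224.0.0.2", "udp", 1985),
    "hsrpv2_hello": Packet("10.250.1.2", "224.0.0.102", "udp", 1985),
    "vrrp_advert": Packet("10.250.1.2", "224.0.0.18", "112"),     # VRRP is IP protocol 112, not UDP
    "hsrpv2_from_exempt_subnet": Packet("10.249.9.5", "224.0.0.102", "udp", 1985),
    "https_to_firewall": Packet("10.250.1.20", "172.17.0.4", "tcp", 443),
}


def classify_samples():
    """Map each sample name to the (action, seq) the posted ACL applies to it."""
    rules = parse_acl(ACL_TEXT)
    return {name: evaluate(rules, pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, (action, seq) in classify_samples().items():
        print(f"{name:28s} -> {action} (ACE {seq})")
```

Running it shows both HSRP hello variants denied by entries 10 and 20, the VRRP advertisement and the HTTPS flow to the firewall permitted by entry 40, and the HSRPv2 hello sourced from inside 10.249.9.0/28 permitted by entry 5. If the isolation is meant to be unconditional, the permit on entry 5 belongs after the deny entries, or its source range must not overlap the HSRP-speaking interfaces.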
