Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1490
Views
5
Helpful
1
Replies

Nexus 5600 HSRP design question for stretched vlans between 2 vPc domains.

Go to solution
Arjen K
Level 1
Level 1

‎10-20-2016 02:06 AM

For our new datacenter network I have 4 Nexus 5672UP's in two datacenters. Between the datacenters is a redundant vPc with 2x10Gb fibers. I've configured two VPC domains, one for each datacenter. I have read that HSRP within a VPC domain is active/active, however I wonder what would be the proper way to configure the HSRP setup for the stretched VLAN's since they are in two different vPc domains?

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Tyler Jeffords
Cisco Employee
Cisco Employee

‎10-20-2016 02:55 AM

If you need FHRP isolation between the sites, this can be achieved by configuring HSRP authentication at one site therefore stopping the HSRP hellos between the sites from being processed and allowing each site to act in Active/Standby state. Due to the HW architecture on the Nexus 5600, control plane multicast packets are punted to the CPU ignoring any PACL or MAC-ACL. So with a PACL, you will not be able to filter HSRP Hellos, ARP, BPDUs, etc. which need to go to the CPU, because there is a pre-defined ACL to redirect control traffic to CPU and this ACL that takes precedence over the user-configured ACL. It is recommended to configure "no ip arp gratuitous hsrp duplicate" to suppress the un-necessary GARPs at each site in this design as well. Also note 4-way HSRP is only supported on the latest NX-OS versions, refer to CSCuy89705.

Another solution is to run FabricPath DCI with Anycast HSRP which will allow all 5600s to act as an active default gateway, refer to page 22 of the Cisco FabricPath Best Practices.

- Tyler Jeffords

View solution in original post

1 Reply 1

Go to solution
Tyler Jeffords
Cisco Employee
Cisco Employee

‎10-20-2016 02:55 AM

If you need FHRP isolation between the sites, this can be achieved by configuring HSRP authentication at one site therefore stopping the HSRP hellos between the sites from being processed and allowing each site to act in Active/Standby state. Due to the HW architecture on the Nexus 5600, control plane multicast packets are punted to the CPU ignoring any PACL or MAC-ACL. So with a PACL, you will not be able to filter HSRP Hellos, ARP, BPDUs, etc. which need to go to the CPU, because there is a pre-defined ACL to redirect control traffic to CPU and this ACL that takes precedence over the user-configured ACL. It is recommended to configure "no ip arp gratuitous hsrp duplicate" to suppress the un-necessary GARPs at each site in this design as well. Also note 4-way HSRP is only supported on the latest NX-OS versions, refer to CSCuy89705.

Another solution is to run FabricPath DCI with Anycast HSRP which will allow all 5600s to act as an active default gateway, refer to page 22 of the Cisco FabricPath Best Practices.

- Tyler Jeffords

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents