Solved: HSRP over VPC with subinterfaces

JanineZipfel2801 · ‎08-25-2020

Hi community,

I think I missed a configuration line for HSRP. The question is, how the multicast-packets of hsrp v2 are communicated if the hsrp members are configured within a physical subinterface.

Setup:

Fortigate500E Port9 =(like Portchanenl)= Fortigate500E Port10

| |

Eth3/48.27 Eth3/48.27

HSRP27 HSRP27

NX7010-1 -> VPC PEER LINK (with VLAN27) <- NX7010-2

Behavior:

Both Nexus N7K are in a VPC with each other, all vlans are allowed on PEER-Link. On both I have a Vlan20 interface configured with HSRP v2 Group 20. There the HSRP works, so the HSRP multicast-packets have to go over the PEER-Link, in VLAN20 I think. There is no other connection for Vlan 20.

Now I configured Subinterfaces of ETH3/48 with HSRP and a vlan encapsulation 27. But the mutlicast-packets were not received. So I think here is a missing command, that the HSRP for VLAN27 has to be announced over the VPC-PEER.

Could you help?

Configuration:

NX7010-1:

interface Ethernet3/48
description RT-IT-FW-4_CHK
no switchport
no shutdown

interface Ethernet3/48.27
description Transfer_RT-IT-FW-4
encapsulation dot1q 27
no ip redirects
ip address 10.4.5.2/24
ip pim sparse-mode
hsrp version 2
hsrp 27
authentication text DMZ27
preempt delay minimum 300
priority 105
ip 10.4.5.1
no shutdown

show hsrp group 27 brief

Interface Grp Prio P State Active addr Standby addr Group addr
Eth3/48.27 27 105 P Active local unknown 10.4.5.1

NX7010-2:

interface Ethernet3/48
description RT-IT-FW-4_CHK
no switchport
no shutdown

interface Ethernet3/48.27
description Transfer_RT-IT-FW-4
encapsulation dot1q 27
no ip redirects
ip address 10.4.5.3/24
ip pim sparse-mode
hsrp version 2
hsrp 27
authentication text DMZ27
preempt delay minimum 300
priority 95
ip 10.4.5.1
no shutdown

show hsrp group 27 brief
Interface Grp Prio P State Active addr Standby addr Group addr
Eth3/48.27 27 95 P Active local unknown 10.4.5.1

mlund · ‎08-25-2020

Hi

Making a port no switchport, will set that port to "routerport". You can, as You have done, then make subinterfaces. Each subinterface must have it's own encapsulation-number. What encapsulation have you configured for the subinterface ? The number of the subinterface (.27) in your example has nothing to do with vlan27. Whatever encapsulation you configure, it will not sent packet through the vpc link, it will only send packets out of the port. And that packet will be encapsulated with the dot1q tag you have configured. So for your hsrp to work it must be able to communicate with each other outside the nexus.

/Mikael

View solution in original post

JanineZipfel2801 · ‎08-25-2020

So I found a way that I can connect both physical port without an extra device. The both remote ports on the Fortigate can be connected as a switch, so the Fortigate can have a virtual port there do be addressed and the nexus-switches can see each other over the fortigate - hsrp is working.

Thank you for your help!

View solution in original post

balaji.bandi · ‎08-25-2020

yes VLAN 27 required to be allowed in vPC link to establish HSRP.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

JanineZipfel2801 · ‎08-25-2020

It is allowed. So I wonder why they not get any answeres.

interface port-channel15
description VPC-PEER_to_SW-DC1-DMZ-1
switchport mode trunk
spanning-tree port type network
vpc peer-link

vPC Peer-link status
---------------------------------------------------------------------
id Port Status Active vlans
-- ---- ------ --------------------------------------------------
1 Po15 up 1,15,20,27

balaji.bandi · ‎08-25-2020

is VLAN created both the side ?

can you post show spanning-tree for VLAN 27 ?

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

JanineZipfel2801 · ‎08-25-2020

I think the VLAN is running correctly. Is there a debug command, where I can see packets within the VLAN27 on the Peer-Link?

NX7010-01:
vPC Peer-link status
---------------------------------------------------------------------
id Port Status Active vlans
-- ---- ------ --------------------------------------------------
1 Po15 up 1,15,20,27
VLAN0027
Spanning tree enabled protocol rstp
Root ID Priority 32795
Address 0023.04ee.be0f
This bridge is the root
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Bridge ID Priority 32795 (priority 32768 sys-id-ext 27)
Address 0023.04ee.be0f
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Interface Role Sts Cost Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Po15 Root FWD 2 128.4110 (vPC peer-link) Network P2p

NX7010-2:
vPC Peer-link status
---------------------------------------------------------------------
id Port Status Active vlans
-- ---- ------ --------------------------------------------------
1 Po15 up 1,15,20,27
VLAN0027
Spanning tree enabled protocol rstp
Root ID Priority 32795
Address 0023.04ee.be0f
This bridge is the root
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Bridge ID Priority 32795 (priority 32768 sys-id-ext 27)
Address 0023.04ee.be0f
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Interface Role Sts Cost Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Po15 Desg FWD 2 128.4110 (vPC peer-link) Network P2p

balaji.bandi · ‎08-25-2020

I will start with Ping - is the ping working between the IP configured on VLAN 27

can you able to ping .2 to .3 ? (other test, are you able to ping locally - i have seen weird issue some time back, locally not able to ping some times, so i have to delete the interface and re-create to work).

remove authentication and check

Can you post below information : from both the devices ?

show run interface eth 3/48

show hsrp interface Ethernet3/48.27

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

JanineZipfel2801 · ‎08-25-2020

I am not able to ping within Vlan 27, while VPC says VLAN is up. Well, I can route over VLAN20, so Vlan 27 is reachable, but for multicast addresses this doesn't work - besides this isn't a nice setup.
Also strange, the Fortigate only answeres one of the active ports - but I think this is a nother configuration missing on Forti and further the Forti should at least ping the hsrp address .1
During all the tests I deleted and reconfigured much times those interfaces. I also tried a Portchannel.subinterface. I have no ideas left, but I know it works, because in an other VDC the setup seems to be very similar and there the hsrp is working.

Pings:
ping 10.4.5.2 source 10.4.2.2 - N7K-1 Vlan 20 to N7K-1 Vlan 27: i.O.
ping 10.4.5.3 source 10.4.2.3 - N7K-2 Vlan 20 to N7K-2 Vlan 27: i.O.
ping 10.4.5.8 source 10.4.2.3 - N7K-2 Vlan 27 to Fortigate500 Vlan 27: i.O.
ping 10.4.5.8 source 10.4.2.2 - N7K-1 Vlan 27 to Fortigate500 Vlan 27: time out
ping 10.4.5.8 source 10.4.2.2 while shutdown 10.4.2.3 - N7K-1 Vlan 27 to Fortigate500 Vlan 27 (N7K-2 Vlan 27 shutdown): i.O.
ping 10.4.2.2 source 10.4.2.3 and other way round: time out

JanineZipfel2801 · ‎08-25-2020

N7K-1# show run interf eth3/48

interface Ethernet3/48
description RT-IT-FW-4_CHK
no switchport
no shutdown

N7K-1# show hsrp interface ethernet 3/48.27
Ethernet3/48.27 - Group 27 (HSRP-V2) (IPv4)
Local state is Active, priority 105 (Cfged 105), may preempt
Forwarding threshold(for vPC), lower: 1 upper: 105
Preemption Delay (Seconds) Minimum:300
Hellotime 3 sec, holdtime 10 sec
Next hello sent in 2.527000 sec(s)
Virtual IP address is 10.4.5.1 (Cfged)
Active router is local
Standby router is unknown
Authentication text "DMZ27"
Virtual mac address is 0000.0c9f.f01b (Default MAC)
2 state changes, last state change 01:02:30
IP redundancy name is hsrp-Eth3/48.27-27 (default)

N7K-2# show run interf eth3/48
interface Ethernet3/48
description RT-IT-FW-4_CHK
no switchport
no shutdown

N7K-2# show hsrp group 27
Ethernet3/48.27 - Group 27 (HSRP-V2) (IPv4)
Local state is Active, priority 95 (Cfged 95), may preempt
Forwarding threshold(for vPC), lower: 1 upper: 95
Preemption Delay (Seconds) Minimum:300
Hellotime 3 sec, holdtime 10 sec
Next hello sent in 0.855000 sec(s)
Virtual IP address is 10.4.5.1 (Cfged)
Active router is local
Standby router is unknown
Authentication text "DMZ27"
Virtual mac address is 0000.0c9f.f01b (Default MAC)
5 state changes, last state change 00:13:23
IP redundancy name is hsrp-Eth3/48.27-27 (default)

mlund · ‎08-25-2020

Hi

Making a port no switchport, will set that port to "routerport". You can, as You have done, then make subinterfaces. Each subinterface must have it's own encapsulation-number. What encapsulation have you configured for the subinterface ? The number of the subinterface (.27) in your example has nothing to do with vlan27. Whatever encapsulation you configure, it will not sent packet through the vpc link, it will only send packets out of the port. And that packet will be encapsulated with the dot1q tag you have configured. So for your hsrp to work it must be able to communicate with each other outside the nexus.

/Mikael

JanineZipfel2801 · ‎08-25-2020

As shown in one of the first posts I configured "encapsulation dot1q 27" on both interfaces. I was observing, that the firewall is getting VLAN encapsulated packets. So packets really leave the Nexus with flag Vlan 27. Because both subinterfaces are not able to ping each other, I wonder if they can reach each other over vlan 27 via VPC link.

With your last post you confirm that it is not possible that Subinterfaces can put their HSRP multicast traffic into the VPC link.

I hoped I can avoid any scripting/tracking if routes get disabled caused by a port down event. So I would like to have a Layer3 interface which go offline if the port goes down. Also it is the simplest way to configure the Fortigate, if there is only one address / virtual router.

On the other hand in the other VDC there is an almost similar setup, which is working with HSRP. This domain is a little bit more complicated so I cannot say that there aren't links that may transport the hsrp traffic besides the VPC PEER.

Is there a difference of hsrp behavior with portchannel subinterfaces instead of Ethernet subinterfaces?

balaji.bandi · ‎08-25-2020

Looks like some information we are missing here ?

Do you have any high level diagram ? where this port connected 3/48 ? 3/48 is connected to FW ?

As per my understand we are doing 2 different task here .

i

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

JanineZipfel2801 · ‎08-25-2020

JanineZipfel2801 · ‎08-25-2020

So I found a way that I can connect both physical port without an extra device. The both remote ports on the Fortigate can be connected as a switch, so the Fortigate can have a virtual port there do be addressed and the nexus-switches can see each other over the fortigate - hsrp is working.

Thank you for your help!

balaji.bandi · ‎08-26-2020

thanks for th input and glad all working as expected.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help