
N7010 6.2(6a) vrf-lite route-leaking hsrp vip cant ping from active hsrp nexus

charles.redan
Level 1

Hi Ma'am/Sirs,

We are having a problem with route-leaking the HSRP virtual IP from our Nexus 7010. Here is our configuration. We need to ping the active HSRP virtual IP inter-VRF; please see below. Your comments are greatly appreciated:

route-map DATACENTER-GLOBAL permit 10

route-map DATACENTER-INTERNAL permit 10

vrf context DATACENTER-GLOBAL
  rd 1:1
  address-family ipv4 unicast
    route-target import 3:3
    route-target export 1:1
vrf context DATACENTER-INTERNAL
  rd 3:3
  address-family ipv4 unicast
    route-target import 1:1
    route-target export 3:3

router bgp 1

  vrf DATACENTER-GLOBAL
    address-family ipv4 unicast
      redistribute direct route-map DATACENTER-GLOBAL
  vrf DATACENTER-INTERNAL
    address-family ipv4 unicast
      redistribute direct route-map DATACENTER-INTERNAL

interface Vlan501
  description {DATACENTER F5 Internal}
  no shutdown
  vrf member DATACENTER-INTERNAL
  ip address 10.101.1.13/29
  hsrp 105 
    preempt 
    ip 10.101.1.12

interface Vlan601
  description {DATACENTER F5 GLOBAL}
  no shutdown
  vrf member DATACENTER-GLOBAL
  ip address 10.101.1.2/29
  ip router ospf 10 area 0.0.0.0
  hsrp 106 
    preempt 
    ip 10.101.1.1

Test failed:

As you see, routes are imported via VRF-lite:

Route Distinguisher: 1:1    (VRF DATACENTER-GLOBAL)
*>r10.101.1.0/29      0.0.0.0                  0        100      32768 ?
*>r10.101.1.8/29      0.0.0.0                  0        100      32768 ?

Route Distinguisher: 3:3    (VRF DATACENTER-INTERNAL)
*>r10.101.1.0/29      0.0.0.0                  0        100      32768 ?
*>r10.101.1.8/29      0.0.0.0                  0        100      32768 ?

But ping tests are failing from VRF DATACENTER-GLOBAL to the VLAN 501 HSRP VIP & physical (VRF DATACENTER-INTERNAL):

Mandaue-N7K-1-VDC3# ping 10.101.1.12 vrf DATACENTER-GLOBAL
PING 10.101.1.12 (10.101.1.12): 56 data bytes
Request 0 timed out
Request 1 timed out
Request 2 timed out
Request 3 timed out
Request 4 timed out

--- 10.101.1.12 ping statistics ---
5 packets transmitted, 0 packets received, 100.00% packet loss
Mandaue-N7K-1-VDC3# ping 10.101.1.13 vrf DATACENTER-GLOBAL
PING 10.101.1.13 (10.101.1.13): 56 data bytes
Request 0 timed out
Request 1 timed out
Request 2 timed out
Request 3 timed out
Request 4 timed out

But from the active HSRP Nexus 7010-1, if I ping the standby HSRP Nexus 7010-2:

Mandaue-N7K-1-VDC3# ping 10.101.1.14 vrf DATACENTER-GLOBAL
PING 10.101.1.14 (10.101.1.14): 56 data bytes
Request 0 timed out
64 bytes from 10.101.1.14: icmp_seq=1 ttl=254 time=1.389 ms
64 bytes from 10.101.1.14: icmp_seq=2 ttl=254 time=1.157 ms
64 bytes from 10.101.1.14: icmp_seq=3 ttl=254 time=1.199 ms
64 bytes from 10.101.1.14: icmp_seq=4 ttl=254 time=1.203 ms

--- 10.101.1.14 ping statistics ---
5 packets transmitted, 4 packets received, 20.00% packet loss
round-trip min/avg/max = 1.157/1.236/1.389 ms

:(
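
The route-target import/export pairs in the configuration above decide which connected subnets each VRF leaks into the other, which is what the BGP table in the post reflects. As an added example (not part of the original post; the function names are hypothetical), this Python script derives that leak map from the posted lines so a segmentation audit can see exactly which prefixes cross the VRF boundary. It assumes `redistribute direct` with permit-all route-maps, as in the posted configuration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: the relevant lines of the configuration posted above.
CONFIG = """\
vrf context DATACENTER-GLOBAL
  address-family ipv4 unicast
    route-target import 3:3
    route-target export 1:1
vrf context DATACENTER-INTERNAL
  address-family ipv4 unicast
    route-target import 1:1
    route-target export 3:3
interface Vlan501
  vrf member DATACENTER-INTERNAL
  ip address 10.101.1.13/29
interface Vlan601
  vrf member DATACENTER-GLOBAL
  ip address 10.101.1.2/29
"""

def parse(config):
    """Return (route-targets per VRF, connected subnets per VRF)."""
    rts = defaultdict(lambda: {"import": set(), "export": set()})
    subnets = defaultdict(set)
    vrf = None  # VRF owning the current top-level block (None = default VRF)
    for line in config.splitlines():
        words = line.split()
        if not words:
            continue
        if not line[0].isspace():  # a new top-level block starts here
            vrf = words[2] if words[:2] == ["vrf", "context"] else None
        elif words[:2] == ["vrf", "member"]:
            vrf = words[2]
        elif vrf and len(words) == 3 and words[0] == "route-target" and words[1] in ("import", "export"):
            rts[vrf][words[1]].add(words[2])
        elif vrf and words[:2] == ["ip", "address"]:
            subnets[vrf].add(ipaddress.ip_interface(words[2]).network)
    return rts, subnets

def leaked_routes(config):
    """Map each importing VRF to {exporting VRF: [connected subnets leaked]}."""
    rts, subnets = parse(config)
    leaks = {}
    for src, src_rt in rts.items():
        for dst, dst_rt in rts.items():
            if src != dst and src_rt["export"] & dst_rt["import"] and subnets[src]:
                leaks.setdefault(dst, {})[src] = sorted(str(n) for n in subnets[src])
    return leaks
```

Removing one `route-target import` line from the input makes the leak one-way, which is the quickest check that a segmentation boundary is only open in the direction intended.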

 

3 Replies

bill-armstrong
Level 1

We're running 6.1(5) with a very similar config and are seeing the same thing. 

Doing an ethanalyzer

ethanalyzer local interface inband capture-filter 'host 68.114.40.1'
Capturing on inband
2014-09-22 20:35:32.622720 00:00:0c:9f:f2:9a -> ff:ff:ff:ff:ff:ff ARP Gratuitous ARP for 68.114.40.1 (Request)
2014-09-22 20:35:34.849954 00:00:0c:9f:f2:9a -> ff:ff:ff:ff:ff:ff ARP Gratuitous ARP for 68.114.40.1 (Request)
2014-09-22 20:35:36.992414 00:00:0c:9f:f2:9a -> ff:ff:ff:ff:ff:ff ARP Gratuitous ARP for 68.114.40.1 (Request)
2014-09-22 20:35:39.179997 00:00:0c:9f:f2:9a -> ff:ff:ff:ff:ff:ff ARP Gratuitous ARP for 68.114.40.1 (Request)
2014-09-22 20:35:41.299952 00:00:0c:9f:f2:9a -> ff:ff:ff:ff:ff:ff ARP Gratuitous ARP for 68.114.40.1 (Request)

 

So the Nexus is GARP'ing, but my suspicion is this is the result of the inter-VRF interfaces not sharing a layer 2 domain.

Vitor Mazali
Level 1

Hi, I'm running 6.2, I've just configured this and faced the same problem. Has anyone solved it?

Hi Vitor, had an answer from Cisco TAC: as this feature is not fully supported on Nexus, our client decided not to use VRF-lite on the Nexus. Instead, just use another subinterface on the uplink, using the bypass VRF to implement the bypass (keep it shut, and just no shut and enable routing when needing to bypass the firewall).