network setup confusion

Scott_O'Brien
Level 1

Hey all,

So this may be a bit hard to explain, but I will try.

So we have two sites: one site is the master for VRRP and the other is the slave. Recently we had an issue where all the external traffic on the slave side was being black-holed (the master side was fine). We found out the cause was that the default gateway on the slave was set to a firewall's physical IP and not the virtual IP, and that firewall was down at the time. The master was set up correctly (poor management, I know, but it has now been corrected).

What confused me is this: shouldn't all the external traffic be sent from the slave to the master, as the client sends its traffic to the MAC address of the default gateway, that being the VRRP virtual MAC address, and therefore the master, having control of it, forwards the traffic?

So my question is: shouldn't all the traffic have been sent directly to the master, as it had the VRRP address, and then been forwarded out from there?

2 Replies

Antonio Knox
Level 7

VRRP is a layer 3 redundancy (first hop) protocol. The default gateway of clients should be set to the IP address of the VRRP VIP for it to be of any use. Where the VRRP MAC address is controlled is only significant to the routers participating in the protocol, in that the "slave" router picks up control of the VRRP VIP's MAC address when the master router fails.

If the master was up and configured correctly then it controlled the MAC address the whole time, but this does not matter if your hosts are (incorrectly) pointing their default gateway to the physical IP of the firewall and not the VRRP VIP. In this situation, the clients are unaware of the VRRP configuration. VRRP does not work in a way that it notifies clients that their default gateway is improperly configured, unfortunately.

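The behaviour described in the reply above can be made concrete with a small simulation. This is an added example, not code from the thread or from Cisco: it models two firewalls sharing a VRRP VIP, a simplified priority-based master election, ARP resolution on the shared segment, and what happens to a client's packet depending on whether its default gateway is the VIP or one firewall's physical IP. Router names, IPs, MACs and priorities are constructed values; the virtual MAC prefix 00:00:5e:00:01 followed by the VRID is the one VRRP uses for IPv4.

```python
"""Toy model of VRRP first-hop redundancy (constructed example, not vendor code).

Two routers share a virtual IP (VIP). The current master answers ARP for the
VIP with the VRRP virtual MAC 00:00:5e:00:01:<VRID>; when the master fails,
the highest-priority surviving router takes over the VIP and its MAC.
A client whose default gateway is a router's *physical* IP is outside VRRP
entirely: if that router is down, nothing answers and the traffic is black-holed.
"""
from dataclasses import dataclass

VRID = 1  # constructed VRRP group id
VIRTUAL_MAC = f"00:00:5e:00:01:{VRID:02x}"  # IANA VRRP IPv4 MAC prefix + VRID


@dataclass
class Router:
    name: str
    phys_ip: str
    phys_mac: str
    priority: int
    up: bool = True


@dataclass
class VrrpGroup:
    vip: str
    routers: list

    def master(self):
        """Highest-priority router that is up owns the VIP (election simplified)."""
        alive = [r for r in self.routers if r.up]
        if not alive:
            return None
        return max(alive, key=lambda r: r.priority)

    def arp_resolve(self, ip):
        """MAC that answers an ARP request for `ip` on this segment, or None."""
        if ip == self.vip:
            # Only the current master replies for the VIP, always with the virtual MAC.
            return VIRTUAL_MAC if self.master() else None
        for r in self.routers:
            if r.phys_ip == ip:
                # A physical IP is answered only by that one box, and only while it is up.
                return r.phys_mac if r.up else None
        return None

    def forward(self, gateway_ip):
        """Name of the router that actually forwards a client packet sent to gateway_ip."""
        mac = self.arp_resolve(gateway_ip)
        if mac is None:
            return "BLACKHOLE"
        if mac == VIRTUAL_MAC:
            return self.master().name
        return next(r.name for r in self.routers if r.phys_mac == mac)


def build_site():
    # Constructed topology: fw-a is the preferred master, fw-b the backup.
    fw_a = Router("fw-a", "10.0.0.2", "aa:aa:aa:aa:aa:01", priority=120)
    fw_b = Router("fw-b", "10.0.0.3", "aa:aa:aa:aa:aa:02", priority=100)
    return VrrpGroup("10.0.0.1", [fw_a, fw_b])


def scenario(gateway_ip, failed=None):
    """Bring up the site, optionally fail one router, and see who forwards."""
    g = build_site()
    if failed:
        for r in g.routers:
            if r.name == failed:
                r.up = False
    return g.forward(gateway_ip)


if __name__ == "__main__":
    print("gateway=VIP, all up              ->", scenario("10.0.0.1"))
    print("gateway=VIP, fw-a down           ->", scenario("10.0.0.1", failed="fw-a"))
    print("gateway=fw-a physical, fw-a down ->", scenario("10.0.0.2", failed="fw-a"))
```

The third scenario is the one from the original post: the client's gateway entry names the physical IP of a box that is down, so no ARP reply ever comes back and the packet is dropped at the first hop. Nothing in VRRP can rescue that client, because it never asked for the VIP. A quick check on a real client is to compare the configured gateway against the VIP and confirm the resolved gateway MAC starts with 00:00:5e:00:01.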
Edison Ortiz
Hall of Fame

How was the connection from the switches towards the FWs?

If it was Layer 2, you may look into the STP root for the VLAN the FWs were connected to.

If the slave switch was the STP root, all traffic will cross from the master to the slave before reaching the FW.
