cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2584
Views
10
Helpful
18
Replies

WAN switches in HA setup issues

rabusiak
Level 1
Level 1

Hi
Need some help with HA setup of WAN switches. 
Problem is with CPE modems unable to exchange vrrp over my WAN switches. According to ISP support:
"In VRRP, usually there is the Master (primary) and backup (secondary). But from configuration status it looks like both of them assume the Master role. (This can be due to the CPEs not being able to see each other and each one is using the virtual MAC Address 0000.5e00.0102)". I've checked on my WAN switches and it looks like RSTP is blocking port on WAN2 which goes to WAN1.
Need advice on how to modify this setup. Should I perhaps add additional connections from both CPEs to WAN switches and between WAN switches and configure on corresponding ports new untagged vlan just for CPE's vrrp purposes? Or should I accept single point of failure and use just one WAN switch?

18 Replies 18

pieterh
VIP
VIP

even if the direct link between WAN1 and WAN2 has a blocked port, but VRRP packets are forwarded over the rest of your network your VRRP could come up, so there must be another reason why these packets do not arrive (ACL's maybe?)

one solution could be to modify spanning-tree priority on a  suitable switch such that the link between WAN1 or WAN2 is not blocked
but there are plenty other solutions to think of

No ACLs in my case.
Vrrp packets should be forwarded downstream through Meraki cluster up to core stack even if vlan1 is configured only on CPE modems and WAN switches? 

balaji.bandi
Hall of Fame
Hall of Fame

we understand the diagram - when both are active / active means, the VLAN you using for VRRP is not extended both the switches some how - that we can tell by looking at the diagram.

you need explain more information

what is the mean of 1 ? is this VLAN1 ?

what is each color represents RED. BLACK...ETC

what port blocking between WAN1 and WAN2 ?

As suggested one quick solution - STP priority or only allowed VLAN to build VRRP ?

If you using VLAN1 all over that is bad - so suggest moving to new VLAN (for security and other reasons).

Also bare in mind Merak MX controller always try to become Root bridge, so better change the priority there.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Yes, 1 means vlan1 and it's configured only on CPE modem and WAN switches and core stack.
Red line is currently working internet connection, blue is possible to achieve if I swap master role on Meraki, black is just a connection 201 is untagged management vlan201 for those WAN switches. Aruba Instant-On 1930's have only gui over web page...
What priority change you refer to? Should I try lower it on WAN2?
From Meraki docs: "The MX does not run STP in any capacity, and will not exchange BPDUs with other switches or participate in the root bridge election process. If the MX received BPDUs on the LAN, these BPDUs will be re-forwarded within the broadcast domain that they were received on"

apologies I was thinking of Meraki Switch.

in the path make sure only 1 device acts a root for STP,  so, for example, you looking CPE1 to be VRRP active, I expect WAN SW1 as root for the VLAN1

Again, this depends on your requirement, since you have  CORE stack ( that also can be root bridge for the VLAN)

what switches is this, can you able to share some more information and config of WAN and core switch

show commands of STP

 

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Don't have access to CPE modems but I know they are some Cisco devices and I get this config from ISP guys:

interface Vlan1
description - VRF zen-internet kundevendt
ip vrf forwarding zen-internet
ip address X.X.X.28 255.255.255.224
vrrp 2 ip X.X.X.1
vrrp 2 preempt delay minimum 180
vrrp 2 priority 90
vrrp 2 track 2 decrement 20

Then I have 2x Aruba Instant-ON 1930 as WAN switches, 2x Meraki MX105 warm spare and 3x WS-C3750X as core stack.
I would say core stack is root bridge for all vlans. What command outputs you would like to see?

1.png
this is Loop, 
you have stack Core and then you interconnnect the WAN SW, 
the path to Core is Root path 
the path of interconnect is Block of RSTP. 
so please confirm 
Core is Root bridge here ?
the WAN SW1 or WAN SW2 to Master MX or Slave MX is BLK ?

Just to be on same page - unfortunately I'm a "STP dummy" so I might be doing and/or saying something stupid

As far as I can verify core stack is root bridge. All ports from WAN switches going towards Meraki's are in state Designated/Forwarding. Only one port on WAN2 is in state Alternate/Blocking (the one connected to WAN1).
When I run "show spanning-tree blockedports" on core stack it shows me only 2 ports on all vlans (the ones which are doubling connections to Merakis (one on Master and one on Slave).

friend, 
first you mention you use RSTP, the RSTP will block or open all vlan in trunk. 
now the issue 
the WAN sw receive RSTP BPDU from two path via core and via other WAN SW, it block via oterh WAN SW and select path to Core to be it L2 path. 
that must be fine and work BUT 
you must sure that master/slave SW  and Core SW have VLAN1 active and allow in trunk. 
otherwise it will not work.


you must sure that master/slave SW  and Core SW have VLAN1 active and allow in trunk. 
otherwise it will not work.


Both WAN switches have vlan1 active, also core stack ports towards Merakis have it allowed in trunk... but looking now on ports config on core stack: 

interface GigabitEthernet2/0/3
description Meraki Master lan 5 trunk
switchport trunk encapsulation dot1q
switchport trunk native vlan 201
switchport trunk allowed vlan 1,90,201-204,208,400
switchport mode trunk
switchport block multicast

Isn't vrrp a multicast traffic and I have it blocked?

I think you get it. try no this command and check VRRP status. 

I tried removing this multicast block but still no luck

Occasionally, unknown unicast or multicast traffic is flooded to a switch port because a MAC address
has timed out or has not been learned by the switch. (This condition is especially undesirable for a private
VLAN isolated port.) To guarantee that no unicast and multicast traffic is flooded to the port, use the
switchport block unicast and switchport block multicast commands to enable flood blocking on the
switch.

Switch(config-if)# switchport block multicast = Blocks unknown multicast forwarding to the port.

You can try that, but below config looks different and its under VRF  ( we are still not clear about your whole config to be honest ) you need to post complete config - all device to understand the issue.

interface Vlan1
description - VRF zen-internet kundevendt
ip vrf forwarding zen-internet
ip address X.X.X.28 255.255.255.224
vrrp 2 ip X.X.X.1
vrrp 2 preempt delay minimum 180
vrrp 2 priority 90
vrrp 2 track 2 decrement 20

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Sorry there is no other way to grab wan switches config than to html and then to pdf. I attached also core stack dump. If you need some specific commands output just let me know. As for Meraki config there is no way to dump config at all (sic!) Should I put some screenshots or?

Review Cisco Networking for a $25 gift card