vPC with HSRP and VRRP
Last Updated: [last-modified] (UTC)
This article primarily refers to HSRP, but the concepts apply to VRRP as well.
Interaction
HSRP integrates well with vPC. In fact, HSRP with vPC is better than HSRP on its own. Be aware, though, that it does behave a little differently.
Traditional HSRP operates in an active/passive fashion. One router will pass traffic, and the other will not. The standby router will take over the active role during a failure. HSRP with vPC operates in both active/active and active/passive at the same time. How is this possible? The answer lies with the control and data planes.
The control plane refers to traffic that is sent to the Nexus switch. In the case of HSRP, this is ARP traffic. In control plane terms, HSRP with vPC is active/passive. This is because only the primary switch responds to ARP requests.
The data plane refers to traffic that the Nexus switch forwards. For example, traffic from one server to another. In data plane terms, HSRP with vPC is active/active. Both of the switches forward traffic.
Have a look at the MAC table. In a non-vPC deployment, the active HSRP router will have a G flag (Gateway) listed. When a vPC enabled Nexus uses HSRP, both sides get the G flag, allowing both sides to forward traffic.
Non-vPC HSRP. Notice that the G flag is set for 0000.0c07.ac0a only on the active
Switch-1# show hsrp Vlan10 - Group 10 (HSRP-V1) (IPv4) Local state is Active, priority 150 (Cfged 150) Forwarding threshold(for vPC), lower: 0 upper: 150 Hellotime 1 sec, holdtime 3 sec Next hello sent in 0.924000 sec(s) Virtual IP address is 10.0.0.1 (Cfged) Active router is local Standby router is 10.0.0.30 , priority 130 expires in 2.356000 sec(s) Authentication text "cisco" Virtual mac address is 0000.0c07.ac0a (Default MAC) 2 state changes, last state change 00:01:57 IP redundancy name is hsrp-Vlan10-10 (default) Switch-1# show mac address-table Legend: * - primary entry, G - Gateway MAC, (R) - Routed MAC, O - Overlay MAC age - seconds since last seen,+ - primary entry using vPC Peer-Link, (T) - True, (F) - False, C - ControlPlane MAC VLAN MAC Address Type age Secure NTFY Ports ---------+-----------------+--------+---------+------+----+------------------ * 10 286f.7f7d.e447 dynamic 0 F F Eth1/1 G 10 0000.0c07.ac0a static - F F sup-eth1(R) G - 286f.7f7d.e3f7 static - F F sup-eth1(R) G 10 286f.7f7d.e3f7 static - F F sup-eth1(R)
vPC HSRP. Notice that the G flag is set for 0000.0c07.ac0a on both switches.
Switch-1# show hsrp Vlan10 - Group 10 (HSRP-V1) (IPv4) Local state is Active, priority 150 (Cfged 150) Forwarding threshold(for vPC), lower: 0 upper: 150 Hellotime 1 sec, holdtime 3 sec Next hello sent in 0.251000 sec(s) Virtual IP address is 10.0.0.1 (Cfged) Active router is local Standby router is 10.0.0.30 , priority 130 expires in 2.999000 sec(s) Authentication text "cisco" Virtual mac address is 0000.0c07.ac0a (Default MAC) 2 state changes, last state change 00:00:15 IP redundancy name is hsrp-Vlan10-10 (default) Switch-1# show mac address-table Legend: * - primary entry, G - Gateway MAC, (R) - Routed MAC, O - Overlay MAC age - seconds since last seen,+ - primary entry using vPC Peer-Link, (T) - True, (F) - False, C - ControlPlane MAC VLAN MAC Address Type age Secure NTFY Ports ---------+-----------------+--------+---------+------+----+------------------ G 10 0000.0c07.ac0a static - F F sup-eth1(R) G - 286f.7f7d.e3f7 static - F F sup-eth1(R) G 10 286f.7f7d.e3f7 static - F F sup-eth1(R) * 10 286f.7f7d.e447 static - F F vPC Peer-Link(R)
HSRP Settings
Tuning
HSRP configuration is much simpler with vPC. As HSRP is active/active on the data plane, there isn’t much need to tune failover. Preemption and delays are not required. The vPC will forward traffic as soon as the links become available.
Cisco recommends configuring the HSRP with the default settings when using vPC. In a regular HSRP configuration, an admin will tune the timers to enable fast failover. vPC will handle the failover, so HSRP does not need to worry. There is also a downside to shortening HRP timers. If the HSRP timers are short, clients will make more ARP requests. This increases the load on the control plane.
Another recommendation is to make the vPC primary switch the HSRP active switch. This is not intended to improve performance or stability. It does make one switch responsible for the control plane traffic. This is a little easier on the administrator while troubleshooting.
While not directly HSRP related, remember to configure SVI’s as passive interfaces by default. This prevents IGP peering over every SVI. Choose a specific SVI for peering.
Object Tracking
Do not use HSRP object tracking with vPC. Depending on the network topology, link failures can cause HSRP to shut down interfaces. This can cause traffic forwarding across the peer-link, to get to an interface that is up.
The problem with this is that there is a vPC rule to prevent duplicate frames. A frame received on a vPC member port then sent over the peer-link, the peer will drop the frame.
In normal operation where all ports are up, a switch will deliver a frame to a vPC member itself. If it is forwarded over the peer-link, the peer switch will try to deliver it as well. The connected device will then receive the frame twice.
Peer-Gateway
Sometimes a client will not behave according to RFC defined parameters. For example, a device may send out an ARP request. When it receives the response, the payload contains the MAC is should use. In this case, it will be the HSRP virtual MAC address. The source MAC address of the packet will be the switch’s real MAC (the BIA MAC).
Some clients won’t follow the Ethernet specification. they will add the source MAC address (BIA) of the frame to the MAC table. This can cause problems with vPC. Traffic may arrive on Switch A, with a destination MAC of Switch-B. To forward the frame, Switch-A would use the peer-link. Switch-B will then drop the packet, due to the vPC duplicate frame prevention rule.
Work around this by using the peer-gateway command. This enables the peers to exchange physical MAC information (BIA MAC). Now, Switch-A can process frames on Switch-B’s behalf, without needing to forward it.
Sample Configuration
In the configuration below, the timers are quite relaxed to ease the load on the control plane. The vPC primary switch has the higher priority, so it will handle the ARP requests. The priority is set higher than the default value of 100, so a rogue device will not cause the roles to change.
Preemption is not configured, as it is not required in a vPC environment. For the same reason, the delay and reload values are not changed. Changing to version 2 is optional (version 1 is default).
IP redirects are not disabled in the example below. The peer-gateway command will do this automatically. This is to avoid redirects for packets switched through the peer.
! This is the vPC primary interface vlan50 no shutdown ip address 10.0.0.20/24 hsrp 50 priority 150 timers 1 3 ip 10.0.0.1
References
Cisco – Cisco NX-OS Software Virtual PortChannel: Fundamental Concepts
Hi,
In the Switch # 2 the priority needs to be higher or it can be the same?
Thank your !!!
The same is fine. The priority really only affects the control plane traffic. ARP for example.
The data plane traffic (that is, any traffic flowing through the switches) should use both the switches, regardless of HSRP priority.
Since I wrote this article, I have moved away from specifying the priority at all.
Hi
Could I use Hsrp with BGP from a 9300 stack to a pair of Nexus 5 k ?
or would i be better having 2 seperate L3 connections running iBGP.??
Thanks