vPC with HSRP and VRRP

Last Updated: Sep 19, 2018 @ 1:21 am (UTC)


This article primarily refers to HSRP, but the concepts apply to VRRP as well.

Interaction

HSRP integrates well with vPC. In fact, HSRP with vPC is better than HSRP on its own. Be aware, though, that it does behave a little differently.

Traditional HSRP operates in an active/passive fashion. One router will pass traffic, and the other will not. The standby router will take over the active role during a failure. HSRP with vPC operates in both active/active and active/passive at the same time. How is this possible? The answer lies with the control and data planes.

The control plane refers to traffic addressed to the Nexus switch itself. For HSRP this is the ARP traffic for the virtual IP (plus the HSRP hellos between the peers). In control plane terms, HSRP with vPC is still active/passive: only the HSRP active switch answers ARP requests for the virtual IP.

The data plane refers to traffic that the Nexus switch forwards, for example traffic from one server to another through the gateway. In data plane terms, HSRP with vPC is active/active. A frame sent to the HSRP virtual MAC is routed by whichever vPC peer the port-channel hash delivers it to, so both switches forward traffic.

Have a look at the MAC table. In a non-vPC deployment, only the active HSRP router has the G (Gateway) flag on the virtual MAC. When a vPC-enabled Nexus runs HSRP, both peers set the flag, allowing both to forward traffic.

Non-vPC HSRP. Notice that the G flag is set for 0000.0c07.ac0a only on the active switch (Switch 1 shown).


Switch 1
Switch-1# show hsrp
Vlan10 - Group 10 (HSRP-V1) (IPv4)
  Local state is Active, priority 150 (Cfged 150)
    Forwarding threshold(for vPC), lower: 0 upper: 150
  Hellotime 1 sec, holdtime 3 sec
  Next hello sent in 0.924000 sec(s)
  Virtual IP address is 10.0.0.1 (Cfged)
  Active router is local
  Standby router is 10.0.0.30 , priority 130 expires in 2.356000 sec(s)
  Authentication text "cisco"
  Virtual mac address is 0000.0c07.ac0a (Default MAC)
  2 state changes, last state change 00:01:57
  IP redundancy name is hsrp-Vlan10-10 (default)



Switch-1# show mac address-table
Legend:
        * - primary entry, G - Gateway MAC, (R) - Routed MAC, O - Overlay MAC
        age - seconds since last seen,+ - primary entry using vPC Peer-Link,
        (T) - True, (F) - False, C - ControlPlane MAC
   VLAN     MAC Address      Type      age     Secure NTFY Ports
---------+-----------------+--------+---------+------+----+------------------
*   10     286f.7f7d.e447   dynamic  0         F      F    Eth1/1
G   10     0000.0c07.ac0a   static   -         F      F    sup-eth1(R)
G    -     286f.7f7d.e3f7   static   -         F      F    sup-eth1(R)
G   10     286f.7f7d.e3f7   static   -         F      F    sup-eth1(R)

vPC HSRP. Notice that the G flag is set for 0000.0c07.ac0a on both switches (Switch 1 shown). Note also that 286f.7f7d.e447, learned dynamically on Eth1/1 in the non-vPC capture, is now a static routed (R) entry reached over the vPC Peer-Link.


Switch 1
Switch-1# show hsrp
Vlan10 - Group 10 (HSRP-V1) (IPv4)
  Local state is Active, priority 150 (Cfged 150)
    Forwarding threshold(for vPC), lower: 0 upper: 150
  Hellotime 1 sec, holdtime 3 sec
  Next hello sent in 0.251000 sec(s)
  Virtual IP address is 10.0.0.1 (Cfged)
  Active router is local
  Standby router is 10.0.0.30 , priority 130 expires in 2.999000 sec(s)
  Authentication text "cisco"
  Virtual mac address is 0000.0c07.ac0a (Default MAC)
  2 state changes, last state change 00:00:15
  IP redundancy name is hsrp-Vlan10-10 (default)




Switch-1# show mac address-table
Legend:
        * - primary entry, G - Gateway MAC, (R) - Routed MAC, O - Overlay MAC
        age - seconds since last seen,+ - primary entry using vPC Peer-Link,
        (T) - True, (F) - False, C - ControlPlane MAC
   VLAN     MAC Address      Type      age     Secure NTFY Ports
---------+-----------------+--------+---------+------+----+------------------
G   10     0000.0c07.ac0a   static   -         F      F    sup-eth1(R)
G    -     286f.7f7d.e3f7   static   -         F      F    sup-eth1(R)
G   10     286f.7f7d.e3f7   static   -         F      F    sup-eth1(R)
*   10     286f.7f7d.e447   static   -         F      F    vPC Peer-Link(R)
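Because the whole difference between the two captures comes down to a flag in two tables, the check is easy to automate. The script below is an added example for this article, not Cisco tooling: it parses captured `show hsrp` and `show mac address-table` output from both peers and reports anything that contradicts the recommendations made here (exactly one HSRP Active per group, the Active on the vPC primary, and the virtual MAC carrying the G flag on both peers). Switch-1's output is the article's; Switch-2's output and the vPC role of each switch are constructed assumptions, since the page only shows Switch 1 (in practice the role comes from `show vpc role`).

```python
"""Audit HSRP-over-vPC state from captured 'show hsrp' and 'show mac address-table'.

Added example for this article, not Cisco code. Switch-1 output is the article's;
Switch-2 output is constructed to look like the standby peer, and the vPC role of
each switch is passed in as a known fact.
"""
import re

SHOW_HSRP_SW1 = """\
Vlan10 - Group 10 (HSRP-V1) (IPv4)
  Local state is Active, priority 150 (Cfged 150)
  Virtual IP address is 10.0.0.1 (Cfged)
  Active router is local
  Standby router is 10.0.0.30 , priority 130 expires in 2.999000 sec(s)
  Virtual mac address is 0000.0c07.ac0a (Default MAC)
"""
SHOW_MAC_SW1 = """\
   VLAN     MAC Address      Type      age     Secure NTFY Ports
---------+-----------------+--------+---------+------+----+------------------
G   10     0000.0c07.ac0a   static   -         F      F    sup-eth1(R)
G    -     286f.7f7d.e3f7   static   -         F      F    sup-eth1(R)
G   10     286f.7f7d.e3f7   static   -         F      F    sup-eth1(R)
*   10     286f.7f7d.e447   static   -         F      F    vPC Peer-Link(R)
"""
# Constructed: what the standby peer is expected to show.
SHOW_HSRP_SW2 = """\
Vlan10 - Group 10 (HSRP-V1) (IPv4)
  Local state is Standby, priority 130 (Cfged 130)
  Virtual IP address is 10.0.0.1 (Cfged)
  Active router is 10.0.0.20, priority 150 expires in 2.104000 sec(s)
  Standby router is local
  Virtual mac address is 0000.0c07.ac0a (Default MAC)
"""
SHOW_MAC_SW2 = """\
   VLAN     MAC Address      Type      age     Secure NTFY Ports
---------+-----------------+--------+---------+------+----+------------------
G   10     0000.0c07.ac0a   static   -         F      F    sup-eth1(R)
G    -     286f.7f7d.e447   static   -         F      F    sup-eth1(R)
G   10     286f.7f7d.e447   static   -         F      F    sup-eth1(R)
*   10     286f.7f7d.e3f7   static   -         F      F    vPC Peer-Link(R)
"""

GROUP_RE = re.compile(r"^(Vlan\d+) - Group (\d+) \(HSRP-V\d\)")
STATE_RE = re.compile(r"^\s+Local state is (\w+)")
VMAC_RE = re.compile(r"^\s+Virtual mac address is ([0-9a-f.]+)")
# flag, vlan, mac, type, age, secure, ntfy, port (port may contain spaces)
MAC_ROW_RE = re.compile(
    r"^([*+G])\s+(\S+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\w+)\s+\S+\s+[TF]\s+[TF]\s+(.+?)\s*$")


def parse_hsrp(text):
    """Map (vlan, group) -> {'state': ..., 'vmac': ...} from 'show hsrp' output."""
    groups, current = {}, None
    for line in text.splitlines():
        m = GROUP_RE.match(line)
        if m:
            current = (m.group(1), int(m.group(2)))
            groups[current] = {}
        elif current is not None:
            m = STATE_RE.match(line)
            if m:
                groups[current]["state"] = m.group(1)
            m = VMAC_RE.match(line)
            if m:
                groups[current]["vmac"] = m.group(1)
    return groups


def parse_mac_table(text):
    """Return (flag, vlan, mac, type, port) tuples from 'show mac address-table'."""
    return [m.groups() for m in map(MAC_ROW_RE.match, text.splitlines()) if m]


def gateway_macs(text):
    """MACs the switch routes for itself (G flag), in any VLAN."""
    return {mac for flag, _vlan, mac, _typ, _port in parse_mac_table(text) if flag == "G"}


def vpc_hsrp_check(peers):
    """peers: {name: {'vpc_role': 'primary'|'secondary', 'hsrp': str, 'mac': str}}.

    Returns a list of findings; empty means the pair matches the article's
    recommendations (one Active per group, Active on the vPC primary, and the
    vMAC carrying the G flag on both peers so both forward on the data plane).
    """
    findings = []
    hsrp = {name: parse_hsrp(p["hsrp"]) for name, p in peers.items()}
    gw = {name: gateway_macs(p["mac"]) for name, p in peers.items()}
    for vlan, group in sorted({k for g in hsrp.values() for k in g}):
        per_peer = {name: g.get((vlan, group), {}) for name, g in hsrp.items()}
        actives = [n for n, info in per_peer.items() if info.get("state") == "Active"]
        if len(actives) != 1:
            findings.append(f"{vlan} group {group}: {len(actives)} Active routers (expected 1)")
        for name in actives:
            if peers[name]["vpc_role"] != "primary":
                findings.append(f"{vlan} group {group}: Active is {name}, not the vPC primary")
        vmacs = {info.get("vmac") for info in per_peer.values()}
        if len(vmacs) != 1:
            findings.append(f"{vlan} group {group}: peers disagree on the virtual MAC")
        for name, info in per_peer.items():
            if info.get("vmac") and info["vmac"] not in gw[name]:
                findings.append(f"{vlan} group {group}: {name} has no G flag for {info['vmac']}")
    return findings


PEERS = {
    "Switch-1": {"vpc_role": "primary", "hsrp": SHOW_HSRP_SW1, "mac": SHOW_MAC_SW1},
    "Switch-2": {"vpc_role": "secondary", "hsrp": SHOW_HSRP_SW2, "mac": SHOW_MAC_SW2},
}

if __name__ == "__main__":
    for line in vpc_hsrp_check(PEERS) or ["OK: HSRP/vPC state matches the recommendations"]:
        print(line)
```

Feed it the full, unabridged output of both commands; the regexes ignore the legend and header lines, and a missing G flag on the standby peer is the finding that tells you the peer is not forwarding for the virtual MAC.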

HSRP Settings

Tuning

HSRP configuration is much simpler with vPC. Because HSRP is active/active on the data plane, there is little to tune for failover: preemption and preempt delays are not required, and the vPC forwards traffic as soon as the links come back.

Cisco recommends leaving HSRP at its default settings when using vPC. In a regular HSRP deployment an admin tunes the timers down for fast failover; with vPC the port-channel handles the failover, so HSRP does not need to. Short HSRP timers also have a downside: more hello traffic on the control plane, and a greater chance of a false failover when the supervisor is busy, with each flap generating gratuitous ARPs that every host in the VLAN has to process.

Another recommendation is to make the vPC primary switch the HSRP active switch. This does not improve performance or stability. It puts the control-plane work (answering ARP for the virtual IP) on the switch that already holds the vPC primary role, which is easier to reason about when troubleshooting.

While not directly HSRP related, remember to make SVIs passive interfaces in the IGP by default. This prevents the switches from forming an IGP adjacency over every SVI. Choose one specific SVI for peering.


Object Tracking

Do not use HSRP object tracking with vPC. In a traditional design, tracking an uplink lowers the HSRP priority when that uplink fails, so the other router takes over forwarding. With vPC both peers keep forwarding on the data plane no matter which one is HSRP active, so the priority change only moves the ARP responder. The switch that lost its link still routes whatever the port-channel hash gives it and, depending on the topology, has to push that traffic across the peer-link to reach an interface that is still up.

The problem with this is the vPC loop-prevention rule that stops duplicate frames: a frame received over the peer-link is not forwarded out a vPC member port while that vPC is also up on the peer that sent the frame. If the interface that is still up is a vPC member port, the peer drops the frame.

In normal operation, where all ports are up, each switch delivers a frame to a vPC-attached device itself. If the frame were also forwarded over the peer-link, the peer would deliver it a second time and the connected device would receive it twice; the rule exists to prevent exactly that.

Peer-Gateway

Sometimes a client will not behave the way the ARP and Ethernet specifications expect. A well-behaved host sends an ARP request for the gateway IP, learns the MAC it should use from the reply (the HSRP virtual MAC), and sends every packet for the gateway to that MAC. The packets the host receives from the gateway, however, were routed by one particular Nexus, and their Ethernet source address is that switch's real MAC (the BIA MAC), not the virtual MAC.

Some hosts skip ARP and simply reply to the source MAC of the frame they received, so they send their traffic to the BIA MAC. This causes problems with vPC. The reply may be hashed onto Switch-A while its destination MAC is Switch-B's BIA. Switch-A has to bridge it across the peer-link; Switch-B then routes it, but if the next hop sits on a vPC member port the frame is dropped by the vPC loop-prevention rule, because it arrived over the peer-link.

Work around this with the peer-gateway command under the vpc domain. This makes each peer install the other's physical MAC (BIA MAC) as a local gateway MAC, so Switch-A routes frames addressed to Switch-B on its behalf instead of forwarding them over the peer-link.
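The two rules behind the object-tracking warning and the peer-gateway fix are easy to get confused, so here they are encoded in a small Python model. This is an added example for this article, not NX-OS code: rule 1 is the loop-prevention rule (a frame received over the peer-link is not sent out a vPC member port while that vPC is up on the peer that sent it), and rule 2 is what peer-gateway changes (a switch routes frames addressed to its peer's router MAC as if they were its own). Host MACs and vPC numbers are made up; the switch MACs and the virtual MAC are those from the show output above. Note that the forwarding decision never consults HSRP state, which is exactly why lowering the HSRP priority through object tracking changes nothing on the data plane.

```python
"""Model of the two vPC forwarding rules this article relies on.

Added for this article; it is not NX-OS code. Rule 1: a frame received over the
peer-link is not sent out a vPC member port while that vPC is up on the peer that
sent it. Rule 2 (peer-gateway): a switch routes frames addressed to its peer's
router MAC (BIA) as if they were its own. Host MACs and vPC ids are made up.
"""
from dataclasses import dataclass, field

VMAC = "0000.0c07.ac0a"  # HSRP virtual MAC, carried with the G flag on both peers


@dataclass
class Switch:
    name: str
    bia_mac: str                      # this switch's own router MAC
    peer_bia_mac: str                 # the vPC peer's router MAC
    peer_gateway: bool                # 'peer-gateway' configured under vpc domain?
    hosts: dict = field(default_factory=dict)      # host MAC -> vPC id it hangs off
    peer_vpc_up: set = field(default_factory=set)  # vPC ids known to be up on the peer

    def routes_for(self, dst_mac):
        """MACs this switch routes itself (the G-flag entries of the MAC table).

        HSRP state is deliberately absent: Active or Standby, both peers route
        for the vMAC, which is why HSRP object tracking changes nothing here.
        """
        if dst_mac in (VMAC, self.bia_mac):
            return True
        return self.peer_gateway and dst_mac == self.peer_bia_mac

    def egress(self, dst_host_mac, ingress):
        """Deliver a routed frame to a vPC-attached host, applying rule 1."""
        vpc = self.hosts[dst_host_mac]
        if ingress == "peer-link" and vpc in self.peer_vpc_up:
            return f"{self.name}: DROP (loop prevention: peer-link -> vPC{vpc} while vPC{vpc} is up on the peer)"
        return f"{self.name}: deliver on vPC{vpc}"


def forward(frame, switch, peer, ingress):
    """Fate of one frame that the port-channel hash placed on `switch` via `ingress`.

    frame = {'dst': Ethernet destination MAC, 'target': MAC of the host the
    packet is routed to}; the IP lookup itself is abstracted away.
    """
    if switch.routes_for(frame["dst"]):
        return switch.egress(frame["target"], ingress)
    if frame["dst"] == switch.peer_bia_mac:
        # Not ours and no peer-gateway: bridge it to its owner over the peer-link.
        return forward(frame, peer, switch, "peer-link")
    return f"{switch.name}: unknown unicast {frame['dst']}, flooded"


HOST_A, HOST_B = "0011.2233.aaaa", "0011.2233.bbbb"   # constructed host MACs


def build_pair(peer_gateway):
    """Two vPC peers; host A hangs off vPC10, host B off vPC20, both vPCs up on both."""
    hosts = {HOST_A: 10, HOST_B: 20}
    sw1 = Switch("Switch-1", "286f.7f7d.e3f7", "286f.7f7d.e447", peer_gateway, dict(hosts), {10, 20})
    sw2 = Switch("Switch-2", "286f.7f7d.e447", "286f.7f7d.e3f7", peer_gateway, dict(hosts), {10, 20})
    return sw1, sw2


def misbehaving_host_reply(peer_gateway, vpc20_up_on_switch1=True):
    """Host A answers a packet Switch-2 routed to it by using that frame's source
    MAC (Switch-2's BIA) instead of the vMAC; the hash lands the reply on Switch-1."""
    sw1, sw2 = build_pair(peer_gateway)
    if not vpc20_up_on_switch1:
        sw2.peer_vpc_up.discard(20)   # Switch-1's vPC20 failed: peer-link delivery is allowed
    return forward({"dst": sw2.bia_mac, "target": HOST_B}, sw1, sw2, "vPC10")


def compliant_host_reply():
    """Host A sends to the vMAC as ARP told it to; whichever peer gets it routes it."""
    sw1, sw2 = build_pair(peer_gateway=False)
    return forward({"dst": VMAC, "target": HOST_B}, sw1, sw2, "vPC10")


if __name__ == "__main__":
    print("compliant host, any peer       :", compliant_host_reply())
    print("BIA reply, no peer-gateway     :", misbehaving_host_reply(False))
    print("BIA reply, peer-gateway        :", misbehaving_host_reply(True))
    print("BIA reply, vPC20 down on Sw-1  :", misbehaving_host_reply(False, False))
```

The last scenario shows the exception built into rule 1: once a vPC is down on the originating peer, frames from the peer-link are allowed out that vPC on the other switch, which is how vPC keeps a host reachable after it loses one of its links.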

Sample Configuration

In the configuration below, the HSRP timers are a 1 second hello and a 3 second hold. That is tighter than the HSRP default of 3 and 10 seconds, but well short of the sub-second values often used without vPC, so the load on the control plane stays low; leaving the defaults in place is equally fine. The vPC primary switch has the higher priority, so it is HSRP active and handles the ARP requests. Note that a priority above the default of 100 does not protect against a rogue device: anything speaking HSRP on the VLAN can simply claim a higher priority. The authentication text visible in the show output above travels in the clear and offers no real protection either, so use MD5 authentication (authentication md5 key-string) and do not accept HSRP on host-facing ports if this is a concern.

Preemption is not configured, as it is not required in a vPC environment. For the same reason, the preempt delay and reload values are left alone. Changing to version 2 is optional (version 1 is the default).

IP redirects are not disabled in the example below because the peer-gateway command disables them automatically on the SVIs of vPC VLANs. This avoids ICMP redirects for packets switched through the peer.

Switch 1
! This is the vPC primary, so it also gets the higher HSRP priority

interface vlan50
  no shutdown
  ip address 10.0.0.20/24
  hsrp 50
    ! default priority is 100; the peer keeps a lower value
    priority 150
    ! hello 1 s, hold 3 s (defaults are 3 s and 10 s)
    timers 1 3
    ! virtual IP shared by both peers
    ip 10.0.0.1



References

Cisco – Cisco NX-OS Software Virtual PortChannel: Fundamental Concepts
