May 31, 2016

Nexus HSRP/VRRP active/active with vPC

In the article vPC aka Virtual PortChannel, I explained how vPC works and the benefits that it gives. However, there is another important feature when HSRP/VRRP protocols are used in the context of vPC: the Layer 2 dual-active peer devices.

What does it mean?
HSRP and VRRP operate in active-active mode from a data plane standpoint, as opposed to the classical active/standby implementation in an STP-based network. From a control plane standpoint, active-standby mode still applies for HSRP/VRRP in the context of vPC.

A characteristic of the active HSRP/VRRP peer device is that it is the only one to respond to ARP requests for the HSRP/VRRP VIP (Virtual IP). The ARP response contains the HSRP/VRRP vMAC, which is the same on both vPC peer devices.
The standby HSRP/VRRP vPC peer device just relays the ARP request to the active HSRP/VRRP peer device through the vPC peer-link.

Note: No additional configuration is required to enable active/active HSRP/VRRP.

Example:
Suppose you have one Nexus 5K (Ciscozine-L2) connected to two Nexus 7Ks (Ciscozine-L3-PRI and Ciscozine-L3-BKP).

Layer 3 is defined on the Nexus pair (192.168.159.0/24) and the active HSRP peer is Ciscozine-L3-PRI.

[Figure: Nexus HSRP/VRRP active/active]

Below are the N7K HSRP configurations (the vPC configuration is omitted):

Ciscozine-L3-PRI

interface Vlan16
  no shutdown
  description TEST_HSRP
  vrf member ciscozine
  ip address 192.168.159.252/24
  hsrp 16 
    authentication text C1sc0zin3
    preempt delay minimum 300 
    priority 130
    ip 192.168.159.254 

Ciscozine-L3-BKP

interface Vlan16
  no shutdown
  description TEST_HSRP
  vrf member ciscozine
  ip address 192.168.159.253/24
  hsrp 16 
    authentication text C1sc0zin3
    preempt delay minimum 300 
    priority 110
    ip 192.168.159.254 

 

Show output

Ciscozine-L3-PRI# sh hsrp interface vlan 16
Vlan16 - Group 16 (HSRP-V1) (IPv4)
  Local state is Active, priority 130 (Cfged 130), may preempt
    Forwarding threshold(for vPC), lower: 1 upper: 130 
  Preemption Delay (Seconds) Minimum:300 
  Hellotime 3 sec, holdtime 10 sec
  Next hello sent in 1.226000 sec(s)
  Virtual IP address is 192.168.159.254 (Cfged)
  Active router is local
  Standby router is 192.168.159.253 , priority 110 expires in 4.297000 sec(s)
  Authentication text "C1sc0zin3"
  Virtual mac address is 0000.0c07.ac10 (Default MAC)
  3397 state changes, last state change 30w0d
  IP redundancy name is hsrp-Vlan16-16 (default)

Ciscozine-L3-PRI# 
Ciscozine-L3-BKP# sh hsrp interface vlan 16
Vlan16 - Group 16 (HSRP-V1) (IPv4)
  Local state is Standby, priority 110 (Cfged 110), may preempt
    Forwarding threshold(for vPC), lower: 1 upper: 110 
  Preemption Delay (Seconds) Minimum:300 
  Hellotime 250 msec, holdtime 750 msec
  Next hello sent in 0.179000 sec(s)
  Virtual IP address is 192.168.159.254 (Cfged)
  Active router is 192.168.159.252, priority 130 expires in 0.716000 sec(s)
  Standby router is local 
  Authentication text "C1sc0zin3"
  Virtual mac address is 0000.0c07.ac10 (Default MAC)
  7 state changes, last state change 30w0d
  IP redundancy name is hsrp-Vlan16-16 (default)

Ciscozine-L3-BKP# 
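
As an added example (not part of the original article), this Python sketch audits the two show hsrp outputs above side by side: it checks that the peers agree on VIP, vMAC and timers, that exactly one peer is Active, and flags text authentication, whose string is carried unencrypted in HSRP hellos. The sample lines are trimmed from the outputs above; the function and field names are assumptions.

```python
import re

# Constructed sample trimmed from the outputs above; all names here are illustrative.
SHOW_HSRP = {
    "Ciscozine-L3-PRI": """\
  Local state is Active, priority 130 (Cfged 130), may preempt
  Hellotime 3 sec, holdtime 10 sec
  Virtual IP address is 192.168.159.254 (Cfged)
  Authentication text "C1sc0zin3"
  Virtual mac address is 0000.0c07.ac10 (Default MAC)
""",
    "Ciscozine-L3-BKP": """\
  Local state is Standby, priority 110 (Cfged 110), may preempt
  Hellotime 250 msec, holdtime 750 msec
  Virtual IP address is 192.168.159.254 (Cfged)
  Authentication text "C1sc0zin3"
  Virtual mac address is 0000.0c07.ac10 (Default MAC)
""",
}

FIELDS = {
    "state": r"Local state is (\w+)",
    "timers": r"Hellotime (\d+ m?sec), holdtime (\d+ m?sec)",
    "vip": r"Virtual IP address is (\S+)",
    "auth_text": r'Authentication text "([^"]*)"',
    "vmac": r"Virtual mac address is (\S+)",
}

def parse(output):
    """Return {field: tuple of captured values, or None if the line is absent}."""
    rec = {}
    for name, pattern in FIELDS.items():
        m = re.search(pattern, output)
        rec[name] = m.groups() if m else None
    return rec

def audit(outputs):
    """Compare both peers and return a list of findings (empty = nothing to report)."""
    peers = {host: parse(text) for host, text in outputs.items()}
    findings = []
    for field in ("vip", "vmac", "timers"):
        if len({p[field] for p in peers.values()}) > 1:
            findings.append(f"{field} mismatch between peers")
    if [p["state"] for p in peers.values()].count(("Active",)) != 1:
        findings.append("expected exactly one Active peer")
    for host, p in peers.items():
        if p["auth_text"] is not None:
            findings.append(f"{host}: plain-text HSRP authentication")
    return findings
```

On the sample, audit(SHOW_HSRP) reports the differing hello/hold timers and the plain-text authentication on both peers; VIP, vMAC and the single Active state pass.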

 

Suppose that a packet is sent from 192.168.159.100 to a server in the cloud. Two events can occur:

1. The packet reaches Ciscozine-L3-PRI (the active HSRP peer), then it is forwarded to the cloud.

[Figure: Nexus HSRP/VRRP active/active, flow 1]

Ciscozine-L3-PRI# show ip arp vrf ciscozine | i 192.168.159.254 
192.168.159.254    -      0000.0c07.ac10  Vlan16          
Ciscozine-L3-PRI#
Ciscozine-L3-PRI# show mac address-table address 0000.0c07.ac10
Legend: 
        * - primary entry, G - Gateway MAC, (R) - Routed MAC, O - Overlay MAC
        age - seconds since last seen,+ - primary entry using vPC Peer-Link
   VLAN     MAC Address      Type      age     Secure NTFY Ports/SWID.SSID.LID
---------+-----------------+--------+---------+------+----+------------------
G 16       0000.0c07.ac10    static       -       F    F  sup-eth1(R)

Ciscozine-L3-PRI#

Note: "0000.0c07.ac10" is the Vlan16 virtual MAC address.

 

2. The packet reaches Ciscozine-L3-BKP (the standby HSRP peer), then it is forwarded to the cloud! Why is the packet received by Ciscozine-L3-BKP sent to the cloud and not over the vPC peer-link?

This is implemented by setting the G (Gateway) bit on the vMAC entry in the MAC address table (thanks to the vPC feature), which indicates that this traffic is meant to be routed. This is the reason why HSRP with vPC works as active/active!

[Figure: Nexus HSRP/VRRP active/active, flow 2]

Ciscozine-L3-BKP# show ip arp vrf ciscozine | i 192.168.159.254
192.168.159.254 00:00:42  0000.0c07.ac10  Vlan16          
Ciscozine-L3-BKP# 
Ciscozine-L3-BKP# show mac address-table address 0000.0c07.ac10
Legend: 
        * - primary entry, G - Gateway MAC, (R) - Routed MAC, O - Overlay MAC
        age - seconds since last seen,+ - primary entry using vPC Peer-Link
   VLAN     MAC Address      Type      age     Secure NTFY Ports/SWID.SSID.LID
---------+-----------------+--------+---------+------+----+------------------
G 16       0000.0c07.ac10    static       -       F    F  vPC Peer-Link(R)

Ciscozine-L3-BKP#

Note: The same behaviour occurs using VRRP.
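
As an added example (not part of the original article), this Python sketch verifies the active/active condition described above: on each vPC peer, the HSRP vMAC entry for the VLAN must carry the G flag and a routed (R) port. It derives the expected vMAC from the group number using the HSRP version 1 default format; the sample rows are copied from the outputs above and the function names are assumptions.

```python
import re

# Constructed sample: the vMAC row of "show mac address-table" on each vPC peer,
# copied from the outputs above. Function names are illustrative.
MAC_ROWS = {
    "Ciscozine-L3-PRI": "G 16       0000.0c07.ac10    static       -       F    F  sup-eth1(R)",
    "Ciscozine-L3-BKP": "G 16       0000.0c07.ac10    static       -       F    F  vPC Peer-Link(R)",
}

# Columns: flags, VLAN, MAC, type, age, Secure, NTFY, port (the port may contain spaces).
ROW = re.compile(
    r"^(?P<flags>[*G+O ]*?)\s*(?P<vlan>\d+)\s+"
    r"(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(?P<type>\S+)\s+(?P<age>\S+)\s+"
    r"(?P<secure>[TF])\s+(?P<ntfy>[TF])\s+(?P<port>.+?)\s*$"
)

def hsrp_v1_vmac(group):
    """HSRP version 1 default vMAC: 0000.0c07.acXX, where XX is the group number in hex."""
    if not 0 <= group <= 255:
        raise ValueError("HSRPv1 group must be 0-255")
    return f"0000.0c07.ac{group:02x}"

def routes_locally(row, vlan, vmac):
    """True if the row is the vMAC entry in this VLAN with the G flag and an (R) port."""
    m = ROW.match(row)
    if not m:
        return False
    return (int(m["vlan"]) == vlan and m["mac"] == vmac
            and "G" in m["flags"] and m["port"].endswith("(R)"))

def check_active_active(rows, vlan, group):
    """Map each peer to whether it will route frames addressed to the HSRP vMAC."""
    vmac = hsrp_v1_vmac(group)
    return {host: routes_locally(row, vlan, vmac) for host, row in rows.items()}
```

A peer that maps to False here would bridge vMAC traffic instead of routing it, which is the condition to investigate.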

References: http://www.cisco.com/…/vpc_best_practices_design_guide.pdf
