- Community Home
- >
- Networking
- >
- Switching and Routing
- >
- Comware Based
- >
- Re: VRRP Isolation on 3 sites in a ring topology R...
Categories
Company
Local Language
Forums
Discussions
Forums
- Data Protection and Retention
- Entry Storage Systems
- Legacy
- Midrange and Enterprise Storage
- Storage Networking
- HPE Nimble Storage
Discussions
Discussions
Discussions
Forums
Discussions
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
- BladeSystem Infrastructure and Application Solutions
- Appliance Servers
- Alpha Servers
- BackOffice Products
- Internet Products
- HPE 9000 and HPE e3000 Servers
- Networking
- Netservers
- Secure OS Software for Linux
- Server Management (Insight Manager 7)
- Windows Server 2003
- Operating System - Tru64 Unix
- ProLiant Deployment and Provisioning
- Linux-Based Community / Regional
- Microsoft System Center Integration
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Community
Resources
Forums
Blogs
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Printer Friendly Page
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
03-28-2013 02:49 PM
03-28-2013 02:49 PM
Hi,
I have 3 DC (R1, R2 and R3) connected in a ring topology via RRPP.
To provide routing path optimization, I'd like the Data Centers to run separate sets of VRRP instance for vlan 2.
In my example, I want to configure VRRP isolation ACLs on the 3 DC.
Unfortunately, it failed with the error message:
%Mar 28 16:49:59:815 2013 DC-R2 ARP/5/ARP_DUPVRRPIP: -Chassis=2-Slot=2; IP address 10.2.100.1 conflicts with VRRP virtual IP address on interface Vlan-interface2, sourced from 0000-5e00-0102.
But it works perfectly if VRRP Isolation is applied on 2 DCs only.
Can VRRP Isolation work when configured on 3 sites in a ring topology?
If you have any idea...
Best regards,
Herve
-----------------------------------------------------------------------------------------------------------------
VLAN 2 belongs to the RRPP protected vlans.
DC-R1
interface Vlan-interface2
ip address 10.2.100.2 255.255.0.0
vrrp vrid 2 virtual-ip 10.2.100.1
DC-R2
interface Vlan-interface2
ip address 10.2.100.4 255.255.0.0
vrrp vrid 2 virtual-ip 10.2.100.1
DC-R3
interface Vlan-interface2
ip address 10.2.100.8 255.255.0.0
vrrp vrid 2 virtual-ip 10.2.100.1
On each DC, I've configured this ACL:
acl number 4001
description DENY VRRP
rule 0 deny type 0800 ffff dest-mac 0100-5e00-0012 ffff-ffff-ffff
rule 100 permit
I've applied this command on each interface connecting the ring:
packet-filter 4001 outbound
Solved! Go to Solution.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
03-29-2013 12:06 AM - edited 03-29-2013 12:09 AM
03-29-2013 12:06 AM - edited 03-29-2013 12:09 AM
Re: VRRP Isolation on 3 sites in a ring topology RRPP
Bonjour Herve,
It is simply hard to figure out what you are trying to achieve without a clear diagram a the full configuration of each device that makes part or the RRPP infrastructure.
Maybe you need to use/add a flow-template on the interface to define the source and destination MAC addresses as ethernet protocol to be used by the packet filter you applies to the interface.
Try to find out from system-view of the CLI if the command "flow-template" is available.
Also the packet you want to filter may require you to apply the filter in "inbound" direction.
Also, I am not sure you need the second rule in the ACL.
Thank you, and,
Kind Regards
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
03-29-2013 09:00 AM
03-29-2013 09:00 AM
Re: VRRP Isolation on 3 sites in a ring topology RRPP
Hi,
it seems that this is an ARP problem, not a VRRP hello problem (if the ACL would not work, you would not get VRRP master roles in each site, and the VRRP hello filtered mac is the mcast address (01...), while the actual vrrp router address is a unicast (00..) address, which is reported by the ARP DUPLICATE IP log message).
So you may need to find out if the gratuitous arp of the L3 vlan interface can be disabled maybe ?
I have only used this with 2 vrrp nodes, never with 3, so not sure what the exact difference causes this behavior.
Best regards,Peter
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
03-30-2013 03:11 PM - edited 03-30-2013 03:13 PM
03-30-2013 03:11 PM - edited 03-30-2013 03:13 PM
Re: VRRP Isolation on 3 sites in a ring topology RRPP
Thanks for your answer.
Indeed, on 2 nodes, it works perfectly.
On the site R3, let's suppose I want to have RRP Isolation for vlan 2. Here're the steps and the logs:
[R3]int vlan 2
[R3-vlan-interface2]dis this
#
interface Vlan-interface2
ip address 10.2.100.8 255.255.255.0
#
return
[R3-vlan-interface2] vrrp vrid 2 virtual-ip 10.2.100.1 >>> (ACL and packet filter are already configured)
%May 1 16:29:35:512 2000 R3 VRRP/6/VRRP_STATUS_CHANGE: The status of IPv4 virtual router 2 (configured on Vlan-interface2) changed from Backup to Master: Timer expired.
[R3]dis vrrp
IPv4 Standby Information:
Run Mode : Standard
Run Method : Virtual MAC
Total number of virtual routers : 5
Interface VRID State Run Adver Auth Virtual
Pri Timer Type IP
---------------------------------------------------------------------
Vlan2 2 Master 100 1 None 10.2.100.1
...........etc..........
>>> OK. It became Master. The 3 nodes are Master for vlan 2.
Let's see on DC-R2 what's happening :
%Mar 30 23:27:29:699 2013 DC-R2 ARP/5/ARP_DUPVRRPIP: -Chassis=2-Slot=2; IP address 10.2.100.1 conflicts with VRRP virtual IP address on interface Vlan-interface2, sourced from 0000-5e00-0102.
I'll do some tests with ARP packets. It might be the solution ?
Herve
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
04-02-2013 06:52 AM
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
04-02-2013 06:55 AM
04-02-2013 06:55 AM
Re: VRRP Isolation on 3 sites in a ring topology RRPP
Please loot at the attached txt files. They do not show the mstp, vlan, PCs ports, etc attributes. However, they give an approach to achieve what you are trying to configure.
Thanks and kind regards