VRRP Isolation on 3 sites in a ring topology RRPP

Arthis
Occasional Advisor


 

Hi,

 

I have 3 DC (R1, R2 and R3) connected in a ring topology via RRPP.

To provide routing path optimization, I'd like the Data Centers to run separate sets of VRRP instance for vlan 2.

 

In my example, I want to configure VRRP isolation ACLs on the 3 DC.

Unfortunately, it failed with the error message:

 

%Mar 28 16:49:59:815 2013 DC-R2 ARP/5/ARP_DUPVRRPIP: -Chassis=2-Slot=2; IP address 10.2.100.1 conflicts with VRRP virtual IP address on interface Vlan-interface2, sourced from 0000-5e00-0102.

 

But it works perfectly if VRRP Isolation is applied on 2 DCs only.

 

Can VRRP Isolation work when configured on 3 sites in a ring topology?

 

If you have any idea...

 

Best regards,

 

Herve

 

-----------------------------------------------------------------------------------------------------------------

 

VLAN 2 belongs to the RRPP protected vlans.

 

DC-R1
interface Vlan-interface2
 ip address 10.2.100.2 255.255.0.0
 vrrp vrid 2 virtual-ip 10.2.100.1

DC-R2
interface Vlan-interface2
 ip address 10.2.100.4 255.255.0.0
 vrrp vrid 2 virtual-ip 10.2.100.1

DC-R3
interface Vlan-interface2
 ip address 10.2.100.8 255.255.0.0
 vrrp vrid 2 virtual-ip 10.2.100.1

On each DC, I've configured this ACL:

acl number 4001
 description DENY VRRP
 rule 0 deny type 0800 ffff dest-mac 0100-5e00-0012 ffff-ffff-ffff
 rule 100 permit

I've applied this command on each interface connecting the ring:

packet-filter 4001 outbound

5 REPLIES
3comold
Advisor

Re: VRRP Isolation on 3 sites in a ring topology RRPP

Bonjour Herve,

 

It is simply hard to figure out what you are trying to achieve without a clear diagram and the full configuration of each device that is part of the RRPP infrastructure.

 

Maybe you need to use/add a flow-template on the interface to define the source and destination MAC addresses as Ethernet protocol to be used by the packet filter you apply to the interface.

 

Try to find out from system-view of the CLI if the command "flow-template" is available.

 

Also the packet you want to filter may require you to apply the filter in "inbound" direction.

 

Also, I am not sure you need the second rule in the ACL.

 

 

Thank you, and,

Kind Regards

Peter_Debruyne
Honored Contributor

Re: VRRP Isolation on 3 sites in a ring topology RRPP

Hi,

 

It seems that this is an ARP problem, not a VRRP hello problem (if the ACL did not work, you would not get VRRP master roles in each site, and the MAC filtered for the VRRP hello is the mcast address (01...), while the actual VRRP router address is a unicast (00..) address, which is reported by the ARP DUPLICATE IP log message).

So you may need to find out if the gratuitous ARP of the L3 VLAN interface can be disabled, maybe?

 

I have only used this with 2 VRRP nodes, never with 3, so I am not sure what exact difference causes this behavior.

 

Best regards, Peter
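Added example, not part of the original thread or of any poster's reply: a small Python check of the distinction made in the reply above, using the log line and ACL 4001 quoted in the thread. It assumes that mask bits set to 1 are the bits compared, that frames matching no rule pass, and that the second frame of interest is a broadcast gratuitous ARP (EtherType 0806); the function names are hypothetical.

```python
import re

# Log line and ACL 4001 copied from the thread; everything else is constructed.
LOG = ("%Mar 28 16:49:59:815 2013 DC-R2 ARP/5/ARP_DUPVRRPIP: -Chassis=2-Slot=2; "
       "IP address 10.2.100.1 conflicts with VRRP virtual IP address on "
       "interface Vlan-interface2, sourced from 0000-5e00-0102.")
ACL_4001 = ["rule 0 deny type 0800 ffff dest-mac 0100-5e00-0012 ffff-ffff-ffff",
            "rule 100 permit"]

def mac(text):
    """'0000-5e00-0102' -> 48-bit integer."""
    return int(text.replace("-", ""), 16)

def parse_dup_log(line):
    """Extract IP, interface, source MAC and (if it is a VRRP virtual MAC) the VRID."""
    m = re.search(r"IP address (\S+) conflicts .* on interface (\S+), "
                  r"sourced from ([0-9a-f-]{14})", line)
    ip, ifname, src = m.groups()
    # RFC 5798: the IPv4 virtual router MAC is 00-00-5E-00-01-{VRID}.
    is_vmac = mac(src) >> 8 == 0x00005E0001
    return {"ip": ip, "interface": ifname, "src_mac": src,
            "vrid": mac(src) & 0xFF if is_vmac else None}

def acl_action(rules, ethertype, dst):
    """First matching rule wins; mask bits set to 1 are compared (assumption)."""
    for rule in rules:
        tok = rule.split()
        action, crit, hit = tok[2], tok[3:], True
        if "type" in crit:
            i = crit.index("type")
            val, mask = int(crit[i + 1], 16), int(crit[i + 2], 16)
            hit = hit and (ethertype & mask) == (val & mask)
        if "dest-mac" in crit:
            i = crit.index("dest-mac")
            val, mask = mac(crit[i + 1]), mac(crit[i + 2])
            hit = hit and (mac(dst) & mask) == (val & mask)
        if hit:
            return action
    return "permit"  # assumption: frames matching no rule are not filtered

def frames_from_master():
    """(EtherType, destination MAC) of the two frame kinds a VRRP master emits."""
    return {"vrrp_advertisement": (0x0800, "0100-5e00-0012"),  # 224.0.0.18
            "gratuitous_arp": (0x0806, "ffff-ffff-ffff")}     # broadcast ARP

if __name__ == "__main__":
    print(parse_dup_log(LOG))
    for name, (etype, dst) in frames_from_master().items():
        print(name, "->", acl_action(ACL_4001, etype, dst))
```

Rule 0 stops the advertisement, so each site elects its own master, while the ARP frame carrying virtual MAC 0000-5e00-0102 (VRID 2) falls through to rule 100 and still crosses the ring.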

 

 

Arthis
Occasional Advisor

Re: VRRP Isolation on 3 sites in a ring topology RRPP

[Attached image: RRP_archi]

 

Thanks for your answer.

 

Indeed, on 2 nodes, it works perfectly.

 

On the site R3, let's suppose I want to have RRP Isolation for vlan 2. Here are the steps and the logs:

 

 

[R3]int vlan 2
[R3-vlan-interface2]dis this
#
interface Vlan-interface2
 ip address 10.2.100.8 255.255.255.0
#
return
[R3-vlan-interface2] vrrp vrid 2 virtual-ip 10.2.100.1     >>>  (ACL and packet filter are already configured)

%May  1 16:29:35:512 2000 R3 VRRP/6/VRRP_STATUS_CHANGE: The status of IPv4 virtual router 2 (configured on Vlan-interface2) changed from Backup to Master: Timer expired.

 

[R3]dis vrrp
 IPv4 Standby Information:
     Run Mode       : Standard
     Run Method     : Virtual MAC
 Total number of virtual routers : 5
 Interface          VRID   State       Run     Adver   Auth     Virtual
                                       Pri     Timer   Type        IP
 ---------------------------------------------------------------------
 Vlan2              2      Master      100     1       None     10.2.100.1

...........etc..........

 

>>> OK. It became Master.  The 3 nodes are Master for vlan 2.

 

 

Let's see what's happening on DC-R2:

 

%Mar 30 23:27:29:699 2013 DC-R2 ARP/5/ARP_DUPVRRPIP: -Chassis=2-Slot=2; IP address 10.2.100.1 conflicts with VRRP virtual IP address on interface Vlan-interface2, sourced from 0000-5e00-0102.

 

 

I'll do some tests with ARP packets. It might be the solution?

 

 

Herve

 

3comold
Advisor
Solution

Re: VRRP Isolation on 3 sites in a ring topology RRPP

[Attached images: rrpp capture.PNG, rrpp capture 2.PNG, rrpp capture 3.PNG]

3comold
Advisor

Re: VRRP Isolation on 3 sites in a ring topology RRPP

Bonjour Herve,

Please look at the attached txt files. They do not show the MSTP, VLAN, PC ports, etc. attributes. However, they give an approach to achieve what you are trying to configure.

Thanks and kind regards