I am currently conducting an operation laboratory for MLAG and VRRP, for which I have 3 x440-G2 switches all with firmware version 22.214.171.124 patch1-3. Having the following scheme:
All links are formed through LACP L2, I have the inconvenience that when I disable ports 1-2 of the LAG, both remain as an ACTIVE / ACTIVE role within the VRRP. According to what I understand multicast packages should be propagated through the MLAG ports (these being 3 and 4) to exchange the information of the roles.
Could you perhaps post the relevant snippets of your configuration?
I’m assuming the port 1+2 LAG is an ISC-style share/vlan?
For each switch, what are the “share” and “mlag” configs?
For each switch which ports are in what vlan?
My hunch is that there may be something in your config that isn’t quite how it’s supposed to be. I have pretty much the same setup, but I have to admit that I also never killed ports 1 and 2 both.
Usually the vrrp propagates itself via MC, there you are correct.
Could you provide config snippets of Port/Vlan assignments and tagging/untagged as well as the VRRP and MLAG/ISC config snippets?
Best regards
I enclose the configuration of all switches:
create vlan "Administracion"
configure vlan Administracion tag 5
create vlan "Data"
configure vlan Data tag 20

enable sharing 3 grouping 3-4 algorithm address-based L2 lacp

configure vlan Administracion add ports 3 tagged
# PORT USERS
configure vlan Administracion add ports 7 untagged
configure vlan Data add ports 3 tagged
# PORT USERS
configure vlan Data add ports 9 untagged

configure vlan Administracion ipaddress 10.16.46.10 255.255.255.0
create vlan "administracion"
configure vlan administracion tag 5
create vlan "control"
configure vlan control tag 100
create vlan "data"
configure vlan data tag 20

enable sharing 1 grouping 1-2 algorithm address-based L2 lacp
enable sharing 4 grouping 4 algorithm address-based L2 lacp

configure vlan administracion add ports 1,4 tagged
configure vlan control add ports 1 tagged
configure vlan data add ports 1,4 tagged

configure vlan data ipaddress 10.20.0.3 255.255.255.0
enable ipforwarding vlan data
configure vlan administracion ipaddress 10.1.90.3 255.255.255.0
enable ipforwarding vlan administracion
configure vlan control ipaddress 126.96.36.199 255.255.255.252

create vrrp vlan data vrid 20
configure vrrp vlan data vrid 20 preempt delay 3
create vrrp vlan administracion vrid 6
configure vrrp vlan administracion vrid 6 preempt delay 3
configure vrrp vlan data vrid 20 add 10.20.0.1
configure vrrp vlan administracion vrid 6 add 10.1.90.1
enable vrrp vlan data vrid 20
enable vrrp vlan voz vrid 5
enable vrrp vlan administracion vrid 6

create mlag peer "CORE-1"
configure mlag peer "CORE-1" ipaddress 188.8.131.52
enable mlag port 4 peer "CORE-1" id 1
enable sharing 1 grouping 1-2 algorithm address-based L2 lacp
enable sharing 3 grouping 3 algorithm address-based L2 lacp

configure vlan administracion add ports 1,3 tagged
configure vlan control add ports 1 tagged
configure vlan data add ports 1,3 tagged

configure vlan data ipaddress 10.20.0.2 255.255.255.0
enable ipforwarding vlan data
configure vlan administracion ipaddress 10.1.90.2 255.255.255.0
enable ipforwarding vlan administracion
configure vlan control ipaddress 184.108.40.206 255.255.255.252

create vrrp vlan data vrid 20
configure vrrp vlan data vrid 20 priority 200
configure vrrp vlan data vrid 20 preempt delay 3
create vrrp vlan administracion vrid 6
configure vrrp vlan administracion vrid 6 priority 200
configure vrrp vlan administracion vrid 6 preempt delay 3
configure vrrp vlan data vrid 20 add 10.20.0.1
configure vrrp vlan administracion vrid 6 add 10.1.90.1
enable vrrp vlan data vrid 20
enable vrrp vlan administracion vrid 6

create mlag peer "CORE-2"
configure mlag peer "CORE-2" ipaddress 220.127.116.11
enable mlag port 3 peer "CORE-2" id 1
This somehow looks like an issue “by software design”.
Setup alike yours except that I changed the IP of the border device (same vlan Administr. but different subnet, hardly good to troubleshoot).
Now I deactivated the ISC and started to continuously ping from 10.1.90.3 to the border 10.1.9.10 (incoming on port 4 of sharing 3).
But all the traffic back (echo/ping reply) goes up the port 3 of sharing 3 which then arrives at the 10.1.90.2 (getting deny/not-found packet back).
I also tested with different algorithms (l2,l3,l3-4) with lacp on and off on all sides. Please bear in mind that usually the “How to config” guides for MLAG and sharing are referring to the algorithm L3_L4 (LACP). Does not matter in this case.
As well as Backup-Master (Fabric-Routing) feature; Does not matter whether Off or On in this scenario.
The ARPs as well only get learned to the master port of the sharing on the border. Which is okay.
What is not okay is that those seem to always go out on the master sharing port first.
After a while of configuring working (ISC active…..) and mostly not-working conditions, my border device delivers this output. Just a hint: look at the difference in Tx Pkt/Tx Byte of Port 3 and 4…..
show ports 3-4 statistics port-number
Port Statistics                                   Thu Nov 14 08:12:54 2019
Port      Link       Tx Pkt     Tx Byte      Rx Pkt     Rx Byte      Rx Pkt      Rx Pkt      Tx Pkt      Tx Pkt
          State       Count       Count       Count       Count       Bcast       Mcast       Bcast       Mcast
========= ===== =========== =========== =========== =========== =========== =========== =========== ===========
3         A            2369      231446        7849      554744          31        7383          32        1054
4         A             166       33107        7896      557606         874        6959           0         102
show fdb ports 3-4
MAC                VLAN Name( Tag)       Age   Flags  Port / Virtual Port List
------------------------------------------------------------------------------------------------------
00:00:5e:00:01:06  Administracion(0005)  0000  d mi   3
00:00:5e:00:01:14  Data(0020)            0016  d m    3
00:04:96:7e:26:36  Administracion(0005)  0000  d mi   3
00:04:96:7e:26:36  Data(0020)            0014  d m    3
00:04:96:7e:26:3f  Administracion(0005)  0000  d mi   3
00:04:96:7e:26:3f  Data(0020)            0011  d m    3
show iparp
VR          Destination  Mac                Age  Static  VLAN            VID  Port
VR-Default  10.1.90.1    00:00:5e:00:01:06  0    NO      Administracion  5    3
VR-Default  10.1.90.2    00:04:96:7e:26:36  6    NO      Administracion  5    3
VR-Default  10.1.90.3    00:04:96:7e:26:3f  7    NO      Administracion  5    3
debug hal show fdb
Hardware-learned entries:
MAC                VlanId  Flags     Port  HIT   TYPE
===================================================
00:04:96:7e:26:3f  5       00001021  3     TRUE  L2
00:04:96:7e:26:3f  20      00001021  3     TRUE  L2
00:04:96:7e:26:36  5       00001021  3     TRUE  L2
00:04:96:7e:26:36  20      00001021  3     TRUE  L2
00:00:5e:00:01:14  20      00001021  3     TRUE  L2
00:00:5e:00:01:06  5       00001021  3     TRUE  L2
Software-learned for "e"-series In-use count: 1

Hardware-learned entries:
MAC                VlanId  Flags     Port  HIT   TYPE
===================================================
00:04:96:7e:26:3f  5       00001021  3     TRUE  L2
00:04:96:7e:26:3f  20      00001021  3     TRUE  L2
00:04:96:7e:26:36  5       00001021  3     TRUE  L2
00:04:96:7e:26:36  20      00001021  3     TRUE  L2
00:00:5e:00:01:14  20      00001021  3     TRUE  L2
00:00:5e:00:01:06  5       00001021  3     TRUE  L2
Hardware-learned In-use count: 6
Num of msgs from FDB : 351
Bearing the switches I only could use your configs for this setup:
Cores: Summit x670v - V.18.104.22.168-patch1-3
Border: x440-G2 - V.22.214.171.124-patch1-11
I hope my little tests could provide you with any help, though I do not have a proper solution for you except: Do not on purpose turn off the entire ISC. Calculate with enough redundancy so you won’t have this issue by one or two link/cable failure. Sorry :-(
Could you keep us posted about progress, maybe even about any GTAC case you may open?
Just a little addition. I have talked with a colleague of mine (plenty of years of experience with EXOS switching).
This sure is a “working as designed” or “issue by design”.
If you do encounter this problem there are just three options:
So, I guess, opening a GTAC for this might get closed with “working as designed, ensure ISC functionality”.
I have decided to open a case with TAC for further review of the problem, for my laboratory I am considering that only the VRRP Master when with connections to other networks or is routing. Therefore, when I perform the test to deactivate the ISC ports (1-2), both remained as ACTIVE / ACTIVE but the traffic is being directed to the switch that previously had a role as BACKUP and the communication of all the network segments is lost. routed for the month.
Perform the tests to deactivate the MLAG ports (3,4) but the role is followed in both switches, this problem occurs only when the ISC port between the CORE switches is deactivated.
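Added example, not part of any post in this thread: a Python check over the first core configuration posted above that reports, for each VRRP VLAN, whether the ISC (port 1, as the thread states) is the only port carrying it apart from the MLAG ports. It assumes VRRP advertisements sent out an MLAG port do not reach the peer, which matches the ACTIVE / ACTIVE result reported here; the function names are hypothetical.

```python
import re

# Core configuration lines copied from the thread (first core switch posted),
# trimmed to the statements this check reads.
CORE_CONFIG = """
enable sharing 1 grouping 1-2 algorithm address-based L2 lacp
enable sharing 4 grouping 4 algorithm address-based L2 lacp
configure vlan administracion add ports 1,4 tagged
configure vlan control add ports 1 tagged
configure vlan data add ports 1,4 tagged
create vrrp vlan data vrid 20
create vrrp vlan administracion vrid 6
enable mlag port 4 peer "CORE-1" id 1
"""

def expand_ports(spec):
    """Expand an EXOS port list such as '1,3-4' into a set of ints."""
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def vrrp_paths(config, isc_port):
    """Per VRRP VLAN, classify the ports that carry it (hypothetical helper)."""
    vlan_ports, vrrp_vlans, mlag_ports = {}, set(), set()
    for line in map(str.strip, config.splitlines()):
        if m := re.match(r'configure vlan "?(\w+)"? add ports (\S+)', line):
            vlan_ports.setdefault(m[1].lower(), set()).update(expand_ports(m[2]))
        elif m := re.match(r'create vrrp vlan "?(\w+)"? vrid \d+', line):
            vrrp_vlans.add(m[1].lower())
        elif m := re.match(r"enable mlag port (\d+) peer", line):
            mlag_ports.add(int(m[1]))
    report = {}
    for vlan in sorted(vrrp_vlans):
        ports = vlan_ports.get(vlan, set())
        other = sorted(ports - mlag_ports - {isc_port})
        report[vlan] = {
            "mlag": sorted(ports & mlag_ports),
            "other": other,
            # Assumption: adverts sent out an MLAG port never reach the peer,
            # so with no "other" port the ISC is the only VRRP path.
            "isc_only": isc_port in ports and not other,
        }
    return report

if __name__ == "__main__":
    for vlan, info in vrrp_paths(CORE_CONFIG, isc_port=1).items():
        print(vlan, info)
```

Both VRRP VLANs in the posted configuration come back with `isc_only` set, which is the dependency the replies describe as "working as designed".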