Active/Active VRRP with MLAG

  • Question
  • Updated 3 years ago
  • Answered
I have two BD 8810s. I have MLAG and VRRP working well. It is currently in the standard active/backup. I have all my VLANs on vrid 1, and the Virtual IP and the master are Core 1. We set the VIP to the IP of Core 1. My question is: to get Active/Active, what do I need to change?

Do I need to join all of the VLANs to a vrid 2 and set the master and VIP on Core two, then apply the ACL from the concepts guide?

Any help would be great. If you need more info, let me know. Thanks.
Jon Haas

Posted 5 years ago

Sumit Tokle, Alum

You have to configure the virtual IP address to be a different address from either of the MLAG peer interface addresses.

Let's say Core 1 & Core 2 have physical IP addresses 10.0.0.2 and 10.0.0.3 respectively; then you have to configure the VIP address as 10.0.0.1 on both the Core 1 and Core 2 switches and apply the policy on both cores' ISC port:

entry vrrp-act { if match all {
destination-address 224.0.0.18/32 ;
} then {
deny ;
}
}

Please have the latest software on both cores.
Sathish Arul, Alum

edit policy vrrp-hello-block
entry vrrp-block { if match all {
destination-address 224.0.0.18/32 ;
} then {
deny ;
}
}
config access-list vrrp-hello-block port x,y,z ingress

This policy should be applied on all ports - ports between the cores & downlinks to the access switches - where the access switches are connected dual-homed to both cores.
Sumit Tokle, Alum

My understanding is that if we apply this policy only on the ISC port, then it would also be fine, as the access switch will not send the VRRP hello packets from core 1 to core 2 or vice versa; according to the access switch, it is only one virtual bundle (sharing).
Sathish Arul, Alum

Yes, it's correct - with LAG & EAPS design on access switches, VRRP hellos are not forwarded front & back, but it's recommended as a best practice to keep the ACL on all ports to overcome some worst-case scenarios.

Daniel Flouret, Employee

The truth lies somewhere in the middle...

If the only VRRP routers are the two neighbors forming the MLAG, then Sumit is right and the ACL should be applied only to the ISC ports.

But if there are other routers taking part in VRRP, other than the two neighbors forming the MLAG, then the ACL should be applied to any other ports that would let the hello packets reach these other VRRP members, as one of these might become Master and force the rest to standby.

Regards, Daniel
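
A configuration check for the rule described in the reply above, as an added example that is not part of the original thread or any vendor tooling: it parses the policy text and the `access-list` bindings and lists the ports that should drop VRRP hellos but have no blocking ingress ACL. The port numbers (1:1, 2:5), the function names, comma-only port lists and the first-covering-entry evaluation are assumptions made for illustration.

```python
import ipaddress
import re

VRRP_GROUP = ipaddress.ip_address("224.0.0.18")  # VRRP advertisement multicast group
ENTRY = re.compile(r"entry\s+(\S+)\s*\{\s*if(?:\s+match\s+(?:all|any))?\s*\{([^}]*)\}"
                   r"\s*then\s*\{([^}]*)\}\s*\}", re.S)
BIND = re.compile(r"conf\w*\s+access-list\s+(\S+)\s+ports?\s+(\S+)\s+ingress")

# Constructed sample data: the policy text is the one posted in the thread;
# ports 1:1 (ISC) and 2:5 (link towards a third VRRP router) are made up.
GOOD_POLICY = """entry vrrp-block { if match all {
destination-address 224.0.0.18/32 ;
} then {
deny ;
}
}"""
TYPO_POLICY = GOOD_POLICY.replace("224.0.0.18", "224.0.0.8")  # wrong group address
CONFIG = ["config access-list vrrp-hello-block port 1:1 ingress"]

def policy_denies_vrrp(policy_text):
    """True if the first entry covering 224.0.0.18 unconditionally denies it."""
    for _name, match, action in ENTRY.findall(policy_text):
        conds = [c.split() for c in match.split(";") if c.strip()]
        dst = [c[1] for c in conds if len(c) == 2 and c[0] == "destination-address"]
        if not dst or VRRP_GROUP not in ipaddress.ip_network(dst[0], strict=False):
            continue  # this entry does not cover the VRRP group; keep looking
        # Extra match conditions narrow the entry, so treat those as "review by hand".
        return len(conds) == 1 and "deny" in re.split(r"[;\s]+", action)
    return False  # nothing in this policy drops VRRP hellos

def unprotected_ports(policies, config_lines, isc_ports, other_vrrp_ports=()):
    """Ports that must drop VRRP hellos but have no blocking ingress ACL bound."""
    blocking = {name for name, text in policies.items() if policy_denies_vrrp(text)}
    covered = set()
    for line in config_lines:
        m = BIND.match(line.strip())
        if m and m[1] in blocking:
            covered.update(p.strip() for p in m[2].split(","))  # ranges not expanded
    return sorted((set(isc_ports) | set(other_vrrp_ports)) - covered)

if __name__ == "__main__":
    print(unprotected_ports({"vrrp-hello-block": GOOD_POLICY}, CONFIG, ["1:1"], ["2:5"]))
```

With only the two MLAG peers running VRRP the result is empty; once a port towards another VRRP router is listed, that port is reported until the ACL is bound to it as well.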
Jon Haas

Thanks, guys. I will try this out today and let you know the results.
Tamera Rousseau-Vesta, Extreme Alumna

Please feel free to update the community as to your results, Jon!
Jon Haas

After a long day I was able to test this policy out and it works great. Thanks for all the help. 
Brian Boche

In regard to VRRP Active-active config, I am looking for configuration clarification.

In standard master/backup or active/standby VRRP config, the second post above is accurate. I don't see a reply on how to make both active. Is it just as simple as configuring both cores as master in the VRRP config and then simply applying the ACL between the VRRP peers on the ISC ports?

Thanks!
Ryan Mathews, Alum

Glad to see Mr. Boche joined the Hub.  Good stuff!
Daniel Flouret, Employee

Wow, Brian. After such a comment you will have to go to Community Interaction || Networking Neighbors and give us some information about yourself...
Ted

We are moving from 15.3.1.4 patch 1-36 to 16.1.2.14 patch 1-1 and I was wondering if the ACL - VRRP block is still a valid config. I'm using Active/Active VRRP with MLAG currently and this isn't changing. Just trying to get a feel for any new config changes. I thought I heard of a change coming with this new image.

Thank you,
Daniel Flouret, Employee

Ted, nothing has changed in v16.1.

There's a new release train (v21.1) that includes new functionality that changes the way VRRP behaves (Fabric Routing), but that version train is only available on G2 switches.
Ted

That might be what I read or heard of.  Thanks for clarifying and much appreciated.