MLAG ISC VRRP asymmetric routing possible


Justin_Metts
New Contributor
We are having a problem with the ISC between two x460s. VRRP is configured as ACTIVE/STANDBY. Everything looked fine initially during our tests, as we only used ICMP. I configured separate "external" switches with IPs I could ping to test MLAG failover on access switches connected to the two x460 core switches. The test dropped pings as expected and VRRP transitioned properly on failover. MLAG worked as well going to the access switches.

Now the problem. TCP and UDP traffic does not establish any kind of connection. We connected the 460s to the internet and were able to ping 8.8.8.8, but cannot telnet to 53 or http ports. Needless to say, no internet. When I disconnect the ISC between the two 460s, internet works flawlessly. I have no idea why this is and have not opened a ticket yet. I was plugged into the active VRRP switch when I tested, so the traffic shouldn't have been affected by the ISC in the first place.

VRRP is balanced on the switches, half ACTIVE and half STANDBY. I figure if I change the configuration to ACTIVE/ACTIVE, then the traffic would flow correctly. I have followed the Extreme guides to configure the ISC and MLAG as well. That is how the switches are configured.

Here is a link to a diagram that is similar to ours. Instead of the server, we have access switches. https://d2r1vs3d9006ap.cloudfront.net/s3_images/1108985/RackMultipart20141015-13973-hmz4ni-L3MLAG.png?1413378047 This image showed the traffic flowing over the ISC and I would not think this would be an issue.

Justin_Metts
New Contributor
Going over the configuration in depth for posting here, I have found the issue. There is an ACL on the Public VLAN that does not allow the traffic. It allows ICMP, but not anything else. I would have bet money that I removed the ACL previously to assist in any troubleshooting for initial implementation, but apparently not. Sorry for wasting anyone's time.
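
The failure mode found above, as an added example that is not part of the original thread: a small first-match ACL model in Python showing why a ping-only test passes while TCP and UDP fail. The rule set, the probe list and the function names are constructed for illustration and are not the poster's policy or ExtremeXOS syntax.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Rule:
    action: str                    # "permit" or "deny"
    proto: str                     # "icmp", "tcp", "udp" or "any"
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None    # None matches any port

@dataclass(frozen=True)
class Probe:
    proto: str
    dst: str
    dport: Optional[int] = None

def evaluate(rules, probe, default="deny"):
    """Return the action of the first matching rule.
    `default` is an assumption: no-match behaviour is platform-dependent."""
    for r in rules:
        if r.proto not in ("any", probe.proto):
            continue
        if ip_address(probe.dst) not in ip_network(r.dst):
            continue
        if r.dport is not None and r.dport != probe.dport:
            continue
        return r.action
    return default

def diagnose(rules, probes):
    """ICMP passing while every TCP/UDP probe fails points at a filter, not routing."""
    results = {p: evaluate(rules, p) for p in probes}
    icmp_ok = any(a == "permit" for p, a in results.items() if p.proto == "icmp")
    l4 = [a for p, a in results.items() if p.proto in ("tcp", "udp")]
    if icmp_ok and l4 and all(a == "deny" for a in l4):
        return "filter-suspected", results
    if all(a == "permit" for a in results.values()):
        return "ok", results
    return "inconclusive", results

# Constructed stand-in for an ICMP-only ACL on a VLAN (explicit final deny).
PUBLIC_VLAN_ACL = [Rule("permit", "icmp"), Rule("deny", "any")]
# Constructed probes mirroring the tests described in the thread.
PROBES = [Probe("icmp", "8.8.8.8"), Probe("tcp", "8.8.8.8", 53),
          Probe("udp", "8.8.8.8", 53), Probe("tcp", "8.8.8.8", 80)]

if __name__ == "__main__":
    verdict, results = diagnose(PUBLIC_VLAN_ACL, PROBES)
    for p, a in results.items():
        print(f"{p.proto:4} {p.dst}:{p.dport} -> {a}")
    print(verdict)
```

A failover test plan that includes at least one TCP and one UDP probe alongside ping would surface this kind of filter before it is mistaken for an MLAG or VRRP fault.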

Glad everything works now (or is underway). I'm also glad I'm not the only one who's done something like this before 😄

That was your "FW" 😉
Good you found the issue.

Justin_Metts
New Contributor
The top diagram is exactly how I have the switches configured now. Both cores have an additional switch stacked. The bottom of the diagram is showing how I think traffic should flow. Packet ingresses VLAN 20 on CORE 1 with destination 10.200.3.252. CORE 1 knows route to 10.200.3.252 is on VLAN 3. CORE 1 sends packet out VLAN 3, since it is directly connected to CORE 2 via layer 2 tagged across the ISC. CORE 2 receives packet on VLAN 3. CORE 2 sends packet to host on VLAN 3. The return path would be similar from PC2, but just the opposite way. The ARP table is correct since ICMP works and does not drop the first ping to fill the ARP entries.

