Active/Active VRRP with Mlag
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
‎03-26-2014 11:47 PM
I have two BD 8810's. I have mlag and vrrp working well. It is currently in the standard active/backup. I have all my vlans on vrid 1 and the Virtual IP and the master are Core 1. We set the VIP to the IP of Core 1. My question is to get Active/Active what do I need to change?
Do I need to join all of the vlans to a vrid 2 and set the master and VIP on Core two then apply the ACL from the concepts guide?
Any help would be great. If you need more info let me know thanks.
Do I need to join all of the vlans to a vrid 2 and set the master and VIP on Core two then apply the ACL from the concepts guide?
Any help would be great. If you need more info let me know thanks.
18 REPLIES 18
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
‎03-27-2014 10:03 AM
Yes, its correct - with LAG & EAPS design on Access switches VRRP hellos are not forwarded front & back, but its recommended as a best practice to keep the ACL on all ports to overcome some worst case scenario's.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
‎03-27-2014 09:44 AM
My understanding would say, If we apply this policy only on ISC port then also it would be fine. As access switch will not send the vrrp hello packets from core 1 to core 2 or vice versa, according to access switch it is only one virtual bundle(sharing).
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
‎03-27-2014 07:31 AM
edit policy vrrp-hello-block
entry vrrp-block { if match all {
destination-address 224.0.0.18/32 ;
} then {
deny ;
}
}
config access-list vrrp-hello-block port x,y,z ingress
This policy should be applied in all ports - ports between core & downlink to Access Switches - where the access switches are connected dual home to both cores.
entry vrrp-block { if match all {
destination-address 224.0.0.18/32 ;
} then {
deny ;
}
}
config access-list vrrp-hello-block port x,y,z ingress
This policy should be applied in all ports - ports between core & downlink to Access Switches - where the access switches are connected dual home to both cores.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
‎03-27-2014 06:53 AM
You have to configure the virtual IP address to be a different address from either of the MLAG peer interface addresses.
Lets say Core 1 & Core 2 has physical IP address 10.0.0.2 and 10.0.0.3 respectively then you have to configure VIP address as 10.0.0.1 on both core 1 and core 2 switch and apply the policy on both core's ISC port
entry vrrp-act { if match all {
destination-address 224.0.0.18/32 ;
} then {
deny ;
}
}
Please have latest software on both the core.
Lets say Core 1 & Core 2 has physical IP address 10.0.0.2 and 10.0.0.3 respectively then you have to configure VIP address as 10.0.0.1 on both core 1 and core 2 switch and apply the policy on both core's ISC port
entry vrrp-act { if match all {
destination-address 224.0.0.18/32 ;
} then {
deny ;
}
}
Please have latest software on both the core.
