[c-nsp] Anycast and reflexive ACLs, broken MLS?

Bernhard Schmidt berni at birkenwald.de
Sun Apr 24 12:46:18 EDT 2005


Hi,

I'm having some issues trying to develop an IP multicast setup for the
DNS resolvers on our campus. I've created a small testing setup with two
6509 Sup720A connected to each other with a Vlan on top of Ethernet. 

Router1 is running 12.2(18)SXD1, Router2 is running 12.2(18)SXD4. There
is OSPF running between them, the anycast IP is received from the
servers with RIP and redistributed into OSPF. 

On Router1 there is only one additional Vlan relevant to this problem,
there one instance of the anycast service is connected.
On Router2 I have three additional Vlans, two are client Vlans, one is
another server Vlan where the second instance of the service is
connected (well, it is not a Vlan but a routed interface, don't think
that makes any difference).

When both servers are running all clients send their queries to the
server at Router2, as expected. When I disable the instance at Router2
all queries are shifted towards the instance at Router1, that is
expected as well. But when I reenable the server at Router2, queries
from one client are shifted back immediately, while the queries of
another client stay at the other instance, although traceroute and ping
go to the expected (local) instance.

The only real difference between the two clients is that they are
connected to different Vlans, and the Vlan the non-switching client is
connected to is protected by reflexive ACLs. It looks like the MLS
"flow-cache" is not updated correctly when a switch of the best route
from OSPF to RIP occurs, while it gets updated when it is switched from
RIP to OSPF.

"sh mls ip | i <anycastip>" shows before the switchover (only the server
instance at Router1 is active):

XXX.YYY.15.142  10.156.33.53    udp :dns    :33107    Vl998 :0x80BFB
10.156.8.23     10.156.33.53    udp :dns    :32961    Vl998 :0x0

after the switchover there is an additional entry with the correct
egress interface (Gi2/6) for the working client (the one not protected
with reflexive ACLs), while the broken one still has only the old path.

XXX.YYY.15.142  10.156.33.53    udp :dns    :33107    Vl998 :0x80BFB
10.156.8.23     10.156.33.53    udp :dns    :32961    Gi2/6 :0x0
10.156.8.23     10.156.33.53    udp :dns    :32961    Vl998 :0x0

"sh ip route", "sh ip cef" and "sh mls cef" are updated immediately and
correct.

When the "broken" client does not do queries for some minutes or chooses
another source port the correct instance is used, but unfortunately that
is not something a well-used Linux workstation does :-\

Any ideas? 

Bernhard
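To make the two "sh mls ip" snapshots quoted in the post easier to compare, here is an added Python example (not part of the original post and not a Cisco tool) that parses output with the layout shown above and, given the egress interface the flows should use after the route change, classifies each flow as "updated" (only the new interface), "duplicate" (old and new entry side by side, as for the working client) or "stale" (only the old interface, as for the client behind the reflexive ACLs). The column layout (src, dst, proto, :dstport, :srcport, egress, :flags) is inferred from the quoted lines and is an assumption; the sample data is the poster's own output.

```python
"""Classify 'sh mls ip' flow-cache entries after a route change.

Added example; the column layout is assumed from the lines quoted in the post.
"""
from collections import defaultdict

# Constructed from the post: snapshot before the switchover (only Router1's
# server instance active, everything leaves via Vl998).
BEFORE = """\
XXX.YYY.15.142  10.156.33.53    udp :dns    :33107    Vl998 :0x80BFB
10.156.8.23     10.156.33.53    udp :dns    :32961    Vl998 :0x0
"""

# Constructed from the post: snapshot after Router2's instance came back.
# The local instance is now reachable via Gi2/6.
AFTER = """\
XXX.YYY.15.142  10.156.33.53    udp :dns    :33107    Vl998 :0x80BFB
10.156.8.23     10.156.33.53    udp :dns    :32961    Gi2/6 :0x0
10.156.8.23     10.156.33.53    udp :dns    :32961    Vl998 :0x0
"""

FIELDS = ("src", "dst", "proto", "dport", "sport", "egress", "flags")


def parse_mls_ip(text):
    """Parse whitespace-separated 'sh mls ip' lines into dicts.

    Assumed layout: src dst proto :dstport :srcport egress :flags
    (leading colons on port/flag columns are stripped).
    """
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        if len(tokens) != len(FIELDS):
            raise ValueError(f"unexpected 'sh mls ip' line: {line!r}")
        entry = dict(zip(FIELDS, (t.lstrip(":") for t in tokens)))
        entries.append(entry)
    return entries


def flows_by_key(entries):
    """Group cache entries by 5-tuple -> set of egress interfaces seen."""
    groups = defaultdict(set)
    for e in entries:
        key = (e["src"], e["dst"], e["proto"], e["dport"], e["sport"])
        groups[key].add(e["egress"])
    return dict(groups)


def classify_flows(snapshot, expected_egress):
    """Map each 5-tuple to 'updated', 'duplicate' or 'stale'.

    updated   : every entry for the flow points at expected_egress
    duplicate : the new entry exists but an old one is still cached
    stale     : no entry points at expected_egress at all
    """
    status = {}
    for key, egress in flows_by_key(parse_mls_ip(snapshot)).items():
        if egress == {expected_egress}:
            status[key] = "updated"
        elif expected_egress in egress:
            status[key] = "duplicate"
        else:
            status[key] = "stale"
    return status


def report(snapshot, expected_egress):
    """Human-readable summary, one line per flow."""
    lines = []
    for key, state in sorted(classify_flows(snapshot, expected_egress).items()):
        src, dst, proto, dport, sport = key
        lines.append(f"{state:9s} {src}:{sport} -> {dst}:{dport}/{proto}")
    return "\n".join(lines)


if __name__ == "__main__":
    print("before switchover (expected egress Vl998):")
    print(report(BEFORE, "Vl998"))
    print("\nafter switchover (expected egress Gi2/6):")
    print(report(AFTER, "Gi2/6"))
```

Running it against the two snapshots flags XXX.YYY.15.142 as stale after the switchover and 10.156.8.23 as duplicate; repeating the check once the duplicate's old entry has aged out of the cache is a quick way to tell whether a flow ever converged, without eyeballing the raw table.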


