[c-nsp] 6509 vrrp issue
Jon Lewis
jlewis at lewis.org
Mon Jan 28 11:34:05 EST 2008
I had a strange issue crop up last week with vrrp. In the following
setup, all customer facing ports are L3 ports. The interconnect
between the 6509s is L2.

              |------6509-1-----cust2
cust1---2900XL          |
              |------6509-2

Given the above setup, with the 6509s doing vrrp for cust1, and cust2
directly attached just to 6509-1, cust1 misconfigured their systems to use
6509-2's real IP rather than the vrrp virtual IP. 6509-1 was configured
(higher priority) to be the vrrp master.

This resulted in reachability issues between cust1 and cust2 reminiscent
of dcef bugs we used to run into on the 7500 platform. Certain cust2 IPs
could send packets to certain cust1 IPs, but replies wouldn't get back to
them. i.e. TCP connections couldn't be opened. I was able to verify that
for these failed connections, packets were getting to cust1 and cust1 was
replying. Other cust2 IPs were able to communicate with other cust1 IPs.

I fixed the problem by shutting cust1's interface on 6509-1.

I need to wait until we can break things again, and try monitoring
cust2's 6509-1 port to see if we're actually sending them the packets
they're 'not receiving'...but I don't see why we wouldn't be...but I also
don't see why their hosts wouldn't receive them if we were.

----------------------------------------------------------------------
Jon Lewis | I route
Senior Network Engineer | therefore you are
Atlantic Net |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________