[c-nsp] Swap hsrp with vrrp in mixed physical/vmware environment?
Peter Rathlev
peter at rathlev.dk
Fri Mar 22 03:55:34 EDT 2013
On Thu, 2013-03-21 at 21:46 +0000, Nick Hilliard wrote:
> It would be really nice if cisco supported "ping a.b.c.d source a.b.c.X"
> where a.b.c.X was the virtual IP - it would solve a couple of problems
> including this one. Unfortunately, they don't support it:
>
> > % Invalid source address- IP address not on any of our up interfaces
>
> sigh.
Though a rather cumbersome procedure, one can actually trick routers to
use the HSRP address via a dummy VRF. Many people probably know this
already, but for the record (here Sup720/SXI):
interface Vlan70
 vrf forwarding test-vrf
 ip address 192.0.2.2 255.255.255.0
 standby 15 ip 192.0.2.1
!
Router(config)#vrf definition dummy
Router(config-vrf)#rd 1:1
Router(config-vrf)#addr ipv4
Router(config-vrf-af)#interface Lo100
Router(config-if)#vrf forwarding dummy
Router(config-if)#ip address 192.0.2.1 255.255.255.255
Router(config-if)#^C
Router#
Picking a random end host that's pingable:
Router#show ip arp vrf test-vrf | incl 192.0.2.113
...
Internet 192.0.2.113 7 0200.babe.cafe ARPA Vlan70
...
Router#ping vrf test-vrf 192.0.2.113
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.0.2.113, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
Router#
Simply using the HSRP virtual address as source fails.
Router#ping vrf test-vrf 192.0.2.113 source 192.0.2.1
% Invalid source address- IP address not on any of our up interfaces
Router#
But using the interface from the dummy VRF as a source interface works
and since the address actually exists in "test-vrf" the replies are
accepted:
Router#ping vrf test-vrf 192.0.2.113 source Lo100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.0.2.113, timeout is 2 seconds:
Packet sent with a source address of 192.0.2.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
Router#
Using an interface from a dummy VRF one can source traffic from
arbitrary addresses. It's convenient e.g. when testing IPsec tunnels
without access to hosts that are allowed in the crypto domain.
--
Peter
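As an added example (not part of Peter's post or any Cisco tooling), a small Python helper that pulls the VRF and HSRP virtual IP out of an interface block like the one above, emits the dummy-VRF/loopback configuration and the matching ping command, and checks captured ping output for the "Packet sent with a source address of" line so the operator can confirm the echo really left with the virtual IP. The sample interface block and ping output are constructed from the post; the "dummy" VRF, Loopback100 and rd 1:1 simply mirror the names used there.

```python
import re

# Constructed sample input, modelled on the interface block in the post.
SAMPLE_INTERFACE = """\
interface Vlan70
 vrf forwarding test-vrf
 ip address 192.0.2.2 255.255.255.0
 standby 15 ip 192.0.2.1
!
"""

# Constructed sample of a successful ping sourced from the loopback.
SAMPLE_PING = """\
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.0.2.113, timeout is 2 seconds:
Packet sent with a source address of 192.0.2.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
"""

def parse_hsrp(config):
    """Return (vrf, virtual_ip) from an interface block carrying 'standby N ip'."""
    vrf = re.search(r"^\s*vrf forwarding (\S+)", config, re.M)
    vip = re.search(r"^\s*standby \d+ ip (\d+\.\d+\.\d+\.\d+)", config, re.M)
    if not (vrf and vip):
        raise ValueError("no HSRP group inside a VRF in this interface block")
    return vrf.group(1), vip.group(1)

def dummy_vrf_config(vip, dummy="dummy", loopback="Loopback100", rd="1:1"):
    """Config that parks the virtual IP as a /32 on a loopback in a throwaway VRF.
    The address-family line is required before IOS accepts 'vrf forwarding'."""
    return [
        f"vrf definition {dummy}",
        f" rd {rd}",
        " address-family ipv4",
        f"interface {loopback}",
        f" vrf forwarding {dummy}",
        f" ip address {vip} 255.255.255.255",
    ]

def ping_command(vrf, target, loopback="Loopback100"):
    """The ping form from the post: source by interface, not by literal address."""
    return f"ping vrf {vrf} {target} source {loopback}"

def check_ping(output, expected_source):
    """True only if IOS reports the expected source address and some replies."""
    src = re.search(r"source address of (\S+)", output)
    rate = re.search(r"Success rate is (\d+) percent", output)
    return bool(src and rate) and src.group(1) == expected_source and int(rate.group(1)) > 0
```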