ASYMMETRIC ROUTING

Answered Question
Mar 19th, 2008

Interesting question:

Imagine 2 L3 switches, C1 and C2, in an HSRP group config.

C1 is the HSRP primary for all vlans because I need it that way. Can't have asymmetric routing. Why is not important now -- I just do.

Now, directly attached to C1 and C2 are NIC-teamed servers, each with ONE active NIC, but (here is the kicker) some of those active NICs face the HSRP secondary.

So, imagine I need to maintain symmetric routing and there is stateful traffic coming into a server from C1. Imagine the server is an LDAP server responding to an LDAP client.

If that LDAP server has its active NIC facing C2, it will have to forward its response to C2. The response, of course, will have the vMAC owned by C1 in its destination MAC header info, so C2 will forward it to C1.

Now, here is the question:

Will C2 re-write the source MAC address info before forwarding it to C1? If so, then is the symmetric routing requirement broken? I think the answer is yes to both questions. Yes, the MAC address will be re-written and yes, the symmetric routing requirement will be violated, since C1 will receive return traffic for a stateful connection on an interface OTHER than the one it is expecting to receive it on.

Any thoughts?

Thank you

Victor

Correct Answer
Jon Marshall Wed, 03/19/2008 - 13:41

Hi Victor

I think the key is that the traffic does not come back in on a different interface than the one it went out on or more specifically

it may go out and back in on a different L2 interface but it is definitely going out and back in on the same L3 interface, i.e. the server vlan interface, and since state is really tied to IP address/TCP flags then the statefulness is not broken.

If L2 interfaces could maintain state, and we would need to define state in this case because I'm not sure what it could be, then yes traffic would go out on the server port and back in on the L2 trunk port connecting C1 & C2.

Note I'm assuming a L2 trunk between C1 & C2 as I can't see how else it would work.

Edit - I'm also assuming the LDAP client is on a different subnet.

Edit again - sorry Victor !

C2 will not rewrite the destination mac-address because it does not route the packet to C1 so there is no mac-address rewrite, it simply switches it across the trunk.

HTH

Jon

lamav Wed, 03/19/2008 - 15:58

Jon:

A couple of things...

First, I made a mistake in my scenario. I said that C1 would forward the LDAP client's request directly to the real server, and then I said that the real server has its active NIC facing C2. That's where I went wrong. C1 would forward the traffic to C2, not the server directly, precisely because of the fact that the active NIC faces C2, not C1. I was having an Alzheimer's moment.

So, if the server's active NIC faces the HSRP secondary, it still won't be asymmetric routing because the traffic came from C2 to begin with.

The mistake I made was in saying that C1 will send the traffic directly to the server -- it won't. It will go through the L2 cross trunk to C2, and then to the server.

Second, it is good to discuss that particular point of forwarding theory in general regarding the re-write. I did think of what you said, but then I said to myself "why wouldn't C2 do a SOURCE MAC re-write? It is forwarding the L2 frame, so I would think it would have to rewrite the source MAC to match its outgoing interface."

And then the other part of me said (I'm schizophrenic, I know -- LOL), "but maybe since the traffic is staying within the vlan, and C2 knows it has to forward only and not process the packet because it's not the HSRP primary, that it MAY just forward and not do a source MAC re-write."

What do you think now that I told you what my self-talk was?

And you're right, the LDAP client is on a separate VLAN.

Victor

Jon Marshall Wed, 03/19/2008 - 16:03

"it won't. It will go through the L2 cross trunk to C2 and then to the server"

Yes, good point and I missed that one too.

C2 will only do SOURCE MAC re-write if it is routing the traffic off that vlan, in which case the source mac becomes the layer 3 interface that the traffic exits. Within the same vlan it just leaves the mac-addresses alone.

Must get busy in your head at times :-)

Jon
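The forwarding behaviour described in the posts above, as an added Python model that is not part of the original thread. All MAC and IP addresses, VLAN numbers and function names are constructed for illustration, and the state check keys on L3 interface and IP pair as the answer describes.

```python
from dataclasses import dataclass, replace

# Constructed addresses and names; none of these values come from the thread.
VMAC, C1_BIA, C2_BIA = "00:00:0c:07:ac:0a", "02:00:00:00:c1:00", "02:00:00:00:c2:00"
SERVER_MAC, CLIENT_MAC = "02:00:00:00:00:50", "02:00:00:00:00:99"
SERVER_IP, CLIENT_IP = "10.0.10.50", "10.0.20.99"

@dataclass(frozen=True)
class Frame:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    vlan: int
    ttl: int = 64

def forward(frame, owned_macs, egress_mac=None, next_hop_mac=None, egress_vlan=None):
    """One hop through an L3 switch. Returns (action, frame_out)."""
    if frame.dst_mac not in owned_macs:
        # Not addressed to this switch: bridge inside the VLAN, header untouched.
        return "switched", frame
    # Addressed to a MAC this switch owns: route, building a new L2 header.
    return "routed", replace(frame, src_mac=egress_mac, dst_mac=next_hop_mac,
                             vlan=egress_vlan, ttl=frame.ttl - 1)

def l3_ingress(physical_port, frame):
    """The L3 interface is the SVI of the frame's VLAN, whatever port it arrived on."""
    return f"Vlan{frame.vlan}"

def server_reply_path():
    """Reply from a server whose active NIC faces C2, to a client on another VLAN."""
    reply = Frame(SERVER_MAC, VMAC, SERVER_IP, CLIENT_IP, vlan=10)
    # C2 is HSRP standby, so it owns only its burned-in address, not the vMAC.
    c2_action, on_trunk = forward(reply, {C2_BIA})
    # C1 is HSRP active: it owns the vMAC and routes toward the client VLAN.
    ingress = l3_ingress("trunk-to-C2", on_trunk)
    c1_action, to_client = forward(on_trunk, {VMAC, C1_BIA}, C1_BIA, CLIENT_MAC, 20)
    return c2_action, on_trunk, ingress, c1_action, to_client

def state_matches(session, ingress_if, frame):
    """Stateful check keyed on L3 interface and IP pair, not on the physical port."""
    return session == (ingress_if, frame.src_ip, frame.dst_ip)
```
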

lamav Wed, 03/19/2008 - 16:07

LOL, OK, Jon. Awesome.

By the way, I added a footnote to my original post: the LDAP client IS on another vlan.

By the way, have you ever configured IOS-based SLB? If so, my understanding is that you CANNOT have asymmetric routing, so you CANNOT use GLBP as the redundant gateway protocol because GLBP uses asymmetric routing by design, since it allows any router within a group to forward traffic -- somewhat unpredictably, too, I might add.

So, to me, HSRP should be configured, and the same switch (say, C1 from this example) must be the HSRP primary for ALL the vlans that need to communicate with the load balanced vlan.

Yes?

[EDIT] I say you cannot have asymmetric routing with SLB because it is stateful and expects to see the return traffic coming from a particular interface.

VL

Jon Marshall Wed, 03/19/2008 - 16:15

Victor

Never used SLB unfortunately, only load balancing modules on 6500 switches.

Unless SLB is stateful between the chassis, then I can see how asymmetric routing would be a problem. Not had huge amount of experience with GLBP to be honest although I understand the principle so think I may play with it in the lab.

Sorry I can't be more help on this one.

Jon

lamav Wed, 03/19/2008 - 16:30

Jon:

As always, thank you very much. I appreciate your time.

Unfortunately, I can't help but think that I upset someone on here or said something "wrong" because I noticed that all my questions go completely ignored by all those I used to communicate with daily...

It's happened 3 times in a row...

You're basically the only one who tries to help me when I need it...sigh...LOL c'est la vie, mon ami.

I may have to create a new username and disguise myself...will probably use some broken English in my posts to really throw them off. LOLOL

Victor

Jon Marshall Wed, 03/19/2008 - 16:39

Victor

No problem, any time.

I wouldn't take it personally at all. I saw your question on SLB yesterday but the problem was I have no real knowledge or experience with it so couldn't really add anything helpful.

And with your level of knowledge/experience your questions can be quite challenging. Hopefully you'll continue in the forums, wouldn't be the same without you :-)

Edit (yes again !) - thanks for the ratings, appreciate it.

Jon

lamav Wed, 03/19/2008 - 16:45

Thanks, Jon.

I hope you're right because, on a serious note, I would hate to have lost the expertise of some of the people on here as a resource for future reference.

You're more than welcome on the ratings. You more than deserve them. You've helped me out a lot.

Thanks

Victor
