Do multiple HSRP groups and EIGRP cause asymmetric routing?

Answered Question
May 6th, 2009

Hi, I am looking to migrate our inter-VLAN routing off our WAN router onto our L3 core switches (collapsed core).

We have 2 core switches, and would be looking to load balance using MST/HSRP groups for each VLAN.

The design would be 2 core switches with 1 upstream router (eventually 2 upstream routers, but that's at least 6 months away).

I have a question based on the below in regards to asymmetric routing.

#CSW01
int vlan 55
 desc outside routing
 ip address 10.254.1.3 255.255.255.248
!
! HSRP active for VLAN 40 (priority 150); SVI address must be in the 10.4.1.0/24 subnet of the virtual IP
int vlan 40
 ip address 10.4.1.3 255.255.255.0
 standby 1 ip 10.4.1.1
 standby 1 priority 150
 standby 1 preempt
!
! HSRP standby for VLAN 60 (priority 100)
int vlan 60
 ip address 10.6.1.3 255.255.255.0
 standby 1 ip 10.6.1.1
 standby 1 priority 100
 standby 1 preempt
!
router eigrp 1
 network 10.6.1.0
 network 10.4.1.0
 network 10.254.1.0
 no auto
!

#CSW02
int vlan 55
 desc outside routing
 ip address 10.254.1.4 255.255.255.248
!
! HSRP standby for VLAN 40 (priority 100); SVI address must be in the 10.4.1.0/24 subnet of the virtual IP
int vlan 40
 ip address 10.4.1.4 255.255.255.0
 standby 1 ip 10.4.1.1
 standby 1 priority 100
 standby 1 preempt
!
! HSRP active for VLAN 60 (priority 150)
int vlan 60
 ip address 10.6.1.4 255.255.255.0
 standby 1 ip 10.6.1.1
 standby 1 priority 150
 standby 1 preempt
!
router eigrp 1
 network 10.6.1.0
 network 10.4.1.0
 network 10.254.1.0
 no auto
!

Based on this type of configuration, do the multiple-group HSRP and EIGRP cause an asymmetric routing issue, where incoming traffic directed to, say, VLAN4 may go through CSW01 but all the client traffic will return through CSW02 (the active HSRP router), thus creating an asymmetric routing issue? How do people overcome this issue?

Correct Answer by Giuseppe Larosa, Thu, 05/07/2009 - 04:39

Hello Vaughan,

If no firewalls are on the path between the two L3 switches and the edge router, asymmetric routing is not an issue.

Edit:

By the way, even if the HSRP active router and STP root bridge mismatch, this is not dramatic in a campus environment.

Hope to help

Giuseppe

Overall Rating: 5 (2 ratings)
Paolo Bevilacqua Wed, 05/06/2009 - 19:11

In a campus environment you need not worry about asymmetric routing as long as you do not have congestion somewhere (should never happen).

Anyway you should examine each node about the asymmetric decision and correct it as necessary.

vaughancahill Wed, 05/06/2009 - 19:22

But won't this cause issues for applications that require stateful flows, or our servers sitting in our DMZ behind stateful ASAs that our internal devices access?

Or is this mitigated because of the fact that the layer 2 source address is the same 0000.0c07.ac01 regardless of which CSW the traffic is traversing, so the asymmetric traffic is not an issue, as opposed to when it may pass through 2 separate devices that would have different source MAC addresses?

Sorry, does this make sense?

Joseph W. Doherty Thu, 05/07/2009 - 03:55

From a pure IP perspective, there's nothing truly wrong with asymmetric routing. Where it becomes an issue is when "something", besides the end hosts, "needs" to see a flow's in and out packets.

If you need to ensure symmetric routing, yet have redundancy, you work to ensure some/all flows follow the same path.

For instance, you have a potential unicast flooding issue on your two 6500s. Suppose traffic between VLANs 40 and 60. VLAN 40 packet goes to CSW01 where it's routed to VLAN 60. Return packet goes to CSW02 where it's routed to VLAN40. If your L2 topology is such that both CSW01 and CSW02 haven't seen routed destination MACs sourced on the other VLAN, they would L2 unicast flood.

vaughancahill Thu, 05/07/2009 - 04:38

Hi Joseph,

This clears things up a bit more, I can see the potential for the unicast flooding.

I believe that if I have each CSW as both active HSRP group and STP bridge for that VLAN, I would avoid this issue because traffic would have to traverse the L2 link between the CSWs to each VLAN, because STP would be blocking the non-active HSRP VLAN, and thus traffic would have to traverse the L2 link, so both CSWs would see either their respective HSRP clients' MAC addresses via locally connected interfaces to downstream switches, or the non-active HSRP clients' MAC addresses over the trunk and then via the other CSW.

Thus my unicast flooding issue is reduced marginally? Please correct me if I'm wrong ;)

I was just curious to how people deal with these potential issues.

Thanks for your response, and I have realised that I meant to post this to the LAN/Switching forum, not WAN, so thanks for your replies.

Joseph W. Doherty Thu, 05/07/2009 - 04:51

Yes, what STP is doing, with regard to your L2 topology, can help make or break the issue I described. If traffic flows through both core switches such that each knows where all the LAN hosts are, they won't flood. Of course, if traffic flows across both core switches, it negates the "advantage" of spreading the load with HSRP settings and likely will load up your core cross switch link. (Besides L2, ensuring one switch was the primary for all gateways would be another approach.)

"I was just curious to how people deal with these potential issues."

Well, do "what if", and consider the impact. Determine if asymmetrical flows can be avoided, if necessary (if they will be a problem). For instance, you can adjust routing metrics to direct traffic to a particular path.

ex-engineer Thu, 05/07/2009 - 05:06

Hello, Joseph:

May I ask you to explain this further? I'm confused by this statement.

"If your L2 topology is such that both CSW01 and CSW02 haven't seen routed destination MACs sourced on the other VLAN, they would L2 unicast flood."

Thanks

ex-engineer Thu, 05/07/2009 - 08:28

Thanks, Joseph. I read the scenario, but I must admit, I still have a question.

I don't understand why this behavior is specific to asymmetric routing.

Let's say host A and B use switch 1 as the primary router for their VLANs, how will things be different?

Host A will PING host B. So, host A will ARP for its DG. When switch 1 gets the packet, it will ARP for host B. Host B will do the same as A...etc...I don't see how asymmetric routing is causing any issue.

HELP! :-)

Joseph W. Doherty Thu, 05/07/2009 - 11:59

It's not just the ARP cache, but the MAC table. On a single switch, assuming there's a two way traffic flow, the switch will continue to refresh its MAC table. On two different switches, both switches might not see all L2 packets. Remember, when you L3 hop, MAC changes.

You might need to walk through the references again, to understand the issue. (I recall first time I learned of unicast flooding, I had to take a couple of passes through the docs before I understood.)
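
The MAC-table behaviour described in the post above, as a small simulation added here (not code from the thread or from Cisco); it counts the routed frames each core switch has to flood to every port in the destination VLAN, where any attached host can read them. Assumptions: a 300-second MAC aging time and a 4-hour ARP timeout (the usual IOS defaults), constructed host MACs, and a hypothetical `l2_path_via_peer` switch for whether a host's frames cross the other core switch on the way to its gateway.

```python
# Added illustration, not from the thread. Timers are assumed common defaults.
MAC_AGING = 300       # seconds a MAC entry lives without being refreshed
ARP_TIMEOUT = 14400   # seconds an ARP entry lives (4 hours)
HOST_A, HOST_B = "aaaa.aaaa.0040", "bbbb.bbbb.0060"   # constructed MACs


class CoreSwitch:
    def __init__(self, name, aging):
        self.name, self.aging = name, aging
        self.mac_table = {}               # (vlan, mac) -> time last seen as source

    def learn(self, vlan, src_mac, now):
        self.mac_table[(vlan, src_mac)] = now

    def knows(self, vlan, mac, now):
        seen = self.mac_table.get((vlan, mac))
        return seen is not None and now - seen < self.aging


def simulate(l2_path_via_peer, aging=MAC_AGING, duration=1800, interval=10):
    """Return how many routed frames each core switch has to flood.

    Host A (VLAN 40) uses CSW01 as gateway, host B (VLAN 60) uses CSW02.
    l2_path_via_peer: True if a host's frames cross the other core switch
    at layer 2 on the way to its gateway (hypothetical topology switch).
    """
    csw01, csw02 = CoreSwitch("CSW01", aging), CoreSwitch("CSW02", aging)
    # t=0: ARP replies teach each switch the MAC of the host it routes *to*.
    csw01.learn(60, HOST_B, 0)
    csw02.learn(40, HOST_A, 0)
    flooded = {"CSW01": 0, "CSW02": 0}
    for now in range(interval, duration + 1, interval):
        # A -> B: A's frame reaches CSW01, which routes it into VLAN 60.
        csw01.learn(40, HOST_A, now)
        if l2_path_via_peer:
            csw02.learn(40, HOST_A, now)
        if not csw01.knows(60, HOST_B, now):
            flooded["CSW01"] += 1
        # B -> A: B's reply reaches CSW02, which routes it into VLAN 40.
        csw02.learn(60, HOST_B, now)
        if l2_path_via_peer:
            csw01.learn(60, HOST_B, now)
        if not csw02.knows(40, HOST_A, now):
            flooded["CSW02"] += 1
    return flooded


if __name__ == "__main__":
    print("separate L2 paths :", simulate(False))
    print("paths cross peer  :", simulate(True))
    print("aging = ARP timer :", simulate(False, aging=ARP_TIMEOUT))
```
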
