05-06-2009 07:07 PM - edited 03-04-2019 04:40 AM
Hi, I am looking to migrate our inter-VLAN routing off our WAN router onto our L3 core switches (collapsed core).
We have 2 core switches, and would be looking to load balance using MST/HSRP groups for each VLAN.
The design would be 2 core switches with 1 upstream router (eventually 2 upstream routers, but that's at least 6 months away).
I have a question based on the below in regards to asymmetric routing.
#CSW01
int vlan 55
desc outside routing
ip address 10.254.1.3 255.255.255.248
!
int vlan 40
! SVI address must be in the same subnet as the HSRP virtual IP 10.4.1.1
ip address 10.4.1.3 255.255.255.0
standby 1 ip 10.4.1.1
standby 1 priority 150
standby 1 preempt
!
int vlan 60
ip address 10.6.1.3 255.255.255.0
standby 1 ip 10.6.1.1
standby 1 priority 100
standby 1 preempt
!
router eigrp 1
network 10.6.1.0
network 10.4.1.0
network 10.254.1.0
no auto
!
#CSW02
int vlan 55
desc outside routing
ip address 10.254.1.4 255.255.255.248
!
int vlan 40
! SVI address must be in the same subnet as the HSRP virtual IP 10.4.1.1
ip address 10.4.1.4 255.255.255.0
standby 1 ip 10.4.1.1
standby 1 priority 100
standby 1 preempt
!
int vlan 60
ip address 10.6.1.4 255.255.255.0
standby 1 ip 10.6.1.1
standby 1 priority 150
standby 1 preempt
!
router eigrp 1
network 10.6.1.0
network 10.4.1.0
network 10.254.1.0
no auto
!
Based on this type of configuration, does the multiple-group HSRP and EIGRP cause an asymmetric routing issue, where incoming traffic directed to, say, VLAN4 may go through CSW01 but all the client traffic will return through CSW02 (the active HSRP router), thus creating an asymmetric routing issue? How do people overcome this issue?
05-07-2009 04:39 AM
Hello Vaughan,
If no firewalls are on the path between the two L3 switches and the edge router, asymmetric routing is not an issue.
Edit:
By the way, even if the HSRP active router and the STP root bridge mismatch, this is not dramatic in a campus environment.
Hope to help
Giuseppe
05-06-2009 07:11 PM
In a campus environment you need not worry about asymmetric routing as long as you do not have congestion somewhere (should never happen).
Anyway, you should examine each node about the asymmetric decision and correct it as necessary.
05-06-2009 07:22 PM
But won't this cause issues for applications that require stateful flows, or for our servers sitting in our DMZ behind stateful ASAs that our internal devices access?
Or is this mitigated by the fact that the layer 2 source address is the same 0000.0c07.ac01 regardless of which CSW the traffic is traversing, so the asymmetric traffic is not an issue, as opposed to when it may pass through 2 separate devices that would have different source MAC addresses?
Sorry, does this make sense?
05-07-2009 03:55 AM
From a pure IP perspective, there's nothing truly wrong with asymmetric routing. Where it becomes an issue is when "something", besides the end hosts, "needs" to see a flow's in and out packets.
If you need to ensure symmetric routing, yet have redundancy, you work to ensure some/all flows follow the same path.
For instance, you have a potential unicast flooding issue on your two 6500s. Suppose traffic between VLANs 40 and 60. VLAN 40 packet goes to CSW01 where it's routed to VLAN 60. Return packet goes to CSW02 where it's routed to VLAN40. If your L2 topology is such that both CSW01 and CSW02 haven't seen routed destination MACs sourced on the other VLAN, they would L2 unicast flood.
05-07-2009 04:38 AM
Hi Joseph,
This clears things up a bit more, I can see the potential for the unicast flooding.
I believe that if I have each CSW as both active HSRP group and STP bridge for that VLAN, I would avoid this issue, because traffic would have to traverse the L2 link between the CSWs to each VLAN, because STP would be blocking the non-active HSRP VLAN, and thus traffic would have to traverse the L2 so both CSWs would see either their respective HSRP clients' MAC addresses via locally connected interfaces to downstream switches, or non-active HSRP clients' MAC addresses over the trunk and then via the other CSW.
Thus my unicast flooding issue is reduced marginally? Please correct me if I'm wrong ;)
I was just curious as to how people deal with these potential issues.
Thanks for your response. I have realised that I meant to post this to LAN/Switching, not WAN, so thanks for your replies.
05-07-2009 04:51 AM
Yes, what STP is doing, with regard to your L2 topology, can help make or break the issue I described. If traffic flows through both core switches such that each knows where all the LAN hosts are, they won't flood. Of course, if traffic flows across both core switches, it negates the "advantage" of spreading the load with HSRP settings and likely will load up your core cross-switch link. (Besides L2, ensuring one switch was the primary for all gateways would be another approach.)
"I was just curious to how people deal with these potential issues."
Well, do "what if", and consider the impact. Determine if asymmetric flows can be avoided, if necessary (if they will be a problem). For instance, you can adjust routing metrics to direct traffic to a particular path.
05-07-2009 05:06 AM
Hello, Joseph:
May I ask you to explain this further? I'm confused by this statement.
"If your L2 topology is such that both CSW01 and CSW02 haven't seen routed destination MACs sourced on the other VLAN, they would L2 unicast flood."
Thanks
05-07-2009 05:30 AM
05-07-2009 08:28 AM
Thanks, Joseph. I read the scenario, but I must admit, I still have a question.
I don't understand why this behavior is specific to asymmetric routing.
Let's say host A and B use switch 1 as the primary router for their VLANs; how will things be different?
Host A will PING host B. So, host A will ARP for its DG. When switch 1 gets the packet, it will ARP for host B. Host B will do the same as A...etc...I don't see how asymmetric routing is causing any issue.
HELP! :-)
05-07-2009 11:59 AM
It's not just the ARP cache, but the MAC table. On a single switch, assuming there's a two way traffic flow, the switch will continue to refresh its MAC table. On two different switches, both switches might not see all L2 packets. Remember, when you L3 hop, MAC changes.
You might need to walk through the references again to understand the issue. (I recall the first time I learned of unicast flooding, I had to take a couple of passes through the docs before I understood.)
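The MAC-table versus ARP-cache point above can be shown with a small simulation. This is an added example, not part of the original thread. It assumes each core switch only sees frames addressed to its own HSRP gateway, a 300-second MAC aging time and a 4-hour ARP timeout; the host MACs and the `simulate` helper are constructed for illustration.

```python
from collections import namedtuple

Host = namedtuple("Host", "mac vlan")

class CoreSwitch:
    def __init__(self, name, mac_aging, arp_timeout):
        self.name, self.mac_aging, self.arp_timeout = name, mac_aging, arp_timeout
        self.mac = {}     # (vlan, mac) -> last time seen as an L2 source
        self.arp = {}     # host mac -> time the ARP entry was last resolved
        self.flooded = 0  # routed packets sent as unknown-unicast floods

    def learn(self, vlan, mac, now):
        self.mac[(vlan, mac)] = now

    def route(self, src, dst, now):
        """Receive src's frame on its VLAN and forward it into dst's VLAN."""
        self.learn(src.vlan, src.mac, now)
        last = self.arp.get(dst.mac)
        if last is None or now - last >= self.arp_timeout:
            # ARP exchange: the reply is sourced by dst, so it also
            # refreshes the MAC table entry for dst on this switch.
            self.arp[dst.mac] = now
            self.learn(dst.vlan, dst.mac, now)
        seen = self.mac.get((dst.vlan, dst.mac))
        if seen is None or now - seen > self.mac_aging:
            # ARP still resolves the destination MAC, but no port is known.
            self.flooded += 1

def simulate(asymmetric, duration=3600, interval=10,
             mac_aging=300, arp_timeout=14400):
    a = Host("aaaa.aaaa.aaaa", 40)   # constructed sample hosts
    b = Host("bbbb.bbbb.bbbb", 60)
    csw01 = CoreSwitch("CSW01", mac_aging, arp_timeout)
    csw02 = CoreSwitch("CSW02", mac_aging, arp_timeout)
    # VLAN 40 gateway is always CSW01; VLAN 60 gateway depends on the design.
    gateway = {40: csw01, 60: csw02 if asymmetric else csw01}
    for t in range(0, duration, interval):
        gateway[a.vlan].route(a, b, t)   # A -> B enters via VLAN 40 gateway
        gateway[b.vlan].route(b, a, t)   # B -> A enters via VLAN 60 gateway
    return csw01.flooded, csw02.flooded

if __name__ == "__main__":
    print("single gateway :", simulate(asymmetric=False))
    print("split gateways :", simulate(asymmetric=True))
```

In this model, passing `mac_aging` equal to `arp_timeout` removes the flooding, because the ARP refresh relearns the destination MAC before its table entry ages out.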