Cisco ACE blades: Virtual MAC addresses on both pairs are the same

I have 4 ACE blades, i.e. two pairs of ACEs, both running in high availability mode or fault tolerance mode. I've got shared-vlan-hostid set to different pools on both. However, it wasn't set initially, and the Admin context administrative alias IPs, as well as user contexts alias IPs, are still using the same Virtual MAC addresses on both pairs.

ACE pair 1: 00.0b.fc.fe.1b.01

ACE pair 2: 00.0b.fc.fe.1b.01

Rebooting, removing the alias and re-adding it, removing a context: nothing seems to prevent the MAC address collisions.

Version: system: Version A3(2.2) [build 3.0(0)A3(2.2) adbuild_20:56:50-2009/04/03_/auto/adbu-rel2/rel_a3_2_2_throttle/REL_3_0_0_A3_2_2]

As I am new to this, can you please tell me what I am missing?

3 Accepted Solutions

ciscocsoc
Level 4

Hi,

This is related to the way the ACE picks one of the 16 MAC-address pools (based on chassis id). This is explained in the ACE Routing and Bridging Configuration Guide Page 1-7+

"When contexts share a VLAN, the ACE assigns a different MAC address to the VLAN on each context. The MAC addresses reserved for shared VLANs are 0x001243dc6b00 to 0x001243dcaaff, inclusive. All ACE modules derive these addresses from a global pool of 16,000 MAC addresses. This pool is divided into 16 banks, each containing 1024 addresses. Each subnet can have 16 ACEs.

Each ACE supports 1024 shared VLANs, and uses only one bank of MAC addresses out of the pool. A shared MAC address is associated with a shared VLAN interface.

By default, the bank of MAC addresses that the ACE uses is randomly selected at boot time. However, if you configure two ACE modules in the same Layer 2 network and they are using shared VLANs, the ACEs may select the same address bank, which results in the use of the same MAC addresses. To avoid this conflict, you must configure the bank that the ACEs will use.

To configure a specific bank of MAC addresses for a local ACE or a peer ACE (in a redundant configuration), use the shared-vlan-hostid or the peer shared-vlan-hostid command, respectively, in configuration mode in the Admin context. The syntaxes of these commands are as follows:

shared-vlan-hostid number

peer shared-vlan-hostid number

The number argument indicates the bank of MAC addresses that the ACE uses. Enter a number from 1 to 16. Be sure to configure different bank numbers for multiple ACEs. For example, to configure bank 2 of MAC addresses for the local ACE and bank 3 for a peer ACE, enter:

host1/Admin(config)# shared-vlan-hostid 2

host1/Admin(config)# peer shared-vlan-hostid 3

To remove the configured bank of MAC addresses and allow the ACE to randomly select a bank, use the no shared-vlan-hostid command. For example, enter:

host1/Admin(config)# no shared-vlan-hostid

To remove the configured bank of MAC addresses from a peer ACE and allow it to randomly select a bank, use the no peer shared-vlan-hostid command. For example, enter:

host1/Admin(config)# no peer shared-vlan-hostid"

One consequence of this is that you can't have more than 16 ACE blades in one VLAN.

HTH

Cathy

sachinga.hcl
Level 4

Hi Smith,

One virtual MAC address (VMAC) is associated with each FT group. The format of the VMAC is: 00-0b-fc-fe-1b-groupID. Because a VMAC does not change upon a switchover, the client and server ARP tables do not require updating.

The ACE selects a VMAC from a pool of virtual MACs available to it.

You can specify the pool of MAC addresses that the local ACE and the peer ACE use by configuring the shared-vlan-hostid command and the peer shared-vlan-hostid command, respectively.

To avoid MAC address conflicts, be sure that the two pools are different on the two ACEs.

Each peer uses a VMAC that is dependent on the FT group number. If you are using multiple ACEs in the same chassis, be careful when using the same FT groups in more than one module.

To display the VMAC for an FT group, enter the following command:

ACE_module5/Admin# show interface internal iftable vlan100

vlan100

--------

ifid: 6

Context: 0

ifIndex: 16777316

physid: 100

rmode: 0 (unknown)

iftype: 0 (vlan)

bvi_bgid: 0

MTU: 1500

MAC: 00:18:b9:a6:91:15

VMAC: 00:00:00:00:00:00 <------- Virtual MAC Address

Flags: 0x8a000800 (valid, down, admin-down, Non-redundant, tracked)

ACL In: 0

ACL Out: 0

Route ID: 0

FTgroupID: 0

Zone ID: 6

Sec Level: 0

L2 ACL: bpdu DENY, ipv6 DENY, mpls DENY, all DENY

LastChange: 0 (Thu Jan 1 00:00:00 1970)

iflookup index: 100

vlan-vmac index:0

Next Shared IF: 0

Lock: Unlocked, seq 5

Lock errors: 0

Unlock errors: 0

No. of times locked: 5

No. of times unlocked: 5

Current/last owner: 0x40a7fc

Check the FT group configuration on both devices. Make sure that both devices are associated with the same context. Enter the following command:

ACE_module5/Admin# show running-config ft

Also verify the FT peer status and configuration by entering the following command:

ACE_module5/Admin# show ft peer detail

Peer Id : 1

State : FSM_PEER_STATE_COMPATIBLE

Maintenance mode : MAINT_MODE_OFF

FT Vlan : 100

FT Vlan IF State : DOWN

My IP Addr : 10.1.1.1

Peer IP Addr : 10.1.1.2

Query Vlan : 110

Query Vlan IF State : DOWN

Peer Query IP Addr : 172.25.91.202

Heartbeat Interval : 300

Heartbeat Count : 20

Tx Packets : 318573

Tx Bytes : 66301061

Rx Packets : 318540

Rx Bytes : 66272840

Rx Error Bytes : 0

Tx Keepalive Packets : 318480

Rx Keepalive Packets : 318480

TL_CLOSE count : 0

FT_VLAN_DOWN count : 0

PEER_DOWN count : 0

SRG Compatibility : COMPATIBLE

License Compatibility : COMPATIBLE

FT Groups : 3

....contd 2

page 2...

Verify the FT group status and configuration by entering the following command:

ACE_module5/Admin# show ft group detail

FT Group : 1

No. of Contexts : 1

Configured Status : in-service

Maintenance mode : MAINT_MODE_OFF

My State : FSM_FT_STATE_ACTIVE

My Config Priority : 110

My Net Priority : 110

My Preempt : Enabled

Peer State : FSM_FT_STATE_STANDBY

Peer Config Priority : 100

Peer Net Priority : 100

Peer Preempt : Enabled

Peer Id : 1

Last State Change time : Thu Apr 2 00:00:00 2009

Running cfg sync enabled : Enabled

Running cfg sync status : Running configuration sync has completed

Startup cfg sync enabled : Enabled

Startup cfg sync status : Running configuration sync has completed

Bulk sync done for ARP: 0

Bulk sync done for LB: 0

Bulk sync done for ICM: 0

Kind regards,

Kindly Rate.

sachin garg

5 Replies

Gilles Dufour
Cisco Employee

The virtual MAC is always 00.0b.fc.fe.1b.XX where XX is the FT group id.

So you have to use a different group id on each pair.

G.
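
A way to confirm the collision described in this reply before renumbering FT groups, as an added example that is not part of the original thread: it parses `show interface internal iftable` output (the field layout posted earlier in the thread) captured from one member of each FT pair and reports every VLAN where two different pairs present the same VMAC. The pair names and the sample captures are constructed, and it assumes both pairs sit in the same Layer 2 network.

```python
import re
from collections import defaultdict

NULL_VMAC = "00:00:00:00:00:00"  # shown when the interface has no FT group
MAC_RE = re.compile(r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}")

def parse_iftable(text):
    """Parse iftable output into {vlan_name: {field: value}}."""
    table, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if re.fullmatch(r"vlan\d+", line):        # section header, e.g. "vlan100"
            current = table.setdefault(line, {})
        elif current is not None and ":" in line:
            key, _, value = line.partition(":")   # split on the first colon only
            current[key.strip()] = value.strip()
    return table

def find_vmac_collisions(captures):
    """captures: {ft_pair_name: iftable text from one member of that pair}.
    Returns {(vlan, vmac): [pair names]} where different pairs share a VMAC."""
    seen = defaultdict(set)
    for pair, text in captures.items():
        for vlan, fields in parse_iftable(text).items():
            m = MAC_RE.match(fields.get("VMAC", "").lower())  # ignores trailing notes
            if m and m.group(0) != NULL_VMAC:
                seen[(vlan, m.group(0))].add(pair)
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}

# Constructed captures (not real device output), trimmed to the relevant fields.
SAMPLE = {
    "ace-pair-1": "vlan100\n--------\nMAC: 00:18:b9:a6:91:15\n"
                  "VMAC: 00:0b:fc:fe:1b:01\nFTgroupID: 1\n",
    "ace-pair-2": "vlan100\n--------\nMAC: 00:18:b9:a6:92:20\n"
                  "VMAC: 00:0b:fc:fe:1b:01\nFTgroupID: 1\n"
                  "vlan200\n--------\nVMAC: 00:00:00:00:00:00\nFTgroupID: 0\n",
}

if __name__ == "__main__":
    for (vlan, vmac), pairs in find_vmac_collisions(SAMPLE).items():
        print(f"{vlan}: VMAC {vmac} used by {', '.join(pairs)}; "
              "give each pair a different FT group id")
```
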

Hi Sachin,

Thanks for your detailed answer.

What I learned from the Cisco documentation was that the 1K pool of MAC addresses gets used for VMACs.

BTW Thanks

RobertS
