Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

N7010 6.2(6a) vrf-lite route-leaking hsrp vip cant ping from active hsrp nexus

Hi Mam/Sirs,

 

We are having problem with route-leaking hsrp virtual ip from our nexus 7010 here is our configuration. We need to ping inter-vrf the active hsrp virtual ip please see below, your comments are greatly appreciated:

route-map DATACENTER-GLOBAL permit 10

route-map DATACENTER-INTERNAL permit 10

vrf context DATACENTER-GLOBAL
  rd 1:1
  address-family ipv4 unicast
    route-target import 3:3
    route-target export 1:1
vrf context DATACENTER-INTERNAL
  rd 3:3
  address-family ipv4 unicast
    route-target import 1:1
    route-target export 3:3

router bgp 1

  vrf DATACENTER-GLOBAL
    address-family ipv4 unicast
      redistribute direct route-map DATACENTER-GLOBAL
  vrf DATACENTER-INTERNAL
    address-family ipv4 unicast
      redistribute direct route-map DATACENTER-INTERNAL

interface Vlan501
  description {DATACENTER F5 Internal}
  no shutdown
  vrf member DATACENTER-INTERNAL
  ip address 10.101.1.13/29
  hsrp 105 
    preempt 
    ip 10.101.1.12

 

interface Vlan601
  description {DATACENTER F5 GLOBAL}
  no shutdown
  vrf member DATACENTER-GLOBAL
  ip address 10.101.1.2/29
  ip router ospf 10 area 0.0.0.0
  hsrp 106 
    preempt 
    ip 10.101.1.1

 

test failed:

 

as you see routes are imported via vrf-lite

Route Distinguisher: 1:1    (VRF DATACENTER-GLOBAL)
*>r10.101.1.0/29      0.0.0.0                  0        100      32768 ?
*>r10.101.1.8/29      0.0.0.0                  0        100      32768 ?
 

Route Distinguisher: 3:3    (VRF DATACENTER-INTERNAL)
*>r10.101.1.0/29      0.0.0.0                  0        100      32768 ?
*>r10.101.1.8/29      0.0.0.0                  0        100      32768 ?

But ping test are failing from vrf DATACENTER-GLOBAL to vlan 501 HSRP VIP & Physical (vrf DATACENTER-INTERNAL)

Mandaue-N7K-1-VDC3# ping 10.101.1.12 vrf DATACENTER-GLOBAL
PING 10.101.1.12 (10.101.1.12): 56 data bytes
Request 0 timed out
Request 1 timed out
Request 2 timed out
Request 3 timed out
Request 4 timed out

--- 10.101.1.12 ping statistics ---
5 packets transmitted, 0 packets received, 100.00% packet loss
Mandaue-N7K-1-VDC3# ping 10.101.1.13 vrf DATACENTER-GLOBAL
PING 10.101.1.13 (10.101.1.13): 56 data bytes
Request 0 timed out
Request 1 timed out
Request 2 timed out
Request 3 timed out
Request 4 timed out

but from active nexus hsrp 7010-1 if i ping the standby hsrp nexus 7010-2

Mandaue-N7K-1-VDC3# ping 10.101.1.14 vrf DATACENTER-GLOBAL
PING 10.101.1.14 (10.101.1.14): 56 data bytes
Request 0 timed out
64 bytes from 10.101.1.14: icmp_seq=1 ttl=254 time=1.389 ms
64 bytes from 10.101.1.14: icmp_seq=2 ttl=254 time=1.157 ms
64 bytes from 10.101.1.14: icmp_seq=3 ttl=254 time=1.199 ms
64 bytes from 10.101.1.14: icmp_seq=4 ttl=254 time=1.203 ms

--- 10.101.1.14 ping statistics ---
5 packets transmitted, 4 packets received, 20.00% packet loss
round-trip min/avg/max = 1.157/1.236/1.389 ms

 

 

 

:(

 

  • LAN Switching and Routing
Everyone's tags (1)
3 REPLIES
New Member

We're running 6.1(5) with a

We're running 6.1(5) with a very similar config and are seeing the same thing. 

Doing an ethanalyzer

ethanalyzer local interface inband capture-filter 'host 68.114.40.1'
Capturing on inband
2014-09-22 20:35:32.622720 00:00:0c:9f:f2:9a -> ff:ff:ff:ff:ff:ff ARP Gratuitous ARP for 68.114.40.1 (Request)
2014-09-22 20:35:34.849954 00:00:0c:9f:f2:9a -> ff:ff:ff:ff:ff:ff ARP Gratuitous ARP for 68.114.40.1 (Request)
2014-09-22 20:35:36.992414 00:00:0c:9f:f2:9a -> ff:ff:ff:ff:ff:ff ARP Gratuitous ARP for 68.114.40.1 (Request)
2014-09-22 20:35:39.179997 00:00:0c:9f:f2:9a -> ff:ff:ff:ff:ff:ff ARP Gratuitous ARP for 68.114.40.1 (Request)
2014-09-22 20:35:41.299952 00:00:0c:9f:f2:9a -> ff:ff:ff:ff:ff:ff ARP Gratuitous ARP for 68.114.40.1 (Request)

 

So the Nexus is GARP'ing but my suspicion is this is the result of the inter-vrf interfaces not sharing a layer 2 domain.

 

 

New Member

Hi, I'm running 6.2, I've

Hi, I'm running 6.2, I've just configured this and faced the same problem. Has anyone solved it?

New Member

Hi Vitor,

Hi Vitor, Had an answer with cisco tac as this feature is not fully supported on nexus our client decided not to use vrf lite on the nexus. instead just use another subinterface on the uplink using the bypass vrf to implement bypass (keep shut and just no shut and enable routing when needing to bypass the firewall)
202
Views
0
Helpful
3
Replies