Nexus 7000 - HSRP active standby issue

Thibault BRISSE
Level 1

Hello,

I am working on two Nexus 7010 with NX-OS version 5.1.5. I configured HSRP traditionally, Nexus 1 with a priority of 200 and Nexus 2 with a priority of 100 for all VLANs.

When I change the priority of a VLAN from 200 to 50, for example, Nexus 2 becomes active and Nexus 1 standby. The problem is that when I do a traceroute from a PC, the packets take Nexus 1 as the default gateway all the time.....

For information I have a peer link between the 2 Nexus for vPC.

Do you have any idea?

Thank you in advance.

Thibault

9 Replies

rsimoni
Cisco Employee

Hi Thibault,

are you aware of an important modification on NX-OS regarding HSRP?

On Nexus switches, the HSRP standby switch for a given VLAN is also able to L3 switch packets even if it receives them at L2. So instead of L2 switching them to the active router (which would normally be done through the vPC peer-link), it routes them directly.

So when you perform a traceroute it is also important to know the path the packets take at layer 2. Most likely Nexus 2 is active as far as HSRP is concerned, but the traffic at L2 reaches Nexus 1 first, which simply L3 switches it.

You can simply check the MAC address of your HSRP group (the vmac) and you will see the 'G' flag on it, indicating the ability to L3 switch traffic destined to that address, also on the standby HSRP switch.

This is needed to avoid packet drops when traffic arriving from the vPC peer-link is destined to a vPC port which is also active on the switch which sent it to the peer-link in the first place.

Note that this behavior is not true for the HSRP listening state.

regards,

Riccardo
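The 'G' flag check described in the reply above can be scripted. This is an added example, not part of the original thread and not Cisco code; the `show mac address-table` row layout, the sample output, the port names and HSRP group 10 are all assumptions constructed for illustration.

```python
import re

# Assumed row layout of NX-OS "show mac address-table":
# flags, VLAN, MAC, type, age, Secure, NTFY, ports
ROW = re.compile(r"^\s*([*G+]*)\s*(\S+)\s+((?:[0-9a-f]{4}\.){2}[0-9a-f]{4})"
                 r"\s+(\S+)\s+\S+\s+\S+\s+\S+\s+(.+?)\s*$", re.IGNORECASE)

# Constructed sample output (not captured from a real switch); group 10 is assumed.
HEADER = """Legend:
        * - primary entry, G - Gateway MAC, (R) - Routed MAC, O - Overlay MAC
   VLAN     MAC Address      Type      age     Secure NTFY Ports
---------+-----------------+--------+---------+------+----+------------------
"""
ACTIVE_PEER = HEADER + """G 10       0000.0c07.ac0a    static       -       F    F  sup-eth1(R)
* 10       0050.56aa.0001    dynamic      30      F    F  Po20
"""
STANDBY_PEER = HEADER + """G 10       0000.0c07.ac0a    static       -       F    F  vPC Peer-Link(R)
"""
# A switch that only learned the vMAC at L2 (no G flag), e.g. not a gateway.
L2_ONLY = HEADER + """* 10       0000.0c07.ac0a    dynamic      0       F    F  Po1
"""

def hsrp_vmac(group, version=1):
    """Well-known HSRP virtual MAC for a group number (v1 or v2)."""
    limit = 255 if version == 1 else 4095
    if not 0 <= group <= limit:
        raise ValueError("group out of range for HSRP version")
    return ("0000.0c07.ac%02x" if version == 1 else "0000.0c9f.f%03x") % group

def parse_mac_table(text):
    """Return one dict per MAC table row; legend and header lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            flags, vlan, mac, kind, ports = m.groups()
            rows.append({"gateway": "G" in flags.upper(), "vlan": vlan,
                         "mac": mac.lower(), "type": kind, "ports": ports})
    return rows

def routes_locally(text, vlan, group, version=1):
    """True if the HSRP vMAC for this VLAN carries the G (gateway) flag."""
    vmac = hsrp_vmac(group, version)
    return any(r["gateway"] and r["vlan"] == str(vlan) and r["mac"] == vmac
               for r in parse_mac_table(text))

if __name__ == "__main__":
    for name, out in [("active", ACTIVE_PEER), ("standby", STANDBY_PEER), ("l2-only", L2_ONLY)]:
        print(name, "routes vMAC locally:", routes_locally(out, 10, 10))
```

If both vPC peers report the G flag for the vMAC, the first hop seen in a traceroute depends on which peer the frame reaches at L2, not on the HSRP active/standby role.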

Hello Riccardo,

I am aware of the modification on NX-OS regarding HSRP. So if I have directly attached devices (single attachment) on Nexus 2 (standby), will the traceroute result show the Nexus 2 IP address all the time?

Regards,

Thibault

Hi Thibault,

yes. If at L2 traffic hits Nexus 2 first (or only in your scenario) it will be L3 switched (routed) by it as well. Hence on traceroute you will see Nexus 2 IP address as the traffic will not reach Nexus 1 at all.

regards,

Riccardo

Ok thank you very much

Thibault

you are welcome.

would you mind marking the question as answered please?

riccardo

Hello,

Sorry but how can I mark the question as answered :-)

Thank you,

Thibault

Hi Thibault,

please check this out:

https://supportforums.cisco.com/community/help#discussions_correct

thanks,

Riccardo

And if servers or switches are singly attached (orphan ports) on Nexus 1, can they ping the Nexus 2 IP (in the same VLAN as the servers or switches) via the vPC peer-link?

Thank you in advance.

Thibault

Hi Thibault,

yes they can as they will not fail the vpc check.

Riccardo
