Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
418
Views
0
Helpful
2
Replies

Query about HSRP, vPC and dual DC's

aacole
Level 5
Level 5

‎08-15-2013 01:35 AM - edited ‎03-07-2019 02:56 PM

I have a situation with 2 seperate DC's that are to be interconnected via OTV to form a resilient pair supporting vmotion between DC's, DC-A and DC-B. Each DC has a pair of Nexus 7K's.

In this requirement I need HSRP in a particular vlan on DC-A to move to DC-B following a WAN failure in DC-A. So I plan to use HSRP with object tracking to monitor a WAN interface in DC-A to decrement the priority values in DC-A to become lower than those in DC-B when the tracked interface goes down. So far so good.

But, I now find that VPC is also used in both DC;s forwarding the server vlans, within each DC, not between the two. I know that VPC will forward traffic destined to an HSRP address regardless of the state of the HSRP priority.

My concern is that following a WAN failure in DC-A, HSRP priority moves to DC-B, but vPC in DC-A will still forward traffic, as it ignores the HSRP priority. I've seen this in DC's with a pair of  Nexus chassis, with 2 interfaces in the HSRP group.

I've never seen this in a dual DC set up with 4 interfaces in an HSRP group, is the HSRP/VPC interaction still the same?

I know about filtering the HSRP messages across the OTV, but this isnt appropriate in this situation, I cannot have servers in a particular vlan active on both sites due to liberal use of stateful firewalls, it has to be one or the other.                

Labels:
0 Helpful
2 Replies 2

Lei Tian
Cisco Employee
Cisco Employee

‎08-15-2013 04:26 AM

Hi,

When HSRP active moved to DC-B, the vPC pair in DC-A will no longer own the HSRP virtual MAC. It will forward through OTV link and route out from DC-B.

So, looks like there is WAN link and OTV link in each DC. Why cannot route through OTV link when WAN link fail in DC-A?

HTH,

Lei Tian

0 Helpful

aacole
Level 5
Level 5
In response to Lei Tian

‎08-15-2013 06:34 AM

Hi Lei,

Thanks for info, I will try and test this if I get an oppotunity.

Its an existing pair of seperate DC's that are to be made into a resilient pair. They already use NAT on outbound services, and stateful firewalls, so the egress and ingress traffic has to use the same WAN link, we need to avoid any asymetric paths. Not ideal, we wouldnt do it this way if it we were building a total new solution.

Makes life interesting though!

Regards,

Andy

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card