Query about HSRP, vPC and dual DC's

I have a situation with 2 separate DC's that are to be interconnected via OTV to form a resilient pair supporting vMotion between DC's, DC-A and DC-B. Each DC has a pair of Nexus 7K's.

In this requirement I need HSRP in a particular vlan on DC-A to move to DC-B following a WAN failure in DC-A. So I plan to use HSRP with object tracking to monitor a WAN interface in DC-A to decrement the priority values in DC-A to become lower than those in DC-B when the tracked interface goes down. So far so good.

But, I now find that VPC is also used in both DC's forwarding the server vlans, within each DC, not between the two. I know that VPC will forward traffic destined to an HSRP address regardless of the state of the HSRP priority.

My concern is that following a WAN failure in DC-A, HSRP priority moves to DC-B, but vPC in DC-A will still forward traffic, as it ignores the HSRP priority. I've seen this in DC's with a pair of Nexus chassis, with 2 interfaces in the HSRP group.

I've never seen this in a dual DC set up with 4 interfaces in an HSRP group. Is the HSRP/VPC interaction still the same?

I know about filtering the HSRP messages across the OTV, but this isn't appropriate in this situation. I cannot have servers in a particular vlan active on both sites due to liberal use of stateful firewalls; it has to be one or the other.

2 REPLIES
Cisco Employee

Hi,

When HSRP active moves to DC-B, the vPC pair in DC-A will no longer own the HSRP virtual MAC. It will forward through the OTV link and route out from DC-B.

So, it looks like there is a WAN link and an OTV link in each DC. Why can't traffic route through the OTV link when the WAN link fails in DC-A?

HTH,

Lei Tian

Hi Lei,

Thanks for the info, I will try and test this if I get an opportunity.

It's an existing pair of separate DC's that are to be made into a resilient pair. They already use NAT on outbound services, and stateful firewalls, so the egress and ingress traffic has to use the same WAN link; we need to avoid any asymmetric paths. Not ideal, we wouldn't do it this way if we were building a totally new solution.

Makes life interesting though!

Regards,

Andy
