- Basics of vPC : Virtual Port Channel (vPC)- Part 1
- vPC Inconsistency and Control Plane: vPC – Part II
- vPC Failure Scenarios : vPC – Part III
- vPC with HSRP
- vPC Design Variations vPC Design Variations
Today our focus will on First Hop Redundancy Protocol (HSRP) and see how it behaves when configured in conjunction with vPC.
While writing this post, I am assuming that reader has a basic knowledge of HSRP and its functionality.
There are two versions of HSRP : v1 and v2. Differences between v1 and v2:
- Version 1 is the default version of HSRP and uses 220.127.116.11 multicast address to send hellos for peer discovery. Version 2 uses new IP multicast address 18.104.22.168 to send hello packets.
- In HSRP version 1, group numbers are restricted to the range from 0 to 255. HSRP version 2 expands the group number range from 0 to 4095
- HSRP version 2 provides improved management and troubleshooting. With HSRP version 1, you cannot use HSRP active hello messages to identify which physical device sent the message because the source MAC address is the HSRP virtual MAC address. The HSRP version 2 packet format includes a 6-byte identifier field that is used to uniquely identify the sender of the message. Typically, this field is populated with the interface MAC address.
- HSRP version 2 permits an expanded group number range, 0 to 4095, and consequently uses a new MAC address range 0000.0C9F.F000 to 0000.0C9F.FFFF.
- V1 only supports text authentication with cisco password. With v2, MD5 authentication support was also included.
- V1 and v2 packet format are different from each other. Both are not compatible, so both ends need to have same version configured.
In a normal scenario, HSRP works in Active/Standby fashion. Only one device behaves as Active and is responsible for all control and data plane traffic processing. The Standby router will take over the Active role in case of failure.
So what is the difference in behavior when HSRP is configured on the vPC peers. As we know vPC peers adopts Active/Standby role for Control Plane and Active/Active role for Data Plane traffic.
Same is the case with HSRP when configured with vPC.
As explained earlier, any traffic sent to the Nexus switch itself is known as Control Plane Traffic. For example, ARP requests. Only Active HSRP switch is responsible for replying to ARP requests with Virtual MAC address.
Both the HSRP vPC peers are responsible for forwarding the data traffic. The end host can use any of the link in port channel based on hashing algorithm to send the traffic. It doesn’t matter which link it use as both the switches are able to forward the traffic for the HSRP virtual MAC. Hence, not using the vPC peer link for unnecessary flooding.
No additional configuration is required to make HSRP as Active/Active, this is done by default for HSRP with vPC.
In traditional non-VPC case, only active HSRP switch will act as Gateway (G flag) for HSRP MAC in the MAC table. However with vPC, both the switches will set G flag for the HSRP MAC, hence enabling them to forward the traffic.
As explained in previous blog about the “peer-gateway” feature, the same is applicable here as well. Some applications may consider the Source ethernet mac address of the frame to be response to the ARP request instead of the Actual Source MAC in the ARP reply field. So peer-gateway is required to be configured on both devices so that they can reply to the packet destined for peer’s BIA address.
It is always recommended to have one switch as vPC primary and HSRP Active device.
Now, lets take a look at the configuration and Verification.
- Enable HSRP with “feature hsrp” command
- Configured HSRP on the SVI interface and assign virtual HSRP IP address from the same subnet.
- The device with highest priority takes the Active role and in case of tie, the device with highest IP address wins the election.
- Below is the PCAP for HSRPv2 Hello packet which shows that the packet is destined to MCAST address 22.214.171.124
- In case of failover, Standby router takes over the Active role. Once the Active comes backup, it does not preempt until unless “preempt” command is not configured under HSRP.
- Server-1 and Server-2 will have default gateway configured as HSRP virtual IP address.
- MAC table on both the vPC peers indicate HSRP vMAC as gateway.