And as a virtual machine can be located in DC A or DC B, we cannot have a static path between the client and the server. If we consider the diagram below, we are facing a tromboning issue when a user on site B tries to reach a VM located in DC B.
The traffic follows the path:
client in site B -> router in DC B -> VM (VLAN directly connected) -> gateway in DC A -> router in DC B -> client in site B
However, the optimal path is:
client in site B -> router in DC B -> VM (VLAN directly connected) -> gateway in DC B -> router in DC B -> client in site B
To get this path, we need two active HSRP routers on the same VLAN, one in each DC.
This is obtained by filtering the HSRP hellos between the sites on the port-channel that interconnects them.
It can easily be done with the following PACL:
ip access-list extended HSRP-FILTER
 ! HSRPv1 hellos: UDP 1985 to 224.0.0.2
 10 deny udp any 224.0.0.2 0.0.0.0 eq 1985
 ! HSRPv2 hellos: UDP 1985 to 224.0.0.102
 20 deny udp any 224.0.0.102 0.0.0.0 eq 1985
 ! everything else still crosses the DCI
 30 permit ip any any
!
interface port-channel 10
 ! apply the ACL as a port ACL (PACL) on the DCI port-channel
 access-group mode prefer port
 ip access-group HSRP-FILTER in
However, both routers now own the same virtual IP address, so duplicate IP address log messages will be generated.
On a Nexus, we can stop these logs with the command below on the bvi:
no ip arp gratuitous hsrp duplicate
In my case, I was using Catalyst switches to interconnect my DCs. Gratuitous ARPs were the source of my problem! These messages are sent by the routers to announce their IP address and its associated MAC. To filter these messages, and all ARP coming from the HSRP routers of the other site, you can use a PACL.
Since the HSRP virtual MAC address has a well-known format, this ACL filters every ARP message whose source MAC is an HSRP (v1 or v2) virtual MAC:
mac access-list extended FILTER-ARP-HSRP
 ! HSRPv1 virtual MAC 0000.0c07.acXX, XX = group number (0-255)
 deny 0000.0c07.ac00 0000.0000.00ff any
 ! HSRPv2 virtual MAC 0000.0c9f.fXXX, XXX = group number (0-4095)
 deny 0000.0c9f.f000 0000.0000.0fff any
 ! any other source MAC (servers, VMs) is left alone
 permit any any
!
interface port-channel 10
 mac access-group FILTER-ARP-HSRP in
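To check that the wildcard masks in this MAC ACL cover exactly the HSRP v1 and v2 virtual MAC ranges and nothing else, here is a small matcher that evaluates the entries the way IOS does (an added example, not part of the original post; the FILTER_ARP_HSRP table, hsrp_vmac helper and sample MACs are constructed for illustration):

```python
# Added example (not from the original post): evaluate the FILTER-ARP-HSRP
# entries against candidate source MACs offline, before applying the PACL.

def parse_mac(mac: str) -> int:
    """Convert a Cisco dotted MAC such as 0000.0c07.ac0a to an integer."""
    return int(mac.replace(".", "").replace(":", "").replace("-", ""), 16)

# (action, source address, wildcard mask); 'any' matches every MAC.
# Same entries as the MAC ACL above, evaluated top-down.
FILTER_ARP_HSRP = [
    ("deny", "0000.0c07.ac00", "0000.0000.00ff"),   # HSRPv1 vMAC, group in last byte
    ("deny", "0000.0c9f.f000", "0000.0000.0fff"),   # HSRPv2 vMAC, group in last 12 bits
    ("permit", "any", "any"),
]

def mac_matches(mac: str, address: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a set bit in the mask means 'don't care'."""
    if address == "any":
        return True
    care = ~parse_mac(wildcard) & 0xFFFFFFFFFFFF
    return (parse_mac(mac) & care) == (parse_mac(address) & care)

def acl_action(mac: str, acl=FILTER_ARP_HSRP) -> str:
    """Action of the first matching entry; IOS has an implicit deny at the end."""
    for action, address, wildcard in acl:
        if mac_matches(mac, address, wildcard):
            return action
    return "deny"

def hsrp_vmac(version: int, group: int) -> str:
    """Well-known HSRP virtual MAC: v1 0000.0c07.acXX, v2 0000.0c9f.fXXX."""
    if version == 1 and 0 <= group <= 255:
        value = 0x00000C07AC00 | group
    elif version == 2 and 0 <= group <= 4095:
        value = 0x00000C9FF000 | group
    else:
        raise ValueError("group out of range for this HSRP version")
    h = f"{value:012x}"
    return f"{h[0:4]}.{h[4:8]}.{h[8:12]}"

if __name__ == "__main__":
    # Constructed samples: two HSRP gateways, a non-HSRP Cisco MAC, a VM NIC.
    for mac in (hsrp_vmac(1, 10), hsrp_vmac(2, 4095), "0000.0c9f.e000", "0050.56ab.cdef"):
        print(f"{mac} -> {acl_action(mac)}")
```

The non-HSRP Cisco MAC 0000.0c9f.e000 is permitted, which confirms the v2 mask only spans 0000.0c9f.f000 to 0000.0c9f.ffff.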