Is it possible to make a truly active\active L3 VRRP\HSRP configuration between two Nexus in a vPC

Tags: cisco-nexus, hsrp, port-channel, vpc, vrrp

I'm an admin that is used to working with older Cisco gear, the Catalyst 6500 and the like. This is my first time diving into the world of nxOS. I'm trying to create a truly active\active configuration with HSRP\VRRP at L3. As far as I'm aware HSRP\VRRP simply "floats" an IP. The scenario I want to avoid is this:

What I think will happen

The colored lines represent two different packets to two different destinations. Basically the way I see it is only one switch holds the floating IP (which is the default gateway of the server). That means all packets will work their way to the active switch as a routed hop and then work their way out. That unevenly taxes the active switch and its associated links.

What I would like to occur is that any switch, when it sees packets with a DST MAC of the floating IP, treats them as its own and forwards them. Basically both switches should float the IP. I'd like it to work like this:

What I want to happen

I'm not really concerned with the return traffic path so long as it makes it back.

Best Answer

You actually don't have to do anything. VPC paired Nexus work exactly as you want them to.

The prerequisite is that all systems involved (i.e. the servers) are attached to the Nexus over a VPC enabled port channel of that given Nexus pair.

https://community.cisco.com/t5/networking-documents/peer-gateway-feature-on-the-nexus-7000/ta-p/3113290

Please note: That post is actually about the vpc peer gateway feature, which you don't usually need in normal circumstances. But in its first section, it also explains forwarding under normal circumstances (which apply to your case):

Attempting to quote:

Topology

{Two N7k as VPC pair, with an MLAG attached device (or host), one north, one south}

South:

VLAN 10
Host B, IP 10.10.10.5, MAC 0000.0000.0010
HSRP10: IP 10.10.10.1, MAC 0000.0c07.ac0a
N7K1 SVI10: MAC 0024.986f.bac1
N7K2 SVI10: MAC 0024.986f.bac2

North:

VLAN 20 
Host A: IP 10.10.20.5, MAC 0000.0000.0020
HSRP20: IP 10.10.20.1, MAC 0000.0c07.ac14
N7K1 SVI20: MAC 0024.986f.bac1
N7K2 SVI20: MAC 0024.986f.bac2

In this scenario when HostA pings HostB the packet flow is as follows:

HostA Echo Request (pre-routing)

VLAN: 20
DMAC: 0000.0c07.ac14 (HSRP 20) 
SMAC: 0000.0000.0020
SrcIP: 10.10.20.5
DstIP: 10.10.10.5

Based upon port-channel load balancing it will hash to one of N7k1 or N7k2. For the purposes of this we will assume it hashes to N7k1. N7k1 will then route the frame. Here's the frame HostB will receive:

HostA Echo Request (post-routing)

VLAN: 10
DMAC: 0000.0000.0010
SMAC: 0024.986f.bac1
SrcIP: 10.10.20.5
DstIP: 10.10.10.5

HostB then responds with the following:

HostB Echo Reply (pre-routing)

VLAN: 10
DMAC: 0000.0c07.ac0a (HSRP 10)
SMAC: 0000.0000.0010
SrcIP: 10.10.10.5
DstIP: 10.10.20.5

Again this will be subject to hashing. For the purposes of this we will assume it hashes to N7k2. N7k2 will route the frame and the frame HostA receives will look like this:

HostB Echo Reply (post-routing)

VLAN: 20
DMAC: 0000.0000.0020 
SMAC: 0024.986f.bac2
SrcIP: 10.10.10.5
DstIP: 10.10.20.5

This is how it works with a properly behaving set of hosts and works as expected.

... and then the post goes on to explain the corner case where you'd need vpc peer gateway.

There's a corollary that comes out of the Nexus' default behavior: Under regular operating conditions, there should never be high traffic volume on the VPC peer link (in extenso: "workload traffic"). If there is, the admin may want to check the VPC pair for config inconsistencies or verify the state of links to downstream or upstream switches or hosts. Chances are that not all links are up.
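The forwarding the quoted walkthrough describes, modelled as an added Python example that is not from the question, the answer or the Cisco post: either vPC member routes a frame addressed to the HSRP vMAC, the host's port-channel hash (a constructed stand-in here) decides which member gets the frame, and the peer link is only crossed when the routing member's own link to the destination host is down, which is the check behind the answer's last paragraph. The MACs, IPs and VLANs are the ones quoted above; the `links_up` map, the hash function and the helper names are assumptions.

```python
from dataclasses import dataclass
from zlib import crc32

# Constructed model of the two-N7K vPC pair from the quoted walkthrough.
HSRP_VMAC = {10: "0000.0c07.ac0a", 20: "0000.0c07.ac14"}   # one vMAC per VLAN
SVI_MAC = {"N7K1": "0024.986f.bac1", "N7K2": "0024.986f.bac2"}
HOST_MAC = {"10.10.10.5": "0000.0000.0010", "10.10.20.5": "0000.0000.0020"}
MEMBERS = ("N7K1", "N7K2")

@dataclass(frozen=True)
class Frame:
    vlan: int
    dmac: str
    smac: str
    src_ip: str
    dst_ip: str

def vlan_of(ip):
    # Example-specific: subnets are 10.10.<vlan>.0/24, so octet 3 is the VLAN.
    return int(ip.split(".")[2])

def hash_member(frame, members_up):
    # Constructed stand-in for the host's port-channel load balancing (src/dst
    # IP hash); the real algorithm depends on the host NIC/OS bonding driver.
    key = f"{frame.src_ip}>{frame.dst_ip}".encode()
    return members_up[crc32(key) % len(members_up)]

def route(switch, frame, links_up):
    """Either vPC member routes a frame sent to an HSRP vMAC it hosts, no matter
    which peer is HSRP active. Returns (egress frame, crossed peer link)."""
    if frame.dmac != HSRP_VMAC.get(frame.vlan):
        raise ValueError("frame not addressed to the gateway vMAC")
    out = Frame(vlan=vlan_of(frame.dst_ip), dmac=HOST_MAC[frame.dst_ip],
                smac=SVI_MAC[switch], src_ip=frame.src_ip, dst_ip=frame.dst_ip)
    # Egress uses this switch's own vPC member link to the destination host;
    # only if that link is down must the frame cross the vPC peer link.
    return out, switch not in links_up[frame.dst_ip]

def forward(frame, links_up):
    """Host hashes onto one of its up vPC member links; that switch routes."""
    ingress = hash_member(frame, links_up[frame.src_ip])
    out, crossed_peer = route(ingress, frame, links_up)
    return ingress, out, crossed_peer

def gateway_frame(src_ip, dst_ip):
    """Constructed pre-routing frame: host sends to its default gateway vMAC."""
    vlan = vlan_of(src_ip)
    return Frame(vlan, HSRP_VMAC[vlan], HOST_MAC[src_ip], src_ip, dst_ip)

if __name__ == "__main__":
    all_up = {ip: MEMBERS for ip in HOST_MAC}
    print(forward(gateway_frame("10.10.20.5", "10.10.10.5"), all_up))
```

Run it with every link up and `crossed_peer` stays False for both directions of the ping; take one member's link to a host out of `links_up` and the frames that hash to that member are the ones that show up on the peer link.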
