  • 1.  Aruba-CX VRRP between VSX clusters

    Posted May 17, 2023 04:46 AM

    I am looking for a smart way to connect an HCI backend to two datacenters: primary and backup. There are two VSX pairs of 8325 in those DCs running BGP EVPN. Now I need to connect the HCI backend network, which consists of two pairs of Dell OS10 switches (in a VLT setup).

    There are two VLANs (1001, 1002) and two IP networks in the HCI network which have to have L3 connectivity to the witness site. My idea is to set up those VLANs with L3 SVIs on both Aruba clusters, configure VRRP between them and connect this to the Dell switches, preferably with LAGs. Is it even possible? And then how do I distribute the HCI networks over BGP in such a way that only the VRRP master will be announcing them?

    Here is a simplified diagram: 



  • 2.  RE: Aruba-CX VRRP between VSX clusters

    Posted May 17, 2023 05:36 AM

    Hi

    Why do you think only the VRRP master should inject the routes into the fabric network? This doesn't sound very meaningful to me. If you want a symmetric communication flow it's not the local VRRP master which is relevant but the "remote" VRRP master which is actively forwarding traffic towards the VXLAN fabric. The two VRRP masters may not necessarily be direct neighbors. Maybe I don't get the point here.

    I would avoid the use of VRRP on the Aruba side as this is active/passive, whereas ActiveGateway is active/active. What about using a routing protocol between the HCI network and your VXLAN fabric instead of static routes + VRRP/AG? With this you perhaps achieve the best results and/or control over the paths available.

    Regards, 
    Thomas




  • 3.  RE: Aruba-CX VRRP between VSX clusters

    Posted May 17, 2023 05:57 AM

    I do not need symmetric communication. The HCI network (VMware vSAN stretched cluster) needs L3 communication to the witness host from both VLANs, and the vCenter server and host management interfaces are in one of them. The Dell switches are L2 only. I can't create a VLAN on the Aruba switches, stretch it over both DCs and connect it to the HCI switches on both ends because it will create a loop. Currently I have a standard VMware cluster with only one connection in the primary DC, but I need to convert it to a stretched cluster, and this requires redundant connectivity to the witness host. The production/VM traffic goes through the links between the Aruba switches. I only need management access to the hosts in the HCI VLANs. Does it make more sense?




  • 4.  RE: Aruba-CX VRRP between VSX clusters

    Posted May 17, 2023 07:29 AM

    Okay, I think now I get your point. It's not that much about VRRP or ActiveGateway but more about the situation that you cannot connect a single L2 broadcast domain to multiple pairs of leafs while at the same time transporting the network through the VXLAN fabric using an L2VNI. This will create a loop.

    So if you cannot connect your HCI pod in a routed way, there is perhaps only the option to deploy a separate pair of VSX-clustered leaf switches which is stretched across DC borders. That was my solution in a similar case when I had to redundantly connect parts of the network to both DCs. Otherwise you would end up with either only a single path through one of the DCs or a loop.
    Theoretically you could disable the forwarding of the respective VLAN through the VXLAN fabric (e.g. do not add an L2VNI) and instead use the HCI backend as a path from DC1 to DC2. With that you then could configure either VRRP or AG to provide the L3 gateway. With that you don't have a loop but are still connected.





  • 5.  RE: Aruba-CX VRRP between VSX clusters

    Posted May 17, 2023 08:22 AM

    > Theoretically you could disable the forwarding of the respective VLAN through the VXLAN fabric (e.g. do not add a L2VNI) and instead use the HCI backend as a path from DC1 to DC2. With that you then could configure either VRRP or AG to provide the L3 gateway. With that you don't have a loop but still are connected. 

    This is exactly my idea, but as far as I know AG and VRRP are mutually exclusive? VRRP should work well through the HCI network, i.e. the DC1-CORE1 switch has SVIs in VLANs 1001 and 1002, which are local to DC2 as well; DC2-CORE1 also has them but with other IPs, so they will see each other and form a VRRP session. But then how do I publish the VLAN 1001 and 1002 networks in BGP from the VRRP master only? The IP interfaces will be UP on both switches but the VRRP VIP will be active only on one of them, so it will create asymmetric routing. I can add a route-map to make the path through the VRRP backup switch worse than through the primary, but it could create some other interesting problems.
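
    The following is an added illustration of the design discussed in the last two posts (VLANs 1001/1002 kept out of the VXLAN fabric, one SVI per core switch, VRRP across the Dell VLT path, and a route-map that makes the backup's BGP advertisement less attractive). It is not configuration from the thread or from Aruba; the VRF name, addresses, AS number, priorities and policy names are assumptions, only one member of each VSX pair is shown (matching DC1-CORE1 / DC2-CORE1 in the post), and the AOS-CX syntax should be verified against the release in use before applying it.

```text
! ---------- DC1-CORE1 (intended VRRP master) ----------
! Assumptions: VRF "HCI", 10.10.1.0/24 on VLAN 1001, 10.10.2.0/24 on VLAN 1002,
! iBGP AS 65001 inside the fabric. Nothing here is taken from the original post.
vlan 1001
vlan 1002
! Deliberately NO "vni <n> / vlan 1001|1002" mapping under "interface vxlan 1":
! without an L2VNI the fabric does not bridge these VLANs between the DCs,
! so the Dell VLT pairs are the only L2 path and no loop is formed.

interface vlan 1001
    vrf attach HCI
    ip address 10.10.1.2/24
    vrrp 1 address-family ipv4
        address 10.10.1.1 primary
        priority 200
        no shutdown

interface vlan 1002
    vrf attach HCI
    ip address 10.10.2.2/24
    vrrp 2 address-family ipv4
        address 10.10.2.1 primary
        priority 200
        no shutdown

! Only the HCI prefixes are redistributed; the master advertises them unmodified.
ip prefix-list HCI-NETS seq 10 permit 10.10.1.0/24
ip prefix-list HCI-NETS seq 20 permit 10.10.2.0/24

route-map HCI-CONNECTED permit seq 10
    match ip address prefix-list HCI-NETS

router bgp 65001
    vrf HCI
        address-family ipv4 unicast
            redistribute connected route-map HCI-CONNECTED

! ---------- DC2-CORE1 (intended VRRP backup) ----------
! Same VLANs and VRF, different interface IPs, lower VRRP priority. VRRP
! advertisements between the two cores travel over the Dell VLT switches.
vlan 1001
vlan 1002

interface vlan 1001
    vrf attach HCI
    ip address 10.10.1.3/24
    vrrp 1 address-family ipv4
        address 10.10.1.1 primary
        priority 100
        no shutdown

interface vlan 1002
    vrf attach HCI
    ip address 10.10.2.3/24
    vrrp 2 address-family ipv4
        address 10.10.2.1 primary
        priority 100
        no shutdown

ip prefix-list HCI-NETS seq 10 permit 10.10.1.0/24
ip prefix-list HCI-NETS seq 20 permit 10.10.2.0/24

! The backup advertises the same prefixes with a lower LOCAL_PREF (assumed
! iBGP fabric; with eBGP leaf-spine use "set as-path prepend" instead), so
! the fabric prefers the DC1 path while both SVIs are up.
route-map HCI-CONNECTED-BACKUP permit seq 10
    match ip address prefix-list HCI-NETS
    set local-preference 50

router bgp 65001
    vrf HCI
        address-family ipv4 unicast
            redistribute connected route-map HCI-CONNECTED-BACKUP
```

    Caveat a practitioner should note: the preference in this fragment is static, not tied to VRRP state. If DC1-CORE1 loses the VIP but its SVIs stay up, the fabric keeps sending traffic to DC1, which then has to cross the Dell VLT path to reach the new master; that is the asymmetry the post above describes, and this illustration does not solve it. Conversely, if the whole DC1 pair goes down its advertisements are withdrawn and the DC2 advertisement takes over, which is the failure case the design is meant to cover.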