Wired Intelligent Edge

Hi

    I'm wondering how Aruba vsx treats the scenario in which the devices such as NAS server or load balancer is connected to both VSX members with a LAG. In Cisco NEXUS VPC, the command "vpc peer-gateway" is used to resolve the problem. Otherwise, NEXUS1 discards the return packet received on peer-link from NEXUS2 which is originated from the NAS or load-balancer. NAS/load balancer doesn't use the virtual MAC, only the "physical" MAC of NEXUS1 or 2. I can't find anything in Aruba related to it. 

    Thanks. 

I'm not fully aware of how the "vpc peer-gateway" command works. However, if I'm correct, when this is configured the switch will source the routed packets from the virtual MAC instead of the system MAC.

For VSX / Active Gateway we have the same kind of option. When traffic is routed or source from a SVI with Active Gateway configured the source MAC is the system MAC. It is not the Active Gateway virtual MAC. This is normally fine because system will use ARP to discover the gateway MAC. However, there are some devices like load balancer that will return traffic to the source MAC of the source. 

To override this behavior and set the virtual MAC as source MAC you can use the command "active-gateway l3-src-mac" within the SVI context. 

Hi

    I'm wondering how Aruba vsx treats the scenario in which the devices such as NAS server or load balancer is connected to both VSX members with a LAG. In Cisco NEXUS VPC, the command "vpc peer-gateway" is used to resolve the problem. Otherwise, NEXUS1 discards the return packet received on peer-link from NEXUS2 which is originated from the NAS or load-balancer. NAS/load balancer doesn't use the virtual MAC, only the "physical" MAC of NEXUS1 or 2. I can't find anything in Aruba related to it. 

    Thanks. 

Hi Willem

    I dug into it a bit more and your answer is exactly what I was looking for!!! Load balancer or NAS server only sees the MAC address it receives and replies to those MAC addresses instead of doing ARP for the "virtual" IP (HSRP/VRRP), the real gateway IP. If I get it right from your answer, WITHOUT this "l3-src-mac" enabled on vsx, vsx member send the traffic with NAS/Load balancer, the traffic should be labelled with VSX member "physical" MAC, just like what NEXUS VPC does. But after l3-src-mac feature is enabled, the source MAC becomes the virtual MAC.

I'm not fully aware of how the "vpc peer-gateway" command works. However, if I'm correct, when this is configured the switch will source the routed packets from the virtual MAC instead of the system MAC.

For VSX / Active Gateway we have the same kind of option. When traffic is routed or source from a SVI with Active Gateway configured the source MAC is the system MAC. It is not the Active Gateway virtual MAC. This is normally fine because system will use ARP to discover the gateway MAC. However, there are some devices like load balancer that will return traffic to the source MAC of the source. 

To override this behavior and set the virtual MAC as source MAC you can use the command "active-gateway l3-src-mac" within the SVI context. 

Hi

    I'm wondering how Aruba vsx treats the scenario in which the devices such as NAS server or load balancer is connected to both VSX members with a LAG. In Cisco NEXUS VPC, the command "vpc peer-gateway" is used to resolve the problem. Otherwise, NEXUS1 discards the return packet received on peer-link from NEXUS2 which is originated from the NAS or load-balancer. NAS/load balancer doesn't use the virtual MAC, only the "physical" MAC of NEXUS1 or 2. I can't find anything in Aruba related to it. 

    Thanks. 

Yes exactly. TBH, this active gateway feature is not exclusive for a VSX setup. But yes, the "l3-src-mac" will change the behavior and will help devices that will not use ARP to send responses. 

Hi Willem

    I dug into it a bit more and your answer is exactly what I was looking for!!! Load balancer or NAS server only sees the MAC address it receives and replies to those MAC addresses instead of doing ARP for the "virtual" IP (HSRP/VRRP), the real gateway IP. If I get it right from your answer, WITHOUT this "l3-src-mac" enabled on vsx, vsx member send the traffic with NAS/Load balancer, the traffic should be labelled with VSX member "physical" MAC, just like what NEXUS VPC does. But after l3-src-mac feature is enabled, the source MAC becomes the virtual MAC.

I'm not fully aware of how the "vpc peer-gateway" command works. However, if I'm correct, when this is configured the switch will source the routed packets from the virtual MAC instead of the system MAC.

For VSX / Active Gateway we have the same kind of option. When traffic is routed or source from a SVI with Active Gateway configured the source MAC is the system MAC. It is not the Active Gateway virtual MAC. This is normally fine because system will use ARP to discover the gateway MAC. However, there are some devices like load balancer that will return traffic to the source MAC of the source. 

To override this behavior and set the virtual MAC as source MAC you can use the command "active-gateway l3-src-mac" within the SVI context. 

Hi

    I'm wondering how Aruba vsx treats the scenario in which the devices such as NAS server or load balancer is connected to both VSX members with a LAG. In Cisco NEXUS VPC, the command "vpc peer-gateway" is used to resolve the problem. Otherwise, NEXUS1 discards the return packet received on peer-link from NEXUS2 which is originated from the NAS or load-balancer. NAS/load balancer doesn't use the virtual MAC, only the "physical" MAC of NEXUS1 or 2. I can't find anything in Aruba related to it. 

    Thanks. 

Hello Willem, a question (hope not to be too off-topic): considering a scenario where a VSX with Active Gateway configured without the "active-gateway l3-src-mac" option (thus no option within each SVI context), is running in production with peers connected through VSX (active) LAGs...what is going to happen to current communications if the "active-gateway l3-src-mac" option is suddenly enabled? should we expect to see VSX LAGs to briefly flicker (down->up)?

Original Message:
Sent: Mar 03, 2025 03:19 AM
From: willembargeman
Subject: Cisco's vpc peer-gateway in Aruba vsx

Yes exactly. TBH, this active gateway feature is not exclusive for a VSX setup. But yes, the "l3-src-mac" will change the behavior and will help devices that will not use ARP to send responses. 

------------------------------
Willem Bargeman
Systems Engineer Aruba
ACEX #125

Original Message:
Sent: Mar 02, 2025 03:57 PM
From: rice
Subject: Cisco's vpc peer-gateway in Aruba vsx

Hi Willem

    I dug into it a bit more and your answer is exactly what I was looking for!!! Load balancer or NAS server only sees the MAC address it receives and replies to those MAC addresses instead of doing ARP for the "virtual" IP (HSRP/VRRP), the real gateway IP. If I get it right from your answer, WITHOUT this "l3-src-mac" enabled on vsx, vsx member send the traffic with NAS/Load balancer, the traffic should be labelled with VSX member "physical" MAC, just like what NEXUS VPC does. But after l3-src-mac feature is enabled, the source MAC becomes the virtual MAC.

Original Message:
Sent: Feb 26, 2025 02:04 PM
From: Willem Bargeman
Subject: Cisco's vpc peer-gateway in Aruba vsx

I'm not fully aware of how the "vpc peer-gateway" command works. However, if I'm correct, when this is configured the switch will source the routed packets from the virtual MAC instead of the system MAC.

For VSX / Active Gateway we have the same kind of option. When traffic is routed or source from a SVI with Active Gateway configured the source MAC is the system MAC. It is not the Active Gateway virtual MAC. This is normally fine because system will use ARP to discover the gateway MAC. However, there are some devices like load balancer that will return traffic to the source MAC of the source. 

To override this behavior and set the virtual MAC as source MAC you can use the command "active-gateway l3-src-mac" within the SVI context. 

------------------------------
Willem Bargeman
Systems Engineer Aruba
ACEX #125

Original Message:
Sent: Feb 25, 2025 08:50 PM
From: rice
Subject: Cisco's vpc peer-gateway in Aruba vsx

Hi

    I'm wondering how Aruba vsx treats the scenario in which the devices such as NAS server or load balancer is connected to both VSX members with a LAG. In Cisco NEXUS VPC, the command "vpc peer-gateway" is used to resolve the problem. Otherwise, NEXUS1 discards the return packet received on peer-link from NEXUS2 which is originated from the NAS or load-balancer. NAS/load balancer doesn't use the virtual MAC, only the "physical" MAC of NEXUS1 or 2. I can't find anything in Aruba related to it. 

    Thanks. 

Yes exactly. TBH, this active gateway feature is not exclusive for a VSX setup. But yes, the "l3-src-mac" will change the behavior and will help devices that will not use ARP to send responses. 

Hi Willem

    I dug into it a bit more and your answer is exactly what I was looking for!!! Load balancer or NAS server only sees the MAC address it receives and replies to those MAC addresses instead of doing ARP for the "virtual" IP (HSRP/VRRP), the real gateway IP. If I get it right from your answer, WITHOUT this "l3-src-mac" enabled on vsx, vsx member send the traffic with NAS/Load balancer, the traffic should be labelled with VSX member "physical" MAC, just like what NEXUS VPC does. But after l3-src-mac feature is enabled, the source MAC becomes the virtual MAC.

I'm not fully aware of how the "vpc peer-gateway" command works. However, if I'm correct, when this is configured the switch will source the routed packets from the virtual MAC instead of the system MAC.

For VSX / Active Gateway we have the same kind of option. When traffic is routed or source from a SVI with Active Gateway configured the source MAC is the system MAC. It is not the Active Gateway virtual MAC. This is normally fine because system will use ARP to discover the gateway MAC. However, there are some devices like load balancer that will return traffic to the source MAC of the source. 

To override this behavior and set the virtual MAC as source MAC you can use the command "active-gateway l3-src-mac" within the SVI context. 

Hi

    I'm wondering how Aruba vsx treats the scenario in which the devices such as NAS server or load balancer is connected to both VSX members with a LAG. In Cisco NEXUS VPC, the command "vpc peer-gateway" is used to resolve the problem. Otherwise, NEXUS1 discards the return packet received on peer-link from NEXUS2 which is originated from the NAS or load-balancer. NAS/load balancer doesn't use the virtual MAC, only the "physical" MAC of NEXUS1 or 2. I can't find anything in Aruba related to it. 

    Thanks. 

Thanks for finding it out for me! I would say "l3-src-mac" should be a best practice to configure just like vpc peer-gateway is always advised to be configured on Cisco NEXUS. The trainer didn't even know this "l3-src-mac" configs during the course. 

All good, I'll close the topic. 

Appreciate it again! 

Yes exactly. TBH, this active gateway feature is not exclusive for a VSX setup. But yes, the "l3-src-mac" will change the behavior and will help devices that will not use ARP to send responses. 

Hi Willem

    I dug into it a bit more and your answer is exactly what I was looking for!!! Load balancer or NAS server only sees the MAC address it receives and replies to those MAC addresses instead of doing ARP for the "virtual" IP (HSRP/VRRP), the real gateway IP. If I get it right from your answer, WITHOUT this "l3-src-mac" enabled on vsx, vsx member send the traffic with NAS/Load balancer, the traffic should be labelled with VSX member "physical" MAC, just like what NEXUS VPC does. But after l3-src-mac feature is enabled, the source MAC becomes the virtual MAC.

I'm not fully aware of how the "vpc peer-gateway" command works. However, if I'm correct, when this is configured the switch will source the routed packets from the virtual MAC instead of the system MAC.

For VSX / Active Gateway we have the same kind of option. When traffic is routed or source from a SVI with Active Gateway configured the source MAC is the system MAC. It is not the Active Gateway virtual MAC. This is normally fine because system will use ARP to discover the gateway MAC. However, there are some devices like load balancer that will return traffic to the source MAC of the source. 

To override this behavior and set the virtual MAC as source MAC you can use the command "active-gateway l3-src-mac" within the SVI context. 

Hi

    I'm wondering how Aruba vsx treats the scenario in which the devices such as NAS server or load balancer is connected to both VSX members with a LAG. In Cisco NEXUS VPC, the command "vpc peer-gateway" is used to resolve the problem. Otherwise, NEXUS1 discards the return packet received on peer-link from NEXUS2 which is originated from the NAS or load-balancer. NAS/load balancer doesn't use the virtual MAC, only the "physical" MAC of NEXUS1 or 2. I can't find anything in Aruba related to it. 

    Thanks.