This post discusses how an OSPF neighbour can be connected to a VSX pair and how VSX active forwarding resolves suboptimal forwarding.
Topology:
OSPF Related Config:

6300F Switch Config:
vlan 41-42
interface 1/1/25
    no shutdown
    mtu 9198
    no routing
    vlan trunk native 1
    vlan trunk allowed 41
    spanning-tree bpdu-filter
interface 1/1/26
    no shutdown
    mtu 9198
    no routing
    vlan trunk native 1
    vlan trunk allowed 42
    spanning-tree bpdu-filter
interface vlan 41
    ip address 10.5.41.4/24
    ip ospf 1 area 0.0.0.0
interface vlan 42
    ip address 10.5.42.4/24
    ip ospf 1 area 0.0.0.0
interface loopback 0
    ip address 10.5.0.4/32
    ip ospf 1 area 0.0.0.0
router ospf 1
    router-id 10.5.0.4
    area 0.0.0.0

Agg1 Config:
vlan 41
interface 1/1/1
    no shutdown
    mtu 9198
    description sw1-6300
    no routing
    vlan trunk native 1
    vlan trunk allowed 41
interface vlan 41
    ip address 10.5.41.2/24
    ip ospf 1 area 0.0.0.0
interface loopback 0
    ip address 10.5.0.2/32
    ip ospf 1 area 0.0.0.0
router ospf 1
    router-id 10.5.0.2
    area 0.0.0.0

Agg2 Config:
vlan 42
interface 1/1/1
    no shutdown
    mtu 9198
    description sw1-6300
    no routing
    vlan trunk native 1
    vlan trunk allowed 42
interface vlan 42
    ip address 10.5.42.3/24
    ip ospf 1 area 0.0.0.0
interface loopback 0
    ip address 10.5.0.3/32
    ip ospf 1 area 0.0.0.0
router ospf 1
    router-id 10.5.0.3
    area 0.0.0.0

Verifying OSPF Neighbour:
- one VLAN interface on a Layer2 LAG to the combined VSX system.
Since every VRF would require a unique VLAN and subnet for each port, VSX also supports connecting OSPF peers over a Layer2 LAG with multiple VLAN interfaces. This reduces the number of VLAN interfaces that are required.
The administrator should note that instead of point-to-point connections, the transit network becomes an OSPF broadcast network with 3 routers on the subnet: VSX primary, VSX secondary and the peer router.
OSPF Related Config:

Controller Config:
vlan 40
interface gigabitethernet 0/0/16
    description "toagg1"
    trusted
    trusted vlan 1-4094
    no poe
    lacp group 5 mode active
    lldp transmit
    lldp receive
!
interface gigabitethernet 0/0/17
    description "toagg2"
    trusted
    trusted vlan 1-4094
    no poe
    lacp group 5 mode active
    lldp transmit
    lldp receive
!
interface port-channel 5
    trusted
    trusted vlan 1-4094
    switchport mode trunk
    switchport trunk allowed vlan 1,11,40
!
interface vlan 40
    ip address 10.5.40.6 255.255.255.0
    ip ospf area 0.0.0.0
!
router ospf
router ospf area 0.0.0.0

Agg1 Config:
vlan 40
interface lag 5 multi-chassis
    no shutdown
    no routing
    vlan trunk native 1
    vlan trunk allowed 1,11,40
    lacp mode active
    spanning-tree root-guard
interface 1/1/5
    no shutdown
    mtu 9198
    lag 5
interface vlan 40
    vsx active-forwarding
    ip address 10.5.40.2/24
    ip ospf 1 area 0.0.0.0
interface loopback 0
    ip address 10.5.0.2/32
    ip ospf 1 area 0.0.0.0
router ospf 1
    router-id 10.5.0.2
    area 0.0.0.0

Agg2 Config:
vlan 40
interface lag 5 multi-chassis
    no shutdown
    no routing
    vlan trunk native 1
    vlan trunk allowed 1,11,40
    lacp mode active
    spanning-tree root-guard
interface 1/1/5
    no shutdown
    mtu 9198
    lag 5
interface vlan 40
    vsx active-forwarding
    ip address 10.5.40.3/24
    ip ospf 1 area 0.0.0.0
interface loopback 0
    ip address 10.5.0.3/32
    ip ospf 1 area 0.0.0.0
router ospf 1
    router-id 10.5.0.3
    area 0.0.0.0

Verifying OSPF Neighbour:
Understanding the need for Active Forwarding:
Note:
- ICMP redirect is enabled by default.
- VSX Active forwarding is disabled by default.
Two VSX systems (Primary and Secondary) should have the same routing table information.
We use an even and an odd source IP (Lo0 - 10.5.0.4 and 10.5.0.7) to force a difference in hashing. Because of the LAG hash, some traffic destined to the VSX primary may be sent to the VSX secondary.
If you ping from source to destination and see the ping packets on both Agg1 and Agg2, the traffic is being redirected to the other VSX node. The destination MAC of the ICMP packet will not match one of the two switches (Agg1, Agg2), so that switch forwards the traffic over the ISL. VSX active forwarding resolves this suboptimal forwarding.
Disable ICMP redirect and enable active forwarding. Once active forwarding is enabled locally on both Agg1 and Agg2, the MAC and IP of the neighbour system are learnt and programmed in the ASIC for local routing.
no ip icmp redirect
interface vlanX
    vsx active-forwarding
Now if you ping from both the even and odd source IP addresses, you will find that the traffic is routed locally by each aggregation switch (only for the SVI where active forwarding was enabled). The destination MAC address of the ICMP packet will still be the other switch's MAC address, but the packet is now handled by the local switch.
------------------------------
Kapildev Erampu
PreSales Consultant
Aruba, a Hewlett Packard Enterprise company
Sydney, Australia.
Any opinions expressed here are solely my own and not necessarily that of HPE
------------------------------
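
The following Python check is an added example, not part of the original post and not Aruba tooling: it audits an indented AOS-CX running-config for the two settings described above, "vsx active-forwarding" on every OSPF-enabled SVI whose VLAN is carried on a multi-chassis LAG, and the global "no ip icmp redirect". The function names and the sample configs are constructed for illustration, and it assumes sub-commands are indented under their parent line as in "show running-config" output.

```python
import re

# Constructed samples modelled on the Agg1 LAG 5 / VLAN 40 config: BEFORE has the defaults, AFTER has both changes.
BEFORE = """\
interface lag 5 multi-chassis
    vlan trunk allowed 1,11,40
interface vlan 40
    ip address 10.5.40.2/24
    ip ospf 1 area 0.0.0.0
"""
AFTER = "no ip icmp redirect\n" + BEFORE + "    vsx active-forwarding\n"

def parse_sections(config):
    """Map each unindented line to the list of indented sub-commands below it."""
    sections, current = {}, None
    for raw in config.splitlines():
        if raw.strip() in ("", "!"):
            continue
        if raw[0].isspace() and current is not None:
            sections[current].append(raw.strip())
        else:
            current = raw.strip()
            sections.setdefault(current, [])
    return sections

def expand_vlans(spec):
    """Expand '1,11,40' or '41-42' into a set of VLAN ids."""
    spans = (p.partition("-") for p in spec.split(","))
    return {v for lo, _, hi in spans for v in range(int(lo), int(hi or lo) + 1)}

def audit(config):
    """Return findings for OSPF-enabled SVIs whose VLAN rides a VSX multi-chassis LAG."""
    sections = parse_sections(config)
    lag_vlans, findings, uses_af = set(), [], False
    for name, cmds in sections.items():
        if re.fullmatch(r"interface lag \d+ multi-chassis", name):
            for c in cmds:
                if c.startswith("vlan trunk allowed "):
                    lag_vlans |= expand_vlans(c.split()[-1])
    for name, cmds in sections.items():
        m = re.fullmatch(r"interface vlan ?(\d+)", name)
        if m and int(m.group(1)) in lag_vlans:
            has_af = "vsx active-forwarding" in cmds
            uses_af |= has_af
            if not has_af and any(c.startswith("ip ospf ") for c in cmds):
                findings.append(f"{name}: missing vsx active-forwarding")
    if uses_af and "no ip icmp redirect" not in sections:
        findings.append("global: missing 'no ip icmp redirect'")
    return findings
```

Run audit() against the saved running-config of each VSX node separately, since active forwarding has to be enabled locally on both Agg1 and Agg2.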