Re: [c-nsp] Quick question on HSRP...
When you move to ipv6 :)

Jey S.
Network Engineer
CCIE #41608

Sent from my iPhone

On 2 Jan 2014, at 18:17, Blake Dunlap iki...@gmail.com wrote:

> I'm still waiting for the day that HSRP can use pure L2 addresses to
> communicate and not burn 3 ips...
>
> On Wed, Jan 1, 2014 at 5:38 AM, Gert Doering g...@greenie.muc.de wrote:
>
>> Hi,
>>
>> On Tue, Dec 31, 2013 at 07:54:10PM +, Phil Mayers wrote:
>>> On 31/12/2013 19:40, Gert Doering wrote:
>>>> On Tue, Dec 31, 2013 at 03:59:18PM +, Phil Mayers wrote:
>>>>> (Note that changing the HSRP version does not have this property; the
>>>>> old vMAC will be removed from the FDB, and the box won't forward
>>>>> traffic destined to it)
>>>>
>>>> Could someone remind me why I have to change HSRP to v2 to be able to
>>>
>>> Not sure about that - maybe some fixed-size field in the HSRPv1 packet?
>>> Been a while since I looked at it in a sniffer.
>>
>> Having a different packet format for IPv6 makes sense, as, uh, it's not
>> IPv4 anyway :-) - but forcing me to move our IPv4 HSRP groups to v2
>> (which incurs a reachability hit) to be able to enable *different* HSRP
>> groups for IPv6 later on is just so slightly annoying.
>>
>> [..]
>>> HSRP has a lot of weird edge cases on Cisco gear. IIRC a lot of them
>>> relate to the size of the CPU MAC-address receive filter, and other
>>> tedious crap that wouldn't matter if they moved off CPUs from last
>>> millennium.
>>
>> True. Plus programmers that have never worked with a real network, where
>> things actually *evolve* over time...
>>
>> [..]
>>> In fairness to Cisco, other vendors have blind spots. Juniper makes you
>>> type a truly tedious amount of config to get VRRP working, though at
>>> least commit scripts can automate that out of existence.
>>
>> True, that one was done by someone who never had to do a router setup as
>> well, I bet.
>>
>> gert
>> --
>> USENET is *not* the non-clickable part of WWW!
>> // www.muc.de/~gert/
>> Gert Doering - Munich, Germany g...@greenie.muc.de
>> fax: +49-89-35655025 g...@net.informatik.tu-muenchen.de

___
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] Quick question on HSRP...
On 02/01/14 17:48, Blake Dunlap wrote:
> I'm still waiting for the day that HSRP can use pure L2 addresses to
> communicate and not burn 3 ips...

Yeah, that's not ideal. But why not wish for an option to remove the connected route on the standby while you're at it ;o)
Re: [c-nsp] Quick question on HSRP...
There wouldn't be a connected route if it's just L2 communication as the other side wouldn't have an L3 address unless it was active.

On Thu, Jan 2, 2014 at 11:54 AM, Phil Mayers p.may...@imperial.ac.uk wrote:

> On 02/01/14 17:48, Blake Dunlap wrote:
>> I'm still waiting for the day that HSRP can use pure L2 addresses to
>> communicate and not burn 3 ips...
>
> Yeah, that's not ideal. But why not wish for an option to remove the
> connected route on the standby while you're at it ;o)
Re: [c-nsp] Quick question on HSRP...
I'm still waiting for the day that HSRP can use pure L2 addresses to communicate and not burn 3 ips...

On Wed, Jan 1, 2014 at 5:38 AM, Gert Doering g...@greenie.muc.de wrote:

> Hi,
>
> On Tue, Dec 31, 2013 at 07:54:10PM +, Phil Mayers wrote:
>> On 31/12/2013 19:40, Gert Doering wrote:
>>> On Tue, Dec 31, 2013 at 03:59:18PM +, Phil Mayers wrote:
>>>> (Note that changing the HSRP version does not have this property; the
>>>> old vMAC will be removed from the FDB, and the box won't forward
>>>> traffic destined to it)
>>>
>>> Could someone remind me why I have to change HSRP to v2 to be able to
>>
>> Not sure about that - maybe some fixed-size field in the HSRPv1 packet?
>> Been a while since I looked at it in a sniffer.
>
> Having a different packet format for IPv6 makes sense, as, uh, it's not
> IPv4 anyway :-) - but forcing me to move our IPv4 HSRP groups to v2
> (which incurs a reachability hit) to be able to enable *different* HSRP
> groups for IPv6 later on is just so slightly annoying.
>
> [..]
>> HSRP has a lot of weird edge cases on Cisco gear. IIRC a lot of them
>> relate to the size of the CPU MAC-address receive filter, and other
>> tedious crap that wouldn't matter if they moved off CPUs from last
>> millennium.
>
> True. Plus programmers that have never worked with a real network, where
> things actually *evolve* over time...
>
> [..]
>> In fairness to Cisco, other vendors have blind spots. Juniper makes you
>> type a truly tedious amount of config to get VRRP working, though at
>> least commit scripts can automate that out of existence.
>
> True, that one was done by someone who never had to do a router setup as
> well, I bet.
>
> gert
> --
> USENET is *not* the non-clickable part of WWW!
> // www.muc.de/~gert/
> Gert Doering - Munich, Germany g...@greenie.muc.de
> fax: +49-89-35655025 g...@net.informatik.tu-muenchen.de
Re: [c-nsp] Quick question on HSRP...
Hi,

On Thu, Jan 02, 2014 at 11:48:53AM -0600, Blake Dunlap wrote:
> I'm still waiting for the day that HSRP can use pure L2 addresses to
> communicate and not burn 3 ips...

Yeah. Or deactivate the standby interface, ip-routing wise, so you can ensure symmetric traffic (which helps ensure that all switches in the path see forward and reverse traffic, thus avoiding flooding).

But yeah, Christmas is over :-)

gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025 g...@net.informatik.tu-muenchen.de
Re: [c-nsp] Quick question on HSRP...
Hi,

On Tue, Dec 31, 2013 at 07:54:10PM +, Phil Mayers wrote:
> On 31/12/2013 19:40, Gert Doering wrote:
>> On Tue, Dec 31, 2013 at 03:59:18PM +, Phil Mayers wrote:
>>> (Note that changing the HSRP version does not have this property; the
>>> old vMAC will be removed from the FDB, and the box won't forward
>>> traffic destined to it)
>>
>> Could someone remind me why I have to change HSRP to v2 to be able to
>
> Not sure about that - maybe some fixed-size field in the HSRPv1 packet?
> Been a while since I looked at it in a sniffer.

Having a different packet format for IPv6 makes sense, as, uh, it's not IPv4 anyway :-) - but forcing me to move our IPv4 HSRP groups to v2 (which incurs a reachability hit) to be able to enable *different* HSRP groups for IPv6 later on is just so slightly annoying.

[..]
> HSRP has a lot of weird edge cases on Cisco gear. IIRC a lot of them
> relate to the size of the CPU MAC-address receive filter, and other
> tedious crap that wouldn't matter if they moved off CPUs from last
> millennium.

True. Plus programmers that have never worked with a real network, where things actually *evolve* over time...

[..]
> In fairness to Cisco, other vendors have blind spots. Juniper makes you
> type a truly tedious amount of config to get VRRP working, though at
> least commit scripts can automate that out of existence.

True, that one was done by someone who never had to do a router setup as well, I bet.

gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025 g...@net.informatik.tu-muenchen.de
Re: [c-nsp] Quick question on HSRP...
On 30/12/2013 23:27, Jeff Kell wrote:
> terribly disruptive. Not sure if we want to leave the HSRP in place
> (thinking yes) or remove it (and the old router) after the migration,
> but will cross that bridge when we get there.

If you plan on retaining it, remember you'll now be seeing HSRP packets on the wire continuously. Most times that doesn't matter, but in some cases e.g. wireless networks it can cause issues.

Generally though, we do HSRP everywhere, even in single-router cases. It's good future-proofing, and the presence of a predictable vMAC can be handy for some operational/monitoring concerns (every VLAN FDB should have this MAC in it).

> So just how disruptive will introducing HSRP really be?

As someone else has mentioned, IOS issues a gratuitous ARP for the new vMAC, but even if it didn't, the old interface MAC should remain unchanged and will still forward IP traffic sent to it. So introducing it should be non-disruptive, subject to a few caveats.

(Note that changing the HSRP version does not have this property; the old vMAC will be removed from the FDB, and the box won't forward traffic destined to it)

First, the default HSRP timers are 3/10 sec IIRC, so after pasting in the commands there will be a 10-second window when the gateway won't be responding to ARPs and the vMAC won't be installed. So I would put the commands in like this:

  standby 0 timers msec 100 350
  ip address <new>
  standby 0 ip <gw>

...to get a fast transition to Active, then either default or up the timers later (generally, very aggressive msec timers are a bit risky on IOS boxes, due to most CPUs being a bit weak).

Second, after introducing it, most hosts will have responded to the g-ARP, but some may not (very very rare in my experience), so you'll want to wait until they're all updated before moving the gateway, if you want them all to move together so you can remove the old router.

HTH - we've done this many hundreds of times, and if it's a comfort, it is almost always trouble-free; I can't recall having an HSRP-enable problem in the last few years.
Re: [c-nsp] Quick question on HSRP...
Hi,

On Tue, Dec 31, 2013 at 03:59:18PM +, Phil Mayers wrote:
> (Note that changing the HSRP version does not have this property; the
> old vMAC will be removed from the FDB, and the box won't forward
> traffic destined to it)

Could someone remind me why I have to change HSRP to v2 to be able to do HSRP for IPv6, only to be then *not* able to run HSRP v4 and v6 in the same group anyway?

Some of these developers really smoke the wrong stuff.

gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025 g...@net.informatik.tu-muenchen.de
Re: [c-nsp] Quick question on HSRP...
On 31/12/2013 19:40, Gert Doering wrote:
> Hi,
>
> On Tue, Dec 31, 2013 at 03:59:18PM +, Phil Mayers wrote:
>> (Note that changing the HSRP version does not have this property; the
>> old vMAC will be removed from the FDB, and the box won't forward
>> traffic destined to it)
>
> Could someone remind me why I have to change HSRP to v2 to be able to

Not sure about that - maybe some fixed-size field in the HSRPv1 packet? Been a while since I looked at it in a sniffer.

> do HSRP for IPv6, only to be then *not* able to run HSRP v4 and v6 in
> the same group anyway?

Yeah, that's a bit odd. After all, you can have HSRP secondary IPs; seems odd you couldn't tie the v4 & v6 together on one group. I do recall HSRPv2 uses different MAC ranges for the IPv4 and IPv6 vMACs.

HSRP has a lot of weird edge cases on Cisco gear. IIRC a lot of them relate to the size of the CPU MAC-address receive filter, and other tedious crap that wouldn't matter if they moved off CPUs from last millennium. But it's what we've got :o(

In fairness to Cisco, other vendors have blind spots. Juniper makes you type a truly tedious amount of config to get VRRP working, though at least commit scripts can automate that out of existence.
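Two points in Phil's replies above turn readily into an operational check: that every VLAN's FDB should carry the group's vMAC once HSRP is in place, and that HSRPv1 and HSRPv2 (IPv4 and IPv6) use different MAC ranges, so changing the version swaps the vMAC rather than keeping the old one forwarding. The Python below is an added example, not code from the thread or from Cisco. It derives the vMAC for a group from the Cisco-documented prefixes (HSRPv1 0000.0c07.acXX with groups 0-255; HSRPv2 IPv4 0000.0c9f.fXXX and HSRPv2 IPv6 0005.73a0.0XXX with groups 0-4095) and reports VLANs whose MAC table lacks the expected entry. The MAC-table text is a constructed sample laid out like IOS "show mac address-table", and the VLAN-to-group map is an assumed input a practitioner would take from their own design.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample in the layout of IOS "show mac address-table";
# not captured from a real device. VLAN 30 has no HSRP vMAC on purpose.
SAMPLE_MAC_TABLE = """\
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0000.0c07.ac0a    DYNAMIC     Gi1/0/48
  10    0050.56aa.bb01    DYNAMIC     Gi1/0/1
  20    0000.0c07.ac14    DYNAMIC     Gi1/0/48
  30    0050.56aa.bb03    DYNAMIC     Gi1/0/2
"""

# One table row: VLAN id, dotted-hex MAC, type, port. Header and rule
# lines do not start with a number and are skipped.
_ENTRY = re.compile(
    r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+\S+\s+(\S+)", re.I
)


def hsrp_vmac(group: int, version: int = 1, ipv6: bool = False) -> str:
    """Return the HSRP virtual MAC (Cisco dotted-hex) for a group.

    Prefixes are the Cisco-documented well-known ranges; the group number
    is the low 8 bits (v1) or low 12 bits (v2) of the address.
    """
    if version == 1:
        if ipv6:
            raise ValueError("HSRPv1 carries IPv4 groups only")
        if not 0 <= group <= 255:
            raise ValueError("HSRPv1 group must be in 0..255")
        return "0000.0c07.ac%02x" % group
    if version == 2:
        if not 0 <= group <= 4095:
            raise ValueError("HSRPv2 group must be in 0..4095")
        if ipv6:
            return "0005.73a0.0%03x" % group
        return "0000.0c9f.f%03x" % group
    raise ValueError("HSRP version must be 1 or 2")


def version_change(group: int) -> Tuple[str, str]:
    """Old and new IPv4 vMAC when a group is moved from HSRPv1 to HSRPv2.

    The two differ, which is why a version change is not the no-impact
    operation that first enabling HSRP is: the old vMAC leaves the FDB.
    """
    return hsrp_vmac(group, 1), hsrp_vmac(group, 2)


def parse_mac_table(text: str) -> Dict[int, Set[str]]:
    """Map VLAN id -> set of lower-case MACs seen in a MAC-table dump."""
    table: Dict[int, Set[str]] = {}
    for line in text.splitlines():
        m = _ENTRY.match(line)
        if m:
            table.setdefault(int(m.group(1)), set()).add(m.group(2).lower())
    return table


def missing_vmacs(text: str, expected: Dict[int, Tuple[int, int]]) -> List[int]:
    """VLANs whose MAC table lacks the vMAC of their expected HSRP group.

    `expected` maps VLAN id -> (group, version) for IPv4 groups; it is an
    assumed input describing the intended design.
    """
    table = parse_mac_table(text)
    return sorted(
        vlan
        for vlan, (group, version) in expected.items()
        if hsrp_vmac(group, version) not in table.get(vlan, set())
    )


if __name__ == "__main__":
    design = {10: (10, 1), 20: (20, 1), 30: (30, 1)}  # assumed VLAN -> (group, version)
    print("VLANs missing their HSRP vMAC:", missing_vmacs(SAMPLE_MAC_TABLE, design))
    print("group 10, v1 -> v2 vMAC change:", version_change(10))
```

Run against a real dump, the same check doubles as the monitoring hook Phil alludes to: a VLAN whose FDB has lost the vMAC is one where no router is currently Active for that group.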
[c-nsp] Quick question on HSRP...
Quick question for someone that's been there, done that, as I'm a bit rushed to try to lab test this...

We're adding some new routers (4500Xs) for an upgraded server farm arrangement with a number of server-side vlans / VRFs. The plan was to trunk it with the existing L3 router, and fire up HSRP (v2) across them to transition the L3 routing to the new router without being too terribly disruptive. Not sure if we want to leave the HSRP in place (thinking yes) or remove it (and the old router) after the migration, but will cross that bridge when we get there.

HSRP would place the current default gateway as the virtual IP, and I presume it will pick up a new MAC address. I'm concerned this will affect the active hosts with the ARP cached for their gateway. The MAC address would still be valid (should match the original gateway) but the traffic would be directed to the original (now virtual) IP, as opposed to the new physical gateway on the router.

So just how disruptive will introducing HSRP really be?

Jeff
Re: [c-nsp] Quick question on HSRP...
Hi Jeff,

My understanding is that you are basically going to replace the default gateway in a couple of vlans. (Same IP but different MAC.) Active HSRP router will issue gratuitous ARP (gARP) when it becomes Active so there should be little disruption for the hosts inside the vlan trying to reach the default gateway. If hosts ignore gARP then they will try to forward frames to the wrong destination MAC for as long as their ARP entry is valid. Servers usually have ARP timeout of a few seconds to a few minutes where routers can have timeout of 4 hours (like Cisco) or more.

HSRP is one thing. You still need to make sure the new routers know how to route packets the same way the old ones did.

Good luck,
JF

Jean-François Dubé
Technician, IP Network Operations
Network Engineering and Operations
Vidéotron

cisco-nsp cisco-nsp-boun...@puck.nether.net wrote on 2013-12-30 18:27:12:

From: Jeff Kell jeff-k...@utc.edu
To: cisco-nsp@puck.nether.net cisco-nsp@puck.nether.net,
Date: 2013-12-30 18:30
Subject: [c-nsp] Quick question on HSRP...
Sent by: cisco-nsp cisco-nsp-boun...@puck.nether.net

> Quick question for someone that's been there, done that, as I'm a bit
> rushed to try to lab test this...
>
> We're adding some new routers (4500Xs) for an upgraded server farm
> arrangement with a number of server-side vlans / VRFs. The plan was to
> trunk it with the existing L3 router, and fire up HSRP (v2) across them
> to transition the L3 routing to the new router without being too
> terribly disruptive. Not sure if we want to leave the HSRP in place
> (thinking yes) or remove it (and the old router) after the migration,
> but will cross that bridge when we get there.
>
> HSRP would place the current default gateway as the virtual IP, and I
> presume it will pick up a new MAC address. I'm concerned this will
> affect the active hosts with the ARP cached for their gateway. The MAC
> address would still be valid (should match the original gateway) but
> the traffic would be directed to the original (now virtual) IP, as
> opposed to the new physical gateway on the router.
>
> So just how disruptive will introducing HSRP really be?
>
> Jeff