dragonflymr
May 20, 2015

VRRP/HSRP and auto last hop tuning - why necessary?

Hi,

I have to be missing something important here, as I cannot at all understand why the actions described in SOL9487: BIG-IP support for neighboring VRRP/HSRP routers are required.

My understanding of virtual router group behavior (for both VRRP/HSRP) is that this is Active/Passive, not Active/Active. What I mean is that at any given moment only one physical router is responsible for forwarding traffic to BIG-IP using the virtual MAC. So the traffic's last hop for BIG-IP is always equal to the virtual MAC of the router group.

It doesn't matter which physical router is master at a given time, it's still sending traffic from the virtual MAC that floated from the previous master. Moreover, the virtual router group (VRG) is for me a self-contained object - I mean for other devices it looks like a single device; external devices have no reason to find out what is going on inside the VRG, all they care about is whether the virtual MAC/IP are up and accepting traffic. VRP is responsible for detecting member failure and reacting appropriately (using the VRRP/HSRP protocol), so external devices should not care about monitoring members; as long as at least one member is up, the default gateway will be reachable and routing traffic - still using the same vMAC and vIP.

So after a long introduction, here is my question:

  1. Why should BIG-IP use separate monitors for each member of the VRG - why should BIG-IP care if a given physical router is up or down? For BIG-IP it should be important whether the vIP/MAC is up; providing redundancy is the task of the VRG itself.

  2. As far as I understand, when the VRG is receiving external traffic that should be routed to BIG-IP, it will always be sourced from the current master (as far as the physical router is concerned) using ALWAYS the vMAC as source MAC, so the physical router MAC will never be used for traffic directed to BIG-IP from the VRG - am I right or wrong here?

If so, why mess with creating a Last Hop Pool (LHP) or disabling Auto Last Hop (ALH)? For me ALH should work perfectly well: it will send returning traffic to the vMAC of the VRG, as it is always the source of traffic, no matter which physical router is active. Even if this is a different one than was sending the given packet to BIG-IP (because this physical router just failed and another was elected as master), it is still accepting returning traffic directed to the vMAC.

Considering LHP - for me this is necessary if we have a pool of routers that are NOT sharing a vMAC. So after failover the new router is using its own MAC as target for returning traffic (only the IP is floating). Then ALH will fail, as it will be trying to send traffic to the source MAC of the original incoming packet, but this MAC won't be available any more.

However, when LHP is set and ALH disabled, BIG-IP will be able to do a reselect and send traffic to the MAC of the new router that took over.

So if I am correct with the above, why mess with ALH and LHP as described in the mentioned SOL?

Again, I have to be missing something important but can't figure out what :-(

Piotr

2 Replies

  • Hi Piotr,

    Yes, your assumption 2 is not correct. HSRP, e.g., uses its physical router MAC as source, not the virtual MAC associated with the VIP. It gets even worse when using Cisco's vPC. In this case you will see all physical MACs as source, depending on which physical device forwards the packet. They behave like active/active for sending packets, regardless of which one is active for the group and owns the VIP.

    IMHO the default setting using auto last hop is kind of dangerous, as it is not compatible with HSRP, VRRP, ClusterXL, which are used in many environments. Why not just use the routing table, which will always forward return traffic to the VIP's MAC? It's not as smart but won't lead to problems where admins don't know the details about redundancy protocols...

    Cheers

    Alex

    • dragonflymr
      Hi, thanks a lot. Very valuable info. To be on the safe side I do disable global Auto Last Hop for installations where these technologies are involved. Piotr
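
The failure mode discussed in this thread, as an added example that is not part of any post: a simplified Python model in which a gateway pair sources frames from the physical MAC (as the reply describes for HSRP), the active router fails mid-connection, and the return frame is addressed either to the MAC learned on ingress (Auto Last Hop) or to the virtual MAC reached through the routing table. All MAC addresses, class names and function names are constructed for illustration and do not represent BIG-IP internals.

```python
from dataclasses import dataclass

# Constructed addresses for illustration only.
VMAC = "00:00:5e:00:01:01"        # virtual MAC shared by the router group
R1_MAC = "02:00:00:00:00:01"      # physical MAC of router 1
R2_MAC = "02:00:00:00:00:02"      # physical MAC of router 2

@dataclass
class RouterGroup:
    """Gateway pair that sources forwarded frames from the physical MAC,
    the HSRP behaviour described in the reply."""
    active: str
    alive: set

    def forward_src_mac(self):
        return self.active

    def accepts(self, dst_mac):
        # The active router takes frames for its own MAC and the virtual MAC.
        return self.active in self.alive and dst_mac in (self.active, VMAC)

    def fail_over(self, new_active):
        self.alive.discard(self.active)
        self.active = new_active

class ReturnPath:
    """Hypothetical model of return-path selection, not BIG-IP internals."""
    def __init__(self, auto_last_hop):
        self.auto_last_hop = auto_last_hop
        self.last_hop = {}   # connection id -> source MAC seen on ingress

    def ingress(self, conn, src_mac):
        if self.auto_last_hop:
            self.last_hop.setdefault(conn, src_mac)

    def egress_dst_mac(self, conn):
        # Auto Last Hop replies to the learned MAC; otherwise the route's
        # next hop (the group's virtual IP) resolves to the virtual MAC.
        return self.last_hop.get(conn, VMAC)

def reply_delivered(auto_last_hop):
    group = RouterGroup(active=R1_MAC, alive={R1_MAC, R2_MAC})
    bigip = ReturnPath(auto_last_hop)
    bigip.ingress("conn-1", group.forward_src_mac())  # request arrives via R1
    group.fail_over(R2_MAC)                           # R1 dies mid-connection
    return group.accepts(bigip.egress_dst_mac("conn-1"))

if __name__ == "__main__":
    print("auto last hop :", reply_delivered(True))
    print("routing table :", reply_delivered(False))
```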