From: Stefano Lassi (stefano.lassi@sysma.it)
Date: Thu Nov 13 2003 - 08:11:38 GMT-3
Dear friends, I got the following problem:
I have to integrate, via HSRP, two routers: one 3600 used as a dialup RAS server, and a 2600 terminating some WAN FR PVCs.
The integration is oriented to using the 3600 as ISDN termination for backup of the 2600's FR PVCs.
Of course I can avoid HSRP, but I need it to guarantee backup against router failure too.
Whenever I activate HSRP between the 2600 and the 3600 (the 2600 being primary), dialup connections get broken.
From the HSRP RFC 2281:
"6.4 Proxy ARP
Typically, hosts learn the HSRP virtual IP address through the
configuration of their default router. These hosts then send packets
for destinations outside of the LAN to the virtual IP address. In
some environments, hosts may instead make use of proxy ARP in order
to route off of the LAN. In this case, the hosts use the MAC address
that is supplied in proxy ARP responses. HSRP functionality is
maintained if the proxy ARP responses specify the HSRP virtual MAC
address.
If an HSRP router is configured to support proxy ARP with HSRP, then
the router MUST specify the HSRP virtual MAC address in any proxy ARP
responses it generates. These proxy ARP responses MUST not be
suppressed based upon HSRP state. Suppression based upon state could
result in lack of any proxy ARP response being generated, since these
proxy ARP responses may be suppressed due to other reasons, such as
split-horizon rules.
"
And that is actually the behaviour I'm seeing: the 3600 is answering proxy ARP requests for its dialup clients using the HSRP alias MAC, but it is not the owner of it, being secondary.
I hoped to solve it by changing HSRP to the new Cisco VRRP (upgrading IOS), but from the VRRP RFC 2338:
"
8.3. Proxy ARP
If Proxy ARP is to be used on a VRRP router, then the VRRP router must advertise the Virtual Router MAC address in the Proxy ARP message. Doing otherwise could cause hosts to learn the real MAC address of the VRRP router.
"
Of course this behaviour is reasonable because it permits the fastest failover: "When an active HSRP router receives an ARP request for a node that is not on the local LAN, the router replies with the phantom router's MAC address instead of its own. If the router that originally sent the ARP reply later loses its connection, the new active router can still deliver the traffic."
The fine thing is that at another site (3640 WAN + 3620 dialup) it worked (I'm going to compare IOS versions ...).
Anyway, the dialup system is in production, so I can do some tests only during very off-peak time (during the night, sob!).
I planned 3 different ways to test/find a solution:
sol 1) Using the BIA MAC address
sol 2) Create a double HSRP group (hoping the 3600 will use the right HSRP alias for its dialup clients' proxy ARP ...)
sol 3) Reconfigure the dialup pools outside the LAN range (to avoid the proxy ARP issue): but I would have to reconfigure a huge list of firewall rules .....
Any idea/suggestions?
Thank you very much
Stefano Lassi
CCNP/CCDP
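As an added illustration, not part of Stefano's post and not his configuration, here is what the three candidates look like as IOS configuration on the 3600's LAN interface. Every address, interface name, pool name, group number and priority below is an assumption; the alternatives are shown as the author proposes to test them, not as verified fixes.

```cisco
! --- constructed example; addresses, names and priorities are assumptions ---
! The dialup clients get addresses out of the LAN subnet itself (192.0.2.0/24),
! which is why the 3600 has to proxy-ARP for them on the LAN segment.
ip local pool DIALUP 192.0.2.200 192.0.2.220
!
interface Group-Async1
 ip unnumbered FastEthernet0/0
 encapsulation ppp
 peer default ip address pool DIALUP
!
! sol 1) single HSRP group, but answer ARP (proxy ARP for the dialup
! clients included) with the interface's burned-in address instead of the
! 0000.0c07.acXX virtual MAC. Frames for dialup clients then reach the 3600
! whether or not it is the active router.
interface FastEthernet0/0
 ip address 192.0.2.3 255.255.255.0
 standby use-bia
 standby 1 ip 192.0.2.1
 standby 1 priority 90
 standby 1 preempt
!
! sol 2) alternative to the stanza above: two HSRP groups. The 2600 is active
! for group 1 (the LAN hosts' default gateway), the 3600 is active for group 2.
! Whether the 3600 picks group 2's virtual MAC for its proxy ARP replies is
! exactly the point to test in the maintenance window.
interface FastEthernet0/0
 ip address 192.0.2.3 255.255.255.0
 standby 1 ip 192.0.2.1
 standby 1 priority 90
 standby 1 preempt
 standby 2 ip 192.0.2.2
 standby 2 priority 110
 standby 2 preempt
!
! sol 3) move the pool out of the LAN subnet: LAN hosts then reach the dialup
! clients through a route rather than proxy ARP. The 2600 (as active gateway)
! needs a route for the pool pointing at the 3600's real address, e.g. on the
! 2600: ip route 10.10.10.0 255.255.255.0 192.0.2.3 (assumed addresses), and
! every firewall rule that names the old pool range has to change.
ip local pool DIALUP 10.10.10.1 10.10.10.20
```

With sol 1, failover of the virtual IP no longer comes for free from the shared virtual MAC: the new active router has to refresh the hosts' ARP caches with gratuitous ARP, so hosts that ignore unsolicited ARP replies or hold long ARP timeouts will take longer to follow a failover. With sol 3 the proxy ARP dependency disappears entirely, which is why it is the cleanest of the three despite the firewall rework. In every case the thing to watch during the test is the MAC address returned in the proxy ARP reply for a dialup client (a packet capture on the LAN, or the hosts' ARP tables), compared with the HSRP state of the router that answered.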
This archive was generated by hypermail 2.1.4 : Fri Dec 12 2003 - 12:29:11 GMT-3