Sorry I didn't send out the link to everyone...
Here it is again.
http://www.cisco.com/en/US/products/hw/switches/ps700/products_tech_note09186a00801d0808.shtml
Although it doesn't seem to specifically say it in the document, I think
the implied solution is to 'fix' the asymmetric routing, then the
flooding will go away.
I came across this once out in the wild, and resolved it this way.
Happy xmas everyone.
Paul
On 30/12/2010 07:20, Ivan Hrvatska wrote:
>
> It seems that the problem is what Paul has sent in that link. So,
> conclusion is that when you leave everything working by default, you
> can have problems in scenario like this (ospf load balancing, hsrp
> load balancing, timeouts). So, you have to do some tuning, right?
>
> On Dec 30, 2010 6:39 AM, <v.shekhar_at_globalassurance.net> wrote:
> > Your analysis of the problem looks good, also the workarounds are fine.
> > Another option would be to configure a static MAC binding on 6k.
> >
> > One thing I can't understand is why the packet path is asymmetric? This
> > is something which is not ideal.
> >
> >
> > Quoting Ivan Hrvatska <ivanzghr_at_gmail.com>:
> >
> >> Here it is:
> >>
> >> http://rapidshare.com/files/439826677/6k_7k.jpg
> >>
> >> Regards
> >>
> >> On Wed, Dec 29, 2010 at 12:56 AM, Paul Cocker <paul.cocker_at_gmx.com> wrote:
> >>> Can you upload a Visio somewhere so we can have a look?
> >>>
> >>> On 28/12/2010 23:43, Ivan Hrvatska wrote:
> >>>>
> >>>> I figured it out. The problem is in fact that arp timeout is 4 hours and mac
> >>>> aging time is 6 minutes on 6k switches. Doesn't have anything to do with
> >>>> asa. Two 6k switches are connected with two wan routers with 4 p2p L3
> >>>> links and between them is ospf. So, when first packet comes from wan cloud, 6k1
> >>>> looks at routing table and sees that destination host is on directly
> >>>> connected network. It sends arp and it gets response that host is in vlanif
> >>>> 514. Mac table also learns that host's mac is in interface between 6k1 and
> >>>> 6k2. Since 6k2 has p2p L3 link with primary Wan router, packet from S to H
> >>>> never goes back to 6k1. After 6 min 6k1 removes entry from mac table but arp
> >>>> entry remains. When next packet from H to S comes to 6k1, it doesn't know on
> >>>> which port to send frame, so it floods on all ports in vlan 514.
> >>>> So, now I'm considering option to have only 6k1 as active hsrp gw and root
> >>>> bridge for all vlans. Right now I have half vlans active on 6k1 and other
> >>>> half on 6k2. Also, to configure arp timeout 2 hours and mac aging little bit
> >>>> less than 2 hours. Also, on p2p L3 links between 6k and wan routers to
> >>>> configure cost so that traffic takes only one path. It seems little bit hard
> >>>> to follow flow of the traffic with ospf load balancing and load balancing at
> >>>> layer 2.
> >>>> What do you think?
> >>>>
> >>>> On Dec 28, 2010 9:58 PM, "Vijay Shekhar" <v.shekhar_at_globalassurance.net> wrote:
> >>>>>
> >>>>> I am a bit confused by your statement. Maybe it's just me.
> >>>>>
> >>>>> You mentioned that 6k1 - 6k2 and 2960 are in L2 domain, and you also
> >>>>> mention that 6k2 should do intervlan routing. These are contradictory.
> >>>>>
> >>>>> If 6k2 is indeed doing intervlan routing then 6k1 will see the MAC
> >>>>> address of 6k2 SVI to reach "s".
> >>>>>
> >>>>> It would perhaps be helpful if you can list out the VLAN #'s SVI IPs
> >>>>> and S & H IPs.
> >>>>>
> >>>>> Cheers!
> >>>>>
> >>>>> -Vijay Shekhar
> >>>>> CCIE(sec)#17589/CISSP/RHCE.
> >>>>> http://au.linkedin.com/in/vshekhar
> >>>>>
> >>>>>
> >>>>> Quoting Ivan Hrvatska <ivanzghr_at_gmail.com>:
> >>>>>
> >>>>>> Hi,
> >>>>>>
> >>>>>> I have scenario like this:
> >>>>>>
> >>>>>> H---Asa----6k1-----6k2
> >>>>>>             !       !
> >>>>>>             !       !
> >>>>>>             2960sw
> >>>>>>               !
> >>>>>>               S
> >>>>>>
> >>>>>> H-host in cloud (172.30.4.5), somewhere in distant network.
> >>>>>> Asa-running in transparent mode
> >>>>>> Between 6k switches and 2960 is l2 domain (trunks).
> >>>>>> 6k switches running hsrp and 6k2 is active gw for vlans 500 and 514. It is
> >>>>>> also root bridge for those vlans. Asa has one IP in vlan 500.
> >>>>>> S is in vlan 514.
> >>>>>> Problem is that 6k1 never learns mac address of S. When traffic comes from H
> >>>>>> 6k1 floods network with packets that should go to S. Only time when 6k1
> >>>>>> learns S mac address is when you ping S from 6k1. After 480 sec is aging
> >>>>>> time and mac address is cleared. As I understand 6k1 should forward packets
> >>>>>> which has S as destination to 6k2 as it is active gw for vlan 500 and then
> >>>>>> 6k2 should perform intervlan routing. Why flooding happens? Could asa make
> >>>>>> some problems cause of transparent mode?
> >>>>>>
> >>>>>> Regards
> >>>>>>
> >>>>>>
> >>>>>> Blogs and organic groups at http://www.ccie.net
> >>>>>>
> >>>>>>
> _______________________________________________________________________
> >>>>>> Subscription information may be found at:
> >>>>>> http://www.groupstudy.com/list/CCIELab.html
Received on Thu Dec 30 2010 - 17:39:39 ART
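
The timer mismatch discussed in this thread, as an added example that is not part of the original messages: a small Python model of 6k1 that counts how many H-to-S frames are flooded to every port in the VLAN for a given ARP timeout and MAC aging time. The function name, the 10-second traffic interval and the simplification that only an ARP exchange (or symmetric return traffic) refreshes the MAC-table entry are assumptions.

```python
def simulate(arp_timeout, mac_aging, duration, interval=10, symmetric=False):
    """Count (forwarded, flooded) H->S frames on 6k1 over `duration` seconds.

    Constructed model: one frame every `interval` seconds. On the asymmetric
    path, S's replies bypass 6k1, so 6k1 relearns S's MAC only when its ARP
    entry expires and the ARP reply crosses it.
    """
    arp_at = cam_at = None          # last refresh time of ARP / MAC-table entry
    forwarded = flooded = 0
    for t in range(0, duration, interval):
        if arp_at is None or t - arp_at >= arp_timeout:
            arp_at = cam_at = t     # ARP reply from S refreshes both tables
        if t - cam_at >= mac_aging:
            flooded += 1            # MAC aged out: unknown unicast, flood VLAN
        else:
            forwarded += 1          # MAC still known: frame sent out one port
        if symmetric:
            cam_at = t              # S's reply returns via 6k1, MAC relearned
    return forwarded, flooded


if __name__ == "__main__":
    four_hours = 4 * 3600
    # All timer combinations below are constructed sample inputs (seconds).
    cases = {
        "thread values (ARP 4 h, MAC 6 min)": (14400, 360, False),
        "MAC aging just under ARP (7200/7000)": (7200, 7000, False),
        "MAC aging equal to ARP (7200/7200)": (7200, 7200, False),
        "thread values, symmetric path": (14400, 360, True),
    }
    for name, (arp, mac, sym) in cases.items():
        fwd, fl = simulate(arp, mac, four_hours, symmetric=sym)
        print(f"{name:40s} forwarded={fwd:5d} flooded={fl:5d}")
```

In this model the flood window in each ARP cycle is the ARP timeout minus the MAC aging time, so it closes either when the aging time is at least the ARP timeout or when return traffic crosses 6k1 again.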
This archive was generated by hypermail 2.2.0 : Sat Jan 01 2011 - 09:37:50 ART