OTV FHRP filtering on an ASR router
We configured an OTV DCI in my previous post and it was working as expected and by design. But while testing all the VLANs I discovered a problem with HSRP over OTV, and only for one specific VLAN. The test results:
- A ping from a host in DC1 in VLAN 10 to the HSRP address gives random drops
- A ping from a host in DC1 in any other VLAN to the HSRP address works without any problems
- With the SVI of VLAN 10 in DC2 shut down, a ping from a host in DC1 in VLAN 10 to the HSRP address works without any problems
- With VLAN 10 still disabled in DC2, a host in DC2 can still ping the HSRP address in DC1. This should be impossible because of the FHRP filtering
- Changing the standby group number (they are the same in DC1 and DC2 to keep the same MAC address) partially solved the problem, but some hosts in DC1 got the HSRP MAC of DC2 in their ARP table. This is not what we want.
- After moving the SVI from a 6500 switch to a 3750 switch in DC1, none of the above problems occur
I still have no idea why this problem only exists for VLAN 10; all other VLANs work as expected. But I've found a good workaround for this in the configuration guide:
First, configure a MAC access-list on both ASR routers
mac access-list extended otv_fhrp
 deny 0000.0c07.ac00 0000.0000.00ff host 0000.0000.0000
 deny 0000.0c9f.f000 0000.0000.0fff host 0000.0000.0000
 deny 0007.b400.0000 0000.00ff.ffff host 0000.0000.0000
 deny 0000.5e00.0100 0000.0000.00ff host 0000.0000.0000
 permit host 0000.0000.0000 host 0000.0000.0000
Apply this MAC ACL outbound on the overlay service instance:
interface Overlay1
 service instance 10 ethernet
  mac access-group otv_fhrp out
And to make 100% sure OTV FHRP filtering is globally enabled on the overlay:
interface overlay 1
 otv filter-fhrp
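To check offline which source MACs the otv_fhrp ACL above will stop at the overlay, here is an added example (my own model, not the configuration guide's or Cisco's code) that applies Cisco wildcard-mask semantics to the four deny lines; the closing permit is modelled as a catch-all, which is an assumption made here, and the destination part of each line is ignored. It also derives the HSRPv1/v2 virtual MAC for a given standby group, so you can see why changing the group number (as in the test above) still lands inside the filtered range.

```python
# Added example (not from the original post): model the otv_fhrp MAC ACL's
# source-MAC wildcard matching. Cisco wildcard semantics: a 0 bit in the
# mask must match exactly, a 1 bit is "don't care".
MAC_BITS = 0xFFFF_FFFF_FFFF

# Same deny lines as the otv_fhrp ACL (source MAC and wildcard only); the
# closing permit is modelled as a catch-all, an assumption made here.
OTV_FHRP_ACL = [
    ("deny",   "0000.0c07.ac00", "0000.0000.00ff"),  # HSRPv1: 0000.0c07.acXX
    ("deny",   "0000.0c9f.f000", "0000.0000.0fff"),  # HSRPv2: 0000.0c9f.fXXX
    ("deny",   "0007.b400.0000", "0000.00ff.ffff"),  # GLBP:   0007.b4XX.XXXX
    ("deny",   "0000.5e00.0100", "0000.0000.00ff"),  # VRRP:   0000.5e00.01XX
    ("permit", "0000.0000.0000", "ffff.ffff.ffff"),  # catch-all (assumed)
]


def parse_mac(text: str) -> int:
    """Accept 0000.0c07.ac0a, 00:00:0c:07:ac:0a or 00-00-0c-07-ac-0a."""
    digits = "".join(ch for ch in text.lower() if ch in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC: {text!r}")
    return int(digits, 16)


def format_mac(value: int) -> str:
    """Render as Cisco dotted triplets, e.g. 0000.0c07.ac0a."""
    h = f"{value & MAC_BITS:012x}"
    return f"{h[0:4]}.{h[4:8]}.{h[8:12]}"


def wildcard_match(mac: int, base: int, wildcard: int) -> bool:
    # Every bit that is 0 in the wildcard must be equal in mac and base.
    return ((mac ^ base) & ~wildcard & MAC_BITS) == 0


def acl_action(src_mac: str, acl=OTV_FHRP_ACL) -> str:
    """First matching entry wins; no match means the implicit deny."""
    mac = parse_mac(src_mac)
    for action, base, wildcard in acl:
        if wildcard_match(mac, parse_mac(base), parse_mac(wildcard)):
            return action
    return "deny"


def hsrp_v1_vmac(group: int) -> str:
    """HSRPv1 virtual MAC: 0000.0c07.ac + group number (0-255)."""
    return format_mac(0x00000C07AC00 | (group & 0xFF))


def hsrp_v2_vmac(group: int) -> str:
    """HSRPv2 virtual MAC: 0000.0c9f.f + group number (0-4095)."""
    return format_mac(0x00000C9FF000 | (group & 0xFFF))
```

Running acl_action(hsrp_v1_vmac(10)) and acl_action(hsrp_v1_vmac(11)) both return "deny", while an ordinary host MAC such as 0050.56ab.cdef returns "permit".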
Start testing again and you’ll see that the ping drops are gone and HSRP (FHRP) filtering is working correctly.
I'll update this post when TAC comes up with an explanation of why this is only happening to VLAN 10 and why the problem does not exist when I move the SVI to a 3750.