Active gateway over VSX

Active gateway is a first hop redundancy protocol that eliminates a single point of failure. The active gateway feature is used to increase the availability of the default gateway servicing hosts on the same subnet. An active gateway improves the reliability and performance of the host network by enabling a virtual router to act as the default gateway for that network.

If you have enabled active gateway, VRRP is not required. Active gateway is similar to VRRP in that routed traffic from the VSX node is sourced from the switch interface MAC and not the virtual MAC address (VMAC). Each active gateway sends a periodic broadcast hello packet to avoid VMAC aging on the access switches. The switch views the active gateway IP as a self IP address.

Active gateway is preferable over VRRP because, with VRRP, traffic is still pushed over the ISL link, resulting in latency in the network.

VMACs and active gateway

There can be only one virtual MAC address (VMAC) each for IPv4 and IPv6, and the VIP and VMAC must be the same on both VSX switches.

You can have a maximum of 16 different VMACs per VSX pair. You can configure the same VMAC for both IPv4 and IPv6. For example, you can have a maximum of eight VMACs for IPv4 while simultaneously having a maximum of eight VMACs for IPv6.

NOTE: Only 15 VMACs are supported on the 6400 switch series.

If a VMAC is different for IPv4 and IPv6, the switch creates two different interfaces, one for IPv4 and another for IPv6:

interface vlan2
   active-gateway ip mac 0a:0b:0c:0d:0e:0e
   active-gateway ipv6 mac 00:00:00:00:00:01

0020a0b0c0d0e0e Link encap:Ethernet HWaddr 0A:0B:0C:0D:0E:0E

002000000000001 Link encap:Ethernet HWaddr 00:00:00:00:00:01

If a VMAC is the same for IPv4 and IPv6, only one kernel interface is created for both IPv4 and IPv6:

interface vlan3
   active-gateway ip mac 00:00:00:00:00:01
   active-gateway ipv6 mac 00:00:00:00:00:01

003000000000001 Link encap:Ethernet HWaddr 00:00:00:00:00:01

NOTE: Do not use the peer system MAC address as an active-gateway VMAC. If the same MAC address is used, VSX synchronization will try to sync the configuration on the secondary switch and cause traffic disruptions.

Requirements

  • Before configuring active gateway, confirm that the SVI has an IP address in the same subnet as the active gateway IP you are trying to configure. If an active gateway IP does not have an SVI IP in the same subnet, the CLI allows the configuration, but the active gateway IP is not programmed in the kernel, leaving the active gateway unreachable.

  • An active gateway can be configured only over an SVI. If active gateway and SVI IP addresses are the same, make sure that SVI IP addresses are consistent across VSX switches. If you have a VSX square topology that contains two pairs of VSX switches, make sure that you do not have the same IP address across all four VSX nodes in the square topology.

  • Having the same VMAC on different VSX segments in a square topology is not supported on the 8320 and 8325 switch series, because packets are consumed instead of being forwarded. Ensure that you have different VMACs configured on the two VSX segments.

  • If a system has active forwarding enabled, reduce the total number of VMACs supported in the system by one. An active gateway can have a maximum of 14 "unique" MAC addresses per system; both IPv4 and IPv6 addresses are included in the count.

  • If a system has active forwarding disabled, an active gateway can have a maximum of 16 "unique" MAC addresses per system; both IPv4 and IPv6 addresses are included in the count.

  • With IP multinetting, a maximum of 32 IPv4 active gateways and a maximum of 31 IPv6 active gateways can be configured. A recommended configuration is a multidimension (MD) scale and a maximum network limit, along with four IPv4 active gateways and four IPv6 active gateways per SVI, with a maximum of 512 SVIs per chassis.

    An MD scale is when the VSX active-gateway along with other supported features, such as layer 2, layer 3, and multi-VRF are enabled and the system response/stability is validated against them.

  • The link-local IPv6 virtual IP address of an active gateway is multicast in router advertisements so that the IPv6 address can be chosen as a default gateway.

  • Active gateway configuration must be the same on both VSX peer switches.

  • Disable IP ICMP redirect when IP multinetting is enabled.

  • Disable ICMP redirect when routing is enabled through an active gateway SVI where the egress port belongs to the same VLAN as the ingress port.
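
Several of the requirements above can be checked offline before a change is pushed to the switches. The following is an added example, not vendor code: a Python lint over two constructed running-config excerpts that flags an active gateway IP with no SVI address in its subnet, a VMAC equal to a peer system MAC, active-gateway lines that differ between the VSX peers, and a unique-VMAC count above the limits stated on this page. The function names, the sample configs and the MAC 02:00:00:00:00:02 are assumptions made for illustration.

```python
import ipaddress
MAX_VMACS = {False: 16, True: 14}  # page's limits, keyed by active forwarding on/off

def parse(config):
    """Map interface name -> SVI addresses and (family, ip, mac) active gateways."""
    svis, cur = {}, None
    for tok in filter(None, map(str.split, config.splitlines())):
        if tok[0] == "interface":
            cur = svis.setdefault(tok[1], {"addrs": [], "ag": []})
        elif cur is not None and tok[:2] in (["ip", "address"], ["ipv6", "address"]):
            cur["addrs"].append(ipaddress.ip_interface(tok[2]))
        elif cur is not None and tok[0] == "active-gateway":
            mac = tok[tok.index("mac") + 1].lower() if "mac" in tok else None
            ip = tok[2] if tok[2] != "mac" else None
            cur["ag"].append((tok[1], ip, mac))
    return svis

def check(primary, secondary, peer_system_macs, active_forwarding=False):
    """Return findings for the primary's config, compared with the secondary's."""
    a, b = parse(primary), parse(secondary)
    peers = {m.lower() for m in peer_system_macs}
    empty, findings, vmacs = {"addrs": [], "ag": []}, [], set()
    for name in sorted(set(a) | set(b)):
        svi = a.get(name, empty)
        for _family, ip, mac in svi["ag"]:
            if mac in peers:
                findings.append(f"{name}: VMAC {mac} is a VSX peer system MAC")
            addr = ipaddress.ip_address(ip) if ip else None
            in_subnet = any(addr in i.network for i in svi["addrs"]) if addr else True
            # Link-local gateways are skipped: the SVI's own link-local is not in the config.
            if not in_subnet and not addr.is_link_local:
                findings.append(f"{name}: active gateway {ip} has no SVI IP in its subnet")
        vmacs |= {mac for _, _, mac in svi["ag"] if mac}
        if sorted(svi["ag"], key=str) != sorted(b.get(name, empty)["ag"], key=str):
            findings.append(f"{name}: active-gateway config differs between VSX peers")
    if len(vmacs) > MAX_VMACS[active_forwarding]:
        findings.append(f"{len(vmacs)} unique VMACs exceed {MAX_VMACS[active_forwarding]}")
    return findings

# Constructed configs: vlan10 uses the page's values, vlan20 is deliberately wrong.
PRIMARY = """\
interface vlan10
    ip address 10.1.1.253/24
    active-gateway ip 10.1.1.254 mac 00:00:00:10:11:12
interface vlan20
    ip address 10.2.0.253/24
    active-gateway ip 10.3.0.254 mac 02:00:00:00:00:02
"""
SECONDARY = PRIMARY.replace(".253/", ".252/").replace("02:00:00:00:00:02", "02:00:00:00:00:03")
```

Calling `check(PRIMARY, SECONDARY, {"02:00:00:00:00:02"})` returns three findings, all on vlan20; the lower 6400-series limit noted earlier is not modeled.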

Example of IPv4 and IPv6 active gateways on an SVI

Assume that you have IPv4 and IPv6 active gateways on an SVI. Each SVI uses a MAC address for IPv4 and one for IPv6. The configuration of the VSX with an active-gateway consumes a second MAC address per SVI.

switch# sh int vlan10

Interface vlan10 is up
Admin state is up
Description: ACCESS switch mgmt
Hardware: Ethernet, MAC Address: 98:f2:b3:68:71:fe
IPv4 address 10.1.1.253/24
Rx
       L3:
            0 packets, 0 bytes
Tx
       L3:
            0 packets, 0 bytes

switch# sh run int vlan141
interface vlan141
   description USER VLAN 10.141.0.0/16
   ip address 10.141.255.253/16
   ip ospf 1 area 0.0.0.0
   ip pim-sparse enable
   ip igmp enable
   ip igmp version 2
   exit
switch# config
switch(config)# int vlan10
switch(config-if-vlan)# active-gateway ip 10.1.1.254 mac 00:00:00:10:11:12
switch# sh int vlan10

Interface vlan10 is up
Admin state is up
Description: ACCESS switch mgmt
Hardware: Ethernet, MAC Address: 98:f2:b3:68:71:fe
IPv4 address 10.1.1.253/24
active gateway 10.1.1.254           00:00:00:10:11:12
Rx
       L3:
            0 packets, 0 bytes
Tx
       L3:
            0 packets, 0 bytes