Quality is Connecting Knowledge

What should you watch out for when deploying VRRP and QinQ tunnels?

28 Mar

This blog explains a scenario in which the design of VRRP, in combination with QinQ, plays a critical role.

VRRP is a technology that creates a highly available layer 3 (IP) gateway for clients/endpoints. It is one of the First Hop Redundancy Protocols (FHRP), alongside HSRP and GLBP. VRRP provides the IP gateway function in an "active-passive" arrangement across two separate network components, which gives device redundancy. The IP gateway therefore remains available when one of the network components fails, for example because of broken cabling or a power failure. In that case, the active gateway role shifts to the other network component.

QinQ is a technology that allows the same VLANs to be transported over a shared infrastructure without interfering with each other. It is often used by organizations such as Service Providers that provide network transport, for example between data centers.

Figure 1-1 - VRRP and QinQ

Why does VRRP work without problems when the same group is used between two switches?

VRRP uses a virtual MAC address, which is partly determined by the VRRP group used. In other words, if group 1 is used, it will always lead to the same virtual MAC address unless it is overridden manually by specifying which virtual MAC address to use.

When a switch has to decide where to send a frame, it does so based on the MAC address. The switch maintains a table that records which port leads to which MAC address. In theory, using the same VRRP group in multiple networks would cause problems, because those networks would use the same MAC address for different gateways. In practice, however, this often works flawlessly because most switches use "Independent VLAN learning" (IVL). This means that the decision is based not only on the MAC address but also on the 802.1Q VLAN tag (Figure 1-2). The same MAC address can therefore appear in several VLANs at the same time.

Why is this still a problem in combination with QinQ if switches use IVL?

QinQ uses double-tagged frames (Figure 1-3). However, the switches that provide the QinQ tunnels only use the "Nested VLAN" value in the frame, also called the "Service Provider VLAN". This makes it possible to transport the same VLANs for different customers over the shared infrastructure. Because the VRRP MAC address is determined by the group ID, using the same group ID in different VLANs means the same MAC address exists in each of those VLANs. In combination with QinQ, this can lead to MAC flapping as soon as two VRRP groups are active in different locations, because the switches providing the tunnels then see the same MAC address in the same "service provider" VLAN.

Figure 1-2 - IEEE 802.1Q frame

Figure 1-3 - IEEE 802.1ad (QinQ) frame

Configuration

The configuration below reproduces the problem. Note that QinQ applies to all VLANs. With this configuration you will experience connectivity issues, because "MAC flapping" occurs on the switches that provide the QinQ tunnels. The problem can be solved by keeping the VRRP groups unique per interface VLAN.

Configuration switch 1

interface vlan 10
 ip address 10.10.10.1 255.255.255.0
 vrrp 1 ip 10.10.10.254
 vrrp priority 110
!
! VLAN 20 reuses VRRP group 1 and therefore the same virtual MAC address as VLAN 10
interface vlan 20
 ip address 10.20.20.1 255.255.255.0
 vrrp 1 ip 10.20.20.254
 vrrp priority 120

Configuration switch 2

interface vlan 10
 ip address 10.10.10.2 255.255.255.0
 vrrp 1 ip 10.10.10.254
 vrrp priority 120
!
! VLAN 20 reuses VRRP group 1 and therefore the same virtual MAC address as VLAN 10
interface vlan 20
 ip address 10.20.20.2 255.255.255.0
 vrrp 1 ip 10.20.20.254
 vrrp priority 110
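
The Python sketch below is an added example, not part of the original post: it models MAC learning on an IVL switch and on a QinQ provider switch for the configuration above and counts how often the gateway MAC moves between ports. The service-provider VLAN 100, the port names and the frame order are constructed; the virtual MAC format 00:00:5e:00:01:<group> is the standard IPv4 VRRP address.

```python
# Added illustration (not from the original post). S-VLAN 100, port names and
# the order of the advertisements are constructed sample values.

def vrrp_vmac(vrid):
    """IPv4 VRRP virtual MAC: 00:00:5e:00:01:<VRID> (RFC 5798)."""
    if not 1 <= vrid <= 255:
        raise ValueError("VRID must be in 1..255")
    return "00:00:5e:00:01:%02x" % vrid

def ivl_key(frame):
    """Customer switch with IVL: table keyed on customer VLAN + MAC."""
    return (frame["c_vlan"], frame["src"])

def qinq_key(frame):
    """Provider switch carrying the tunnel: keyed on service-provider VLAN + MAC."""
    return (frame["s_vlan"], frame["src"])

def count_flaps(frames, key):
    """Learn source MACs; count how often a known entry moves to another port."""
    table, flaps = {}, 0
    for frame in frames:
        k = key(frame)
        if k in table and table[k] != frame["port"]:
            flaps += 1
        table[k] = frame["port"]
    return flaps

def advertisements(masters, s_vlan=100, rounds=3):
    """Constructed VRRP advertisements as seen on one switch.
    masters: (customer VLAN, VRRP group, ingress port of the current master)."""
    return [
        {"s_vlan": s_vlan, "c_vlan": c_vlan, "src": vrrp_vmac(vrid), "port": port}
        for _ in range(rounds)
        for c_vlan, vrid, port in masters
    ]

# Configuration from the page: group 1 in both VLANs. Switch 2 (priority 120)
# is master for VLAN 10 and switch 1 (priority 120) for VLAN 20, so the two
# advertisement streams enter the provider network on different ports.
SHARED_GROUP = advertisements([(10, 1, "to-switch-2"), (20, 1, "to-switch-1")])
# Fix named on the page: a unique VRRP group per interface VLAN.
UNIQUE_GROUPS = advertisements([(10, 1, "to-switch-2"), (20, 2, "to-switch-1")])

if __name__ == "__main__":
    print("IVL switch, shared group :", count_flaps(SHARED_GROUP, ivl_key))
    print("QinQ switch, shared group:", count_flaps(SHARED_GROUP, qinq_key))
    print("QinQ switch, unique groups:", count_flaps(UNIQUE_GROUPS, qinq_key))
```

On a real provider switch the same condition shows up as MAC move or MAC flap log messages for the gateway MAC within a single service-provider VLAN.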

Written by: Dylan van Oudheusden
