No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>

Reminder

To have a better experience, please upgrade your IE browser.

upgrade

VRRP group remains master on both NE40E routers

Publication Date:  2013-04-01 Views:  36 Downloads:  0
Issue Description
VRRP group remains master on both NE40E routers, while NE40E-1 is configured to be the MASTER and NE40E-2 backup. Both routers are running under version NE40E&80E V600R001C00SPCe00 and connection between routers are made by two S9300 switches, according to the following topology:



No alarm information were shown on display logbuffer, display trapbuffer or display alarm all, however, if command display vrrp command was run on both routers, we could see that they were working as MASTER at the same time:

NE40E-1:

  GigabitEthernetX/X/X | Virtual Router 31
    State : Master
    Virtual IP : 109.176.212.152
    PriorityRun : 110
    PriorityConfig : 110
    MasterPriority : 110
    Preempt : YES   Delay Time : 0
    TimerRun : 1
    TimerConfig : 1
    Auth Type : NONE
    Virtual Mac :  0000-5e00-011f
    Check TTL : YES
    Config type : normal-vrrp
    Config track link-bfd down-number : 0

NE40E-2

  GigabitEthernetX/X/X | Virtual Router 31
    State : Master
    Virtual IP : 109.176.212.152
    PriorityRun : 100
    PriorityConfig : 100
    MasterPriority : 100
    Preempt : YES   Delay Time : 0
    TimerRun : 1
    TimerConfig : 1
    Auth Type : NONE
    Virtual Mac :  0000-5e00-011f
    Check TTL : YES
    Config type : normal-vrrp
    Config track link-bfd down-number : 0
Handling Process
Checking the configuration of uplink interfaces on S9300 switches, it was found out that both interfaces had port security configured:

interface GigabitEthernetX/X/X
(configuration suppressed)
 port-security enable
 port-security protect-action shutdown
 port-security max-mac-num 3

Performing tests in lab environment, port security was removed from S9300´s uplink interfaces and problem was solved.
Root Cause
Due the port security configuration, virtual MAC address was being handled as a secured MAC address and not being released by the switches. Since Virtual MAC address has to "float" between both routers, this configuration was avoiding this behavior.
Solution

Delete port security configured on uplink interfaces.

Suggestions

For this kind of topology, port security configuration on uplink interfaces is not suggested.

END