Posted on March 8, 2021 9:03 am
 |  Asked by Guohong Zhou


I’m deploying 7280QR MLAG to replace stacked devices, but hit the hardware limitation of 16 unique virtual MAC addresses.

For LAG links, MLAG with VARP is used. For non-LAG links, VRRP is used. The count of VRRP groups is 25.

I did a test with vEOS to verify the feasibility of replacing VRRP with VARP. The pinging succeeded between hosts. Please find the attachment for details. I’m not sure it will work well in a production network. Could someone please tell me what the risk is? Thanks.

Answered on March 8, 2021 9:44 am
Hi Guohong Zhou.
In general, using VARP should be straightforward. Something to keep in mind is that, considering that the virtual MAC (vMAC) will change, you need to make sure the hosts within the network will update their ARP cache with the new information. By default, VARP (ip virtual-router) will send GARPs every 30 seconds, so you could consider reducing this interval when performing the migration to speed up the ARP cache update.
Also, keep in mind that if the hosts do not accept GARPs, the ARP entry on these hosts would take some time (depending on the ARP timeout) to get updated.
It is probably a good idea to discuss this with the SE for your account so he/she can review your requirements and suggest the best approach for your particular environment.
Posted by Guohong Zhou
Answered on March 8, 2021 1:33 pm

Hi Diogo,

Thanks for your answer. Could you please explain why vMAC will change? I configured 'ip virtual-router mac-address 00:1c:73:00:00:01'.

Answered on March 8, 2021 1:37 pm

Hi Guohong.

Sorry, I assumed the vMAC would be changed as well. In case you are using the same MAC address for the gateway, there should be no problem in regards to the ARP cache update.

Posted by Guohong Zhou
Answered on March 9, 2021 8:59 am

Hi Diogo,

Thanks. I'd like to mention that the scenario I am describing has no MLAG port-channel between the leaf and the pair of spines (MLAG peers). Does what you say still apply to this situation?

I opened a case and got an answer from TAC - "If there is no MLAG port-channel between the spines and the leafs, then we will see mac address flaps on the leaf device. This is because there will be garp messages sent from both the spines towards the leaf every 30 seconds, these flaps can be avoided if it is an MLAG interface (since the mac will be learnt on a single interface in this case)."
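
The TAC explanation quoted above can be replayed in a small model of the leaf's MAC table. This is an added example, not part of the original thread and not Arista code; the interface names, the 10-second offset between the two spines' GARP timers, and the assumption that both uplinks are forwarding are constructed for illustration.

```python
# Constructed model: a leaf switch learning the shared VARP vMAC from GARPs
# sent by two spines. Names and timings below are assumptions for illustration.
VMAC = "00:1c:73:00:00:01"      # vMAC quoted in the thread
GARP_INTERVAL = 30              # seconds, the default stated in the thread


def garp_schedule(duration, spine_offsets):
    """Return sorted (time, spine) GARP transmissions for each spine."""
    events = []
    for spine, offset in spine_offsets.items():
        t = offset
        while t < duration:
            events.append((t, spine))
            t += GARP_INTERVAL
    return sorted(events)


def count_mac_moves(events, ingress_map):
    """Replay GARPs through a MAC table; return (moves, final_interface).

    ingress_map maps the sending spine to the leaf's logical ingress
    interface. A move is counted when the vMAC is re-learned on a
    different interface than the one currently in the table.
    """
    mac_table = {}
    moves = 0
    for _, spine in events:
        iface = ingress_map[spine]
        previous = mac_table.get(VMAC)
        if previous is not None and previous != iface:
            moves += 1
        mac_table[VMAC] = iface
    return moves, mac_table.get(VMAC)


# Assumption: spine B's GARP timer starts 10 s after spine A's.
EVENTS = garp_schedule(120, {"spine-a": 0, "spine-b": 10})

# Case 1: two independent uplinks (no port-channel on the leaf).
STANDALONE = {"spine-a": "Ethernet1", "spine-b": "Ethernet2"}
# Case 2: both uplinks bundled into one port-channel towards the MLAG pair.
BUNDLED = {"spine-a": "Port-Channel1", "spine-b": "Port-Channel1"}

if __name__ == "__main__":
    print("standalone uplinks:", count_mac_moves(EVENTS, STANDALONE))
    print("MLAG port-channel: ", count_mac_moves(EVENTS, BUNDLED))
```

Over two minutes the model re-learns the vMAC on a different interface at nearly every GARP when the uplinks are standalone, and never when they are members of one port-channel.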

Posted by Alexis Dacquay
Answered on March 9, 2021 9:47 pm

Your VARP config looks fine.
However, I am a bit surprised why L2 has two uplinks outside a LAG. It means you would have 1 link blocking (assuming the MLAG pairs are the root).
Would you not prefer avoiding STP convergences in case of link failure, and have active-active uplinks (more throughput), like for L1?

What constraints do you have that force you to do that?


Posted by Guohong Zhou
Answered on March 10, 2021 1:04 am

Hi Alexis,

Actually I'm deploying a migration from a stacked core to a pair of 7280Rs for my customer. The legacy links between the pair of firewalls (deployed in HA) and the core switch are not bundled. The limitation of 16 unique MAC addresses will be exceeded if I use VRRP. So I raised this question because all VARP groups consume only one vMAC.

Posted by Mark Mett
Answered on March 16, 2021 12:11 pm

If I'm reading this right then your 2 routers now have "NAT", "WAN" and "Monitor" interfaces, is that right?

What happens to traffic if the "Monitor" connection breaks?

Have you tested what happens when the master router recovers?
