active-gateway (VSX)
active-gateway
ip [<IP-ADDRESS>] [mac <MAC-ADDRESS>]
ipv6 [<IPv6-ADDRESS>] [mac <MAC-ADDRESS>]
l3-src-mac
no ...
Description
Configures a virtual IP and virtual MAC for an interface VLAN. The extended-mac option stores MAC addresses in a supplemental table which allows configuring more than 16 virtual MAC addresses.
The no form of this command removes the active gateway for active-active routing.
This configuration will disable flow tracking statistics collection.
| Parameter | Description |
|---|---|
| ip | Specifies the configuration of an IPv4 address. |
| <IP-ADDRESS> | Specifies the IPv4 address. Syntax: A.B.C.D |
| <MAC-ADDRESS> | Specifies the virtual MAC address. Syntax: xx:xx:xx:xx:xx:xx |
| extended-mac | Stores the MAC address in the extended MAC table. |
| ipv6 | Specifies the configuration of an IPv6 address. |
| <IPv6-ADDRESS> | Specifies the IPv6 address. Syntax: A:B::C:D |
| <MAC-ADDRESS> | Specifies the virtual MAC address. Syntax: xx:xx:xx:xx:xx:xx |
| extended-mac | Stores the MAC address in the extended MAC table. |
| l3-src-mac | Configures the virtual gateway MAC address as the source MAC for routed packets. |
| no | Negates any configured parameter. |
Usage
Before configuring active gateway, confirm that the SVI has an IP address in the same subnet as the active gateway IP you are trying to configure. If an active gateway IP does not have an SVI IP in the same subnet, the CLI allows the configuration, but the active gateway IP will not be programmed in the kernel, leaving the active gateway unreachable.
It is highly recommended that you use an IPv6 link-local address as a gateway (VIP) on the active gateway IPv6 configuration.
If VRRP or active forwarding is configured on an SVI, active gateway cannot be configured. Active gateway with overlapping networks is not allowed. A maximum of 16 unique virtual MACs is supported in a system.
The maximum number of supported active gateways per switch is 4,000. Since a maximum of 31 secondary IPv4 addresses can be configured on an SVI, 32 IPv4 active gateways (along with the primary IPv4 address) can be configured per SVI with IP multinetting support. This support is also the same for IPv6 addresses.
The extended-mac option allows you to increase the maximum number of MAC addresses supported in the system. The following are some important points to be considered for using this option:
- The extended-mac feature has some limitations over regular active gateway MACs. Therefore, it is recommended to use the regular active-gateway MACs first.
- A maximum of 500 unique instances, each containing the specified active gateway IP and MAC address as a pair, can be configured.
- Configuration of extended-mac can only be done on VLAN interfaces.
- Extended MAC addresses cannot be one of the 16 MAC addresses in the regular active-gateway table.
- The mac-address matches will only match on the outer destination address of an overlay network packet, making this feature usable only in underlay environments or overlay environments where the L3 gateways using the extended-mac feature are distributed across all VTEPs.
- The extended-mac feature is mutually exclusive with the mac-lockout feature:
  - If the mac-lockout entries are configured, the extended-mac configuration will fail.
  - If the extended-mac entries are configured, the mac-lockout configuration will fail.
  - When both mac-lockout and extended-mac options are configured through REST API, the mac-lockout configuration will take precedence and become the active feature. A log message will be displayed, explaining the conflict.
  - If the mac-lockout feature is configured through REST API when the extended-mac feature is active, then the extended-mac feature will be deactivated.
If the active gateway is configured with the same IP as an SVI IP, then IPv6 DAD cannot be configured and the SVI IP cannot be changed.
The recommended order for configuring an active gateway with the same IPv6 address as an SVI on both VSX peers is:
- IPv6 active gateway configuration
- SVI IPv6 address configuration
If the configuration is applied in a different order, it may result in a DAD status of DUPLICATE. To remove the DUPLICATE status of the SVI IP address, perform a shutdown and no shutdown on the interface.
Do not use the peer system MAC address as an active-gateway VMAC. If the same MAC address is used, VSX synchronization will try to sync the configuration on the secondary switch and cause traffic disruptions.
Examples
Configuring active-gateway, when the IP address is different from the SVI IP address on both VSX peers (valid for IPv4 and IPv6):
Switch 1:
switch1(config-if-vlan)# ip address 192.168.1.250/24
switch1(config-if-vlan)# active-gateway ip 192.168.1.253 mac 00:00:00:00:00:01
switch1(config-if-vlan)# active-gateway ipv6 fe80::01 mac 00:00:00:01:00:01
Switch 2:
switch2(config-if-vlan)# ip address 192.168.1.251/24
switch2(config-if-vlan)# active-gateway ip 192.168.1.253 mac 00:00:00:00:00:01
switch2(config-if-vlan)# active-gateway ipv6 fe80::01 mac 00:00:00:01:00:01
Configuring active-gateway when the IP address is the same as the SVI IP address on both VSX peers (valid for IPv4 and IPv6):
Switch 1:
switch1(config-if-vlan)# ip address 192.168.1.250/24
switch1(config-if-vlan)# active-gateway ip 192.168.1.250 mac 00:00:00:00:00:01
switch1(config-if-vlan)# active-gateway ipv6 fe80::100 mac 00:00:00:00:00:01
switch1(config-if-vlan)# ipv6 address link-local fe80::100/64
Switch 2:
switch2(config-if-vlan)# ip address 192.168.1.250/24
switch2(config-if-vlan)# active-gateway ip 192.168.1.250 mac 00:00:00:00:00:01
switch2(config-if-vlan)# active-gateway ipv6 fe80::100 mac 00:00:00:00:00:01
switch2(config-if-vlan)# ipv6 address link-local fe80::100/64
Configuring only the active gateway address:
switch(config-if-vlan)# ip address 192.168.1.250/24
switch(config-if-vlan)# active-gateway ip 192.168.1.250
Configuring only the active gateway IP MAC address:
switch2(config-if-vlan)# ip address 192.168.1.250/24
switch2(config-if-vlan)# active-gateway ip mac 00:00:00:01:00:01
Configuring the active gateway with the extended MAC usage (IPv4 and IPv6):
switch(config-if-vlan)# active-gateway ip mac 00:00:00:00:00:01 extended-mac
Warning: This configuration will disable flow tracking statistics collection.
switch(config-if-vlan)# active-gateway ipv6 mac 00:00:00:00:00:02 extended-mac
Warning: This configuration will disable flow tracking statistics collection.
switch(config-if-vlan)# active-gateway ip 10.0.0.2 mac 00:00:00:00:00:01 extended-mac
switch(config-if-vlan)# active-gateway ipv6 fe80::100 mac 00:00:00:00:00:01 extended-mac
Removing the active gateway for active-active routing (IPv6 and IPv4):
switch(config-if-vlan)# no active-gateway ip
switch(config-if-vlan)# no active-gateway ipv6
Removing the active gateway for active-active routing for an IP address:
switch(config-if-vlan)# no active-gateway ip 192.168.1.250
Removing the active gateway for active-active routing for virtual MAC addresses:
switch(config-if-vlan)# no active-gateway ip mac
When configuring the virtual active gateway for IPv6 on an SVI, it is recommended to use the same global IPv6 and active gateway IPv6 address. Similarly, if you want to use the IPv6 link-local address for the virtual active gateway then the same address should be configured for both the SVI and the active gateway.
Global IPv6 address:
switch(config-if-vlan)# ipv6 address 1001::1/64
switch(config-if-vlan)# active-gateway ipv6 1001::1
switch(config-if-vlan)# active-gateway ipv6 mac 00:00:00:00:aa:01
IPv6-Link-Local address:
switch(config-if-vlan)# ipv6 address link-local fe80::1/64
switch(config-if-vlan)# active-gateway ipv6 fe80::1
switch(config-if-vlan)# active-gateway ipv6 mac 00:00:00:00:aa:01
Configuring l3-src-mac when only an IPv4 virtual MAC is configured. The IPv4 virtual MAC is used as the source MAC for IPv4 routed packets:
switch(config-if-vlan)# ip address 192.168.1.250/24
switch(config-if-vlan)# active-gateway ip 192.168.1.253 mac 00:00:00:00:00:01
switch(config-if-vlan)# active-gateway l3-src-mac
Configuring l3-src-mac when only an IPv6 virtual MAC is configured. The IPv6 virtual MAC is used as the source MAC for IPv6 routed packets:
switch(config-if-vlan)# ip address 192.168.1.250/24
switch(config-if-vlan)# active-gateway ipv6 fe80::01 mac 00:00:00:01:00:01
switch(config-if-vlan)# active-gateway l3-src-mac
Configuring l3-src-mac when both IPv4 and IPv6 virtual MACs are configured. The IPv4 virtual MAC is used as the source MAC for IPv4 and IPv6 routed packets. It is recommended to use the same virtual MAC when both IPv4 and IPv6 virtual MACs are configured:
switch(config-if-vlan)# ip address 192.168.1.250/24
switch(config-if-vlan)# active-gateway ip 192.168.1.253 mac 00:00:00:00:00:01
switch(config-if-vlan)# active-gateway ipv6 fe80::01 mac 00:00:00:00:00:01
switch(config-if-vlan)# active-gateway l3-src-mac
When the IPv4 and IPv6 virtual MACs are the same, 8325 and 10000 switches support 512 SVIs. When the IPv4 and IPv6 virtual MACs are different, 8325 and 10000 switches support 341 SVIs.
Configuration table for supported SVIs
| Configuration | Platforms | Supported SVIs |
|---|---|---|
| When the l3-src-mac IPv4 is configured on SVI along with the active-gateway | 8320 | Up to 190 |
| | 8325 and 10000 | Up to 380 |
| | 8360 and 6400 | Up to 384 |
| | 8100 | Up to 256 |
| When the l3-src-mac IPv4 and IPv6 are configured on SVI along with the active-gateway | 8320 | Up to 165 |
| | 8325 and 10000 | Up to 330 |
| | 8360 and 6400 | Up to 384 |
| | 8100 | Up to 256 |
| When the VSX active-forwarding, VRRP and virtual-mac features are configured | 8320, 8325, 8360, 8100, 6400, and 10000 | Goes down |
Configuring l3-src-mac when no virtual MACs are configured. The system MAC is used as the source MAC for routed packets. Such a configuration can generate a CLI warning as shown:
switch(config-if-vlan)# ip address 192.168.1.250/24
switch(config-if-vlan)# active-gateway l3-src-mac
Warning: Active Gateway VMAC is not configured
With VSX-Sync configured, the "active-gateway l3-src-mac" configuration syncs to the peer device. The following configuration from the vsx-primary device can get synced to the vsx-secondary device.
VSX-Primary-Switch:
vsx-pri-switch(config-if-vlan)# ip address 192.168.1.250/24
vsx-pri-switch(config-if-vlan)# active-gateway ip 192.168.1.253 mac 00:00:00:00:00:01
vsx-pri-switch(config-if-vlan)# active-gateway ipv6 fe80::01 mac 00:00:00:01:00:01
vsx-pri-switch(config-if-vlan)# active-gateway l3-src-mac
For VSX-peer devices without VSX-Sync configured, it is expected that the virtual MACs and l3-src-mac configurations are identical on both devices for a given interface VLAN. If the configurations don't match, each device may end up using a different source MAC for routed traffic for this interface, and connectivity from connected devices to these VSX-peer devices may be affected.
VSX-Primary-Switch:
vsx-pri-switch(config-if-vlan)# ip address 192.168.1.250/24
vsx-pri-switch(config-if-vlan)# active-gateway ip 192.168.1.253 mac 00:00:00:00:00:01
vsx-pri-switch(config-if-vlan)# active-gateway ipv6 fe80::01 mac 00:00:00:01:00:01
vsx-pri-switch(config-if-vlan)# active-gateway l3-src-mac
VSX-Secondary-Switch:
vsx-sec-switch(config-if-vlan)# ip address 192.168.1.250/24
vsx-sec-switch(config-if-vlan)# active-gateway ip 192.168.1.253 mac 00:00:00:00:00:01
vsx-sec-switch(config-if-vlan)# active-gateway ipv6 fe80::01 mac 00:00:00:01:00:01
vsx-sec-switch(config-if-vlan)# active-gateway l3-src-mac
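The subnet and peer-system-MAC rules from the Usage section and the peer-consistency requirement above can be checked offline before a change is applied. The following Python audit is an added example, not HPE Aruba Networking code. It assumes the config-if-vlan command lines of each SVI have already been collected per switch, without prompts; the function names, finding labels and sample data are constructed for illustration.

```python
import ipaddress
import re

# Matches: active-gateway {ip|ipv6} [<address>] [mac <mac>] [extended-mac]
AG = re.compile(r"active-gateway (ipv6|ip)(?: (?!mac\b)(\S+))?(?: mac (\S+))?( extended-mac)?$")
ADDR = re.compile(r"(?:ip|ipv6) address (?:link-local )?(\S+)$")

def parse_svi(lines):
    """Parse the config-if-vlan command lines of one SVI."""
    svi = {"nets": [], "vips": [], "vmacs": set(), "l3_src_mac": False}
    for line in map(str.strip, lines):
        if line == "active-gateway l3-src-mac":
            svi["l3_src_mac"] = True
        elif m := AG.match(line):
            if m.group(2):
                svi["vips"].append(ipaddress.ip_address(m.group(2)))
            if m.group(3) and not m.group(4):  # regular (non-extended) VMAC only
                svi["vmacs"].add((m.group(1), m.group(3).lower()))
        elif m := ADDR.match(line):
            svi["nets"].append(ipaddress.ip_interface(m.group(1)).network)
    return svi

def audit(peers, system_macs):
    """peers: {switch: {vlan: [lines]}} for two VSX peers; system_macs: {switch: mac}."""
    findings, parsed = [], {}
    for sw, vlans in peers.items():
        parsed[sw] = {vlan: parse_svi(cmds) for vlan, cmds in vlans.items()}
        peer_macs = {m.lower() for s, m in system_macs.items() if s != sw}
        for vlan, svi in parsed[sw].items():
            for vip in svi["vips"]:  # VIP needs an SVI address in the same subnet
                if not any(vip in net for net in svi["nets"]):
                    findings.append((sw, vlan, "vip-outside-svi-subnet"))
            if {mac for _, mac in svi["vmacs"]} & peer_macs:
                findings.append((sw, vlan, "vmac-is-peer-system-mac"))
    a, b = parsed  # exactly two VSX peers
    for vlan in sorted(parsed[a].keys() & parsed[b].keys()):
        x, y = parsed[a][vlan], parsed[b][vlan]
        if (x["vmacs"], x["l3_src_mac"]) != (y["vmacs"], y["l3_src_mac"]):
            findings.append(("both", vlan, "peer-vmac-or-l3-src-mac-mismatch"))
    return findings

# Constructed sample: VLAN 20 VIP is off-subnet; sw2 lacks l3-src-mac on VLAN 10.
SVI10 = ["ip address 192.168.1.250/24", "active-gateway ip 192.168.1.253 mac 00:00:00:00:00:01"]
SVI20 = ["ip address 10.0.20.2/24", "active-gateway ip 10.0.30.1 mac 00:00:00:00:00:01"]
SAMPLE = {"sw1": {10: SVI10 + ["active-gateway l3-src-mac"], 20: SVI20},
          "sw2": {10: SVI10, 20: SVI20}}
MACS = {"sw1": "02:00:00:00:00:a1", "sw2": "02:00:00:00:00:a2"}  # constructed system MACs
if __name__ == "__main__":
    print(*audit(SAMPLE, MACS), sep="\n")
```

Extended-mac entries are parsed but left out of the peer comparison, which covers only the regular virtual MACs and the l3-src-mac flag.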
When l2-vlan-mac-mode flood is configured, l3-src-mac cannot be configured on a VLAN interface. Such a configuration can generate an error as shown, and the command will not take effect.
switch(config)# system l2-vlan-mac-mode flood
switch(config-if-vlan)# ip address 192.168.1.250/24
switch(config-if-vlan)# active-gateway l3-src-mac
active-gateway l3-src-mac cannot be configured when l2-vlan-mac-mode flood is configured.
Configuration table for supported SVIs
| Configuration | Platforms | Supported SVIs |
|---|---|---|
| When flood mode is configured | 8320 | Less than 512 |
| | 8325 and 10000 | Less than 1024 |
| When the active-gateway IPv4 is configured on SVI along with the flood mode | 8320 | Up to 190 |
| | 8325 and 10000 | Up to 380 |
| When the active-gateway IPv4 and IPv6 are configured on SVI along with the flood mode | 8320 | Up to 165 |
| | 8325 and 10000 | Up to 330 |
| When the VSX active-forwarding, VRRP and virtual-mac features are configured | 8320, 8325 and 10000 | Goes down |
When the l3-src-mac option is unconfigured, the system MAC is used as the source MAC for routed traffic.
For more information on features that use this command, refer to the Virtual Switching Extension (VSX) Guide for your switch model.
Command History
| Release | Modification |
|---|---|
| 10.14 | Added information related to role based IPFIX. |
| 10.12.1000 | Added the extended-mac feature support for 6400v2, 8100, and 8360v2 switches. |
| 10.12 | The l3-src-mac parameter supported for 6400, 8100, and 8360 switches. |
| 10.10 | Added the l3-src-mac parameter and command supported for 9300 switch. |
| 10.09.0010 | Added IPv6 support for configuration of active gateway and SVI with the same address. |
| 10.09 | Command supported for 10000 switch. |
| 10.08 | Added <MAC-ADDRESS> parameter to the no form of the command. |
| 10.07 or earlier | -- |
Command Information
| Platforms | Command context | Authority |
|---|---|---|
| 5420; 6300, except for S3L75A, S3L76A, S3L77A; 6400; 8100; 8360; 8325; 8325H; 8325P; 9300; 9300S; 10000 | config-if-vlan | Administrators or local user group members with execution rights for this command. |