07-13-2022 11:07 PM
We have a problem with a VMware installation.
Windows Server 2016 Hyper-V on HP Blade
An Infoblox NIOS 8.6.2 VM appliance is used.
Infoblox NIOS is Linux based and uses VRRP to enable HA.
There are four Ethernet interfaces, of which only the second and third are used.
Ethernet 2 is the LAN1 of the Infoblox NIOS VM
Ethernet 3 is the HA of the Infoblox NIOS VM
Ethernet 1 and 4 are currently not connected.
In order to enable VRRP, the interfaces are allowed to carry out "MAC spoofing".
After setting up the VM, without configured HA and VRRP, only LAN1 (Ethernet 2) can be reached via LAN1. (IP 10.156.96.14)
The configuration is then changed to an HA configuration via the Infoblox's WebUI.
The following data is used for this:
LAN1 (Ethernet 2) IP: 10.156.96.14 /24
HA (Ethernet 3) IP: 10.156.96.15 /24
VRRP VIP on HA: 10.156.96.9 /24
VRRP MAC: 00-00-5E-00-01-15 (on HA - Ethernet 3)
After a necessary restart of the VM, the VRRP-VIP on the HA (Ethernet 3) cannot be reached from the outside.
A ping works locally, and a view of the interface also shows the packets arriving and being sent (> show interface on the CLI of the NIOS VM).
A started tcpdump shows on the HA (Ethernet 3) that only broadcast and multicast packets arrive. (> set expert mode then > tcpdump -i eth2 on the CLI of the NIOS VM)
A ping from another device in the same network to the VRRP VIP (10.156.96.9) is not visible in the tcpdump.
The assumption is that the data packets are not forwarded to the VRRP MAC of the Infoblox VM.
Since only the HP blade switch has not yet been ruled out here, the next step is to clarify where the packets are lost.
My guess is that the VRRP MAC of the Infoblox is not allowed at one point and therefore the packets are not forwarded.
HA with two virtual Infoblox appliances -> no problems. So we can rule out the vSwitch.
HA with two physical Infoblox appliances -> no problems. So we can rule out the Aruba infrastructure.
Thanks in advance
07-29-2022 03:10 AM
When you enabled "MAC spoofing", are there any other security options, since you are using Hyper-V?
For VMware, you need to accept "MAC address changes" and "Forged transmits".
What are the security settings you have enabled?
Also, below is the screenshot of the configuration table for HA. Could you please provide the same table from your end?
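
Added example, not part of the thread or any poster's code: a Python helper that reads `tcpdump -e` output and reports whether any frame addressed to the VRRP virtual MAC reaches the HA interface, which is the check the first post performs by eye. The `-e` flag (print MAC addresses), the function names and the sample capture lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Link-level header printed by `tcpdump -e`: "<src MAC> > <dst MAC>,"
MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
FRAME = re.compile(rf"({MAC}) > ({MAC}),", re.I)

def normalize(mac):
    """Accept 00-00-5E-00-01-15 or 00:00:5e:00:01:15; return lowercase colon form."""
    return mac.replace("-", ":").lower()

def dst_class(mac):
    """Classify a destination MAC as broadcast, multicast or unicast."""
    if mac == "ff:ff:ff:ff:ff:ff":
        return "broadcast"
    # The low bit of the first octet is the group (multicast) bit.
    return "multicast" if int(mac[:2], 16) & 1 else "unicast"

def summarize(capture, virtual_mac):
    """Count frames per destination class and frames addressed to the virtual MAC."""
    vmac = normalize(virtual_mac)
    counts = Counter()
    for line in capture.splitlines():
        m = FRAME.search(line)
        if not m:
            continue  # not a frame line (banner, wrapped output, ...)
        dst = m.group(2).lower()
        counts[dst_class(dst)] += 1
        if dst == vmac:
            counts["to_virtual_mac"] += 1
    return counts

def unicast_to_vip_missing(counts):
    """True when group traffic arrives but nothing is addressed to the virtual MAC."""
    return counts["to_virtual_mac"] == 0 and counts["broadcast"] + counts["multicast"] > 0

# Constructed sample of `tcpdump -e -n -i eth2` output, not taken from the poster's system.
SAMPLE = """\
12:00:01.000001 00:00:5e:00:01:15 > 01:00:5e:00:00:12, ethertype IPv4 (0x0800), length 54: 10.156.96.15 > 224.0.0.18: VRRPv2, Advertisement, vrid 21, prio 100
12:00:01.500000 3c:52:82:aa:bb:cc > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 10.156.96.9 tell 10.156.96.20, length 46
"""

if __name__ == "__main__":
    c = summarize(SAMPLE, "00-00-5E-00-01-15")
    print(dict(c), "unicast to VIP missing:", unicast_to_vip_missing(c))
```

A result of "missing" while a ping to the VIP is running matches the symptom in the first post: the frames are dropped before they reach the guest interface.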