iptables -t mangle -A PREROUTING -i eth0.404 -j DSCP --set-dscp-class AF41
| Pitfall | Consequence | FBSubnet Fix |
|---------|-------------|---------------|
| Same power feed for both gateways | UPS failure kills all redundancy | Place gateways on different PDUs/ATS units |
| Asymmetric stateful firewall | Dropped sessions after failover | Use stateless ACLs or sync firewall sessions |
| ARP cache timeouts | Traffic blackholed during failover | Set mac-address-table aging-time low (30 sec) |
| No link debounce | Flapping uplink triggers preempt thrashing | Configure link debounce time 200 on gateway ports |
If you are looking at a console that reads "fbsubnet l hot" and you need to resolve it, follow this step-by-step guide:
Requirement: Zero-downtime even if one router is rebooted for patching.
FBSubnet Design:
VLAN 200 – Payment Processing
IPv4: 172.22.200.0/24
HSRPv2 Group 200:
    Virtual IP: 172.22.200.1
    Router-A priority 110 (active)
    Router-B priority 100 (standby)
    Preempt delay minimum 30
    Track 1 (uplink to core): decrement 20 if down

Router-A: interface vlan200 ip address 172.22.200.2/24
Router-B: interface vlan200 ip address 172.22.200.3/24
Hosts in this subnet use .1 as default gateway.
Result: During Router-A maintenance, Router-B takes over with <1 sec loss (single ping drop). Sessions remain alive due to state sync (session table replication).
A typical /24 subnet with default settings is designed for "warm" traffic—bursts of activity followed by idle periods. In an fbsubnet l hot scenario, traffic is continuous.
Common failure points:
To transition to an fbsubnet l hot architecture, you must redesign your switching fabric.