HSRP w/ More than 255 Vlans

Answered Question
Jun 17th, 2007

Question regarding HSRP. In all the implementations I've done, I used a different group for each instance. So Vlan1 would use group 1, Vlan2 uses group 2 and so on.


I recently took over a network where they have more than 255 Vlans, and are running HSRP with everything in group 0.


Are there any ill effects that can happen from this?


interface Vlan241
 ip address 192.168.241.2 255.255.255.0
 no ip redirects
 ip pim sparse-dense-mode
 standby ip 192.168.241.1
 standby timers 1 3
 standby priority 110
 standby preempt delay minimum 60
 standby 241 preempt
!
interface Vlan242
 ip address 192.168.242.2 255.255.255.0
 no ip redirects
 ip directed-broadcast 100
 ip pim sparse-dense-mode
 standby ip 192.168.242.1
 standby timers 1 3
 standby priority 110
 standby preempt delay minimum 60
 standby 242 preempt
!


Hello!

The previous config seems useless because you have the 2nd switch acting in standby mode for Vlan 242 and so on, e.g. the load is on the 1st switch and the second switch stays without work until the 1st switch goes down.

I would suggest the following:

1) If your switch supports GLBP, go with it to do load balancing across all VLANs.

2) If you will go with HSRP, try to make switch 1 root primary for Vlan 254 and switch 2 root secondary for Vlan 254, as well as vlan 254 primary on switch 2 and root secondary on switch 1. I mean manual traffic sharing.

10xs

glen.grant Sun, 06/17/2007 - 11:21

We don't have that many but we run about 80 vlans all in standby group 1 and it works fine. You load balance by configuring which side is the active side and setting your spanning tree correspondingly.

johnnylingo Mon, 06/18/2007 - 07:39

Thanks, I guess that's the information I needed. I don't see any reason why it wouldn't work, but just was curious if I'm missing something.

Correct Answer
wochanda Mon, 06/18/2007 - 12:51

Since most of the switches we ship are limited in the number of HSRP groups you can configure, this is a perfectly normal configuration.


This does open you up to a potentially bad problem, however, which happens whenever the VLANs are accidentally bridged together (usually by a cable linking them together). Before the VLANs can talk to each other, each VLAN (broadcast domain) has probably 2 HSRP-speaking devices on it, of which one will be active. When the VLANs are bridged together, all of a sudden 4 HSRP devices (routers) are within broadcast range of each other, so they start to hear each other's hellos. Since HSRP only uses group # to decide who should be active, only 1 of the 4 routers of our new broadcast domain will become active, leaving the PCs on one of the VLANs without a default gateway (both will be in standby).


If you can keep people from plugging cables between access ports in each VLAN, though, this'll work perfectly :).

wochanda Mon, 06/18/2007 - 12:53

I probably should have mentioned that if, in the above case, you were using 2 different HSRP group #s, the extra HSRP hellos would have been ignored by the other group, and everyone still would have had a gateway. Of course, now, it's harder to tell when your VLANs are bleeding into each other.
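
The failure mode described in the two posts above, as a small election model. This is an added example, not code from the thread or from Cisco: it assumes one active router per broadcast domain and group, chosen by highest priority and then highest interface IP, and the router names and the .3 peer addresses are constructed.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address
from itertools import groupby


@dataclass(frozen=True)
class Router:
    name: str            # constructed label
    vlan: int            # VLAN whose virtual IP this router serves
    ip: str              # interface address
    group: int           # HSRP group number
    priority: int = 100


def active_gateways(routers, bridged=()):
    """Return {vlan: active router serving that VLAN's virtual IP, or None}.

    `bridged` is a sequence of disjoint VLAN sets that were accidentally
    joined into one broadcast domain (assumption: sets do not overlap).
    """
    domain = {r.vlan: r.vlan for r in routers}
    for vlans in bridged:
        for v in vlans:
            domain[v] = min(vlans)
    result = {r.vlan: None for r in routers}
    key = lambda r: (domain[r.vlan], r.group)
    # One election per (broadcast domain, group): priority first, then IP.
    for _, members in groupby(sorted(routers, key=key), key=key):
        winner = max(members, key=lambda r: (r.priority, IPv4Address(r.ip)))
        result[winner.vlan] = winner.name
    return result


def topology(distinct_groups):
    # Constructed pairs modelled on the posted SVIs (.2 at priority 110).
    g = lambda vlan: vlan if distinct_groups else 0
    return [Router("sw1-v241", 241, "192.168.241.2", g(241), 110),
            Router("sw2-v241", 241, "192.168.241.3", g(241)),
            Router("sw1-v242", 242, "192.168.242.2", g(242), 110),
            Router("sw2-v242", 242, "192.168.242.3", g(242))]


if __name__ == "__main__":
    for distinct in (False, True):
        for bridged in ((), ({241, 242},)):
            print(f"distinct_groups={distinct} bridged={bool(bridged)}:",
                  active_gateways(topology(distinct), bridged))
```

A `None` entry marks a VLAN whose routers are all in standby, which only appears when the VLANs are bridged and share group 0.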

johnnylingo Mon, 06/18/2007 - 12:58

My gut was telling me there was a potential issue with this configuration, and you nailed it. I'm planning to roll out BPDUGuard and port-security to have control over unauthorized bridges being plugged in to the network, so hopefully that will be an acceptable safeguard against HSRP and other multicast applications getting hosed.


Thanks for the post - 5 stars!


