HSRP: Does the virtual IP have to be in same subnet as interface IP ?

Sep 19th, 2008
I have a 3550 that is running layer 3, and acting as the endpoint of several incoming IP blocks, as well as the default gateway for the internal networks to get out. The remote ISP has assigned a /30 to use on the interface, and they route the blocks to our interface address. The interface looks like this : (real IPs masked)

interface Vlan829
 description Level 3
 ip address

I now have a 2nd 3550 to put in place to build a redundant setup. Easy enough to use HSRP for the interface/address that is the default gateway for the outbound traffic. But that inbound /30 is another matter.

Can I replace that vlan829 interface with the following ?

! primary 3550
interface Vlan829
 description Level 3
 ip address
 standby 829 ip

! backup 3550
interface Vlan829
 description Level 3
 ip address
 standby 829 ip

I created a test vlan interface to try it out on the single 3550 (2nd isn't in place yet). It seems to work - sh standby shows the standby group starting off in Init state, then Listen state, then Speak state, and finally Active state.

At that point, the virtual IP seems to be live and pingable. I've only ever configured HSRP to use 3 addresses within the same subnet, and that's what I'll do for the outbound default gateway interface address. But will this work for the inbound /30 ?

Thanks -


Marwan ALshawi Fri, 09/19/2008 - 19:14
No, you need them all in the same subnet,

real IPs and the virtual IP as well !!

In your case you may put a router and connect both switches to the router; then the /30 will be on the outside router interface, and on the switches you can run HSRP. For the inbound, if you connect the switches directly to the router, you need redundant static routes.

good luck

if helpful Rate

halfwalker Fri, 09/19/2008 - 21:48
Hi -

Thanks, but that doesn't work. The whole point is for redundancy, and putting a router in front (aside from the expense and additional equipment) just moves the single point of failure out one step.

The inbound IP blocks are routed by the ISP to the .1 address of the pair of addresses in the /30. If the L3 switch where that is defined goes down, then regardless of the second 3550 we will still have loss of connectivity. I need a way for that endpoint address to be able to swing between the two 3550's, like HSRP.


Jon Marshall Sat, 09/20/2008 - 10:18

Can you explain the connectivity between your existing 3550 and the ISP? Also, when you add your 2nd 3550, will you be getting a redundant connection from your ISP? If you are not, and the switch that hosts the connection from your ISP goes down, it doesn't matter if the address shifts to the new 3550: you will still lose connectivity.


halfwalker Sat, 09/20/2008 - 13:06
Hi Jon -

OK, currently we have two links from our colo ISP into the existing 3550. Those two links come in from two different ISP core switches. We run bgp between us and them (no AS of our own) to handle routing of all the IP blocks we get from the colo ISP. There are two vlan interfaces defined, each with a /30, that act as the endpoints for the incoming IP blocks.

We also have some blocks coming in from Level 3. Those come physically into one of the colo ISP ports, again using a /30 to route the blocks. There is a vlan from the remote incoming switch port and our 3550, with one of the /30 IPs on that vlan interface, basically as shown in the original post.

When I add in the 2nd 3550, we'll swing one of the colo ISP links over to it, and run a trunk between the two 3550's. I'll use HSRP to handle the outbound default gateway ip address (easy enough) between the two 3550's. Incoming traffic for our colo ISP IP blocks will be handled by bgp. It's the incoming Level 3 connection that I need to redundantize ...

Right now Level 3 just routes the blocks to our end of the /30. Since we don't have our own AS, we can't do a bgp session with them. I suppose our colo ISP could do it on our behalf, but that's asking a lot - I would rather be a little more independent.

So, given that the destination ip address for our incoming Level 3 IP blocks is in a /30, how can I best make it a redundant setup ? HSRP looks like it will do the trick, using our end of the /30 as the virtual IP. But the $64 question is ...

Do the ip addresses on each vlan interface (one per 3550) have to be in the same subnet as the virtual ip ?

They can definitely be in the same local subnet ( for example) so that they can see each other, per the example in the original post. It *looks* like it will work based on the quick test I did.
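The following is an added example, not code from the thread or from Cisco. It encodes the rule Marwan states earlier (the HSRP virtual IP must fall inside a subnet configured on the interface) together with the address arithmetic behind the original question: a /30 carries only two host addresses, so two physical switch addresses plus a distinct virtual address cannot all live in it. The config it parses is constructed from RFC 5737 documentation ranges, since the poster's real addresses were masked; the interface names and group numbers are illustrative.

```python
import ipaddress
import re

# Constructed sample configuration (documentation addresses, not the poster's).
# Vlan100 is a normal /24 HSRP pair, Vlan829 mirrors the /30 from the thread,
# and Vlan830 places the virtual IP outside the interface subnet on purpose.
SAMPLE_CONFIG = """\
! primary 3550 (constructed example)
interface Vlan100
 description outbound default gateway
 ip address 192.0.2.2 255.255.255.0
 standby 100 ip 192.0.2.1
!
interface Vlan829
 description Level 3 (/30 assigned by the ISP)
 ip address 198.51.100.1 255.255.255.252
 standby 829 ip 198.51.100.1
!
interface Vlan830
 description virtual IP outside the interface subnet
 ip address 203.0.113.2 255.255.255.0
 standby 830 ip 198.51.100.5
"""

IFACE_RE = re.compile(r"^interface (\S+)")
ADDR_RE = re.compile(r"^\s*ip address (\S+) (\S+)(?: secondary)?")
STANDBY_RE = re.compile(r"^\s*standby (\d+) ip (\S+)")


def parse_interfaces(config):
    """Parse IOS-style interface stanzas.

    Returns {interface: {"subnets": [IPv4Network, ...], "standby": {group: IPv4Address}}}.
    Primary and secondary 'ip address' lines both count as subnets on the interface.
    """
    interfaces = {}
    current = None
    for line in config.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)
            interfaces[current] = {"subnets": [], "standby": {}}
            continue
        if current is None:
            continue
        m = ADDR_RE.match(line)
        if m:
            # ip_interface accepts a dotted netmask; .network zeroes the host bits
            net = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}").network
            interfaces[current]["subnets"].append(net)
            continue
        m = STANDBY_RE.match(line)
        if m:
            interfaces[current]["standby"][int(m.group(1))] = ipaddress.ip_address(m.group(2))
    return interfaces


def check_hsrp(config, peers=2):
    """Return (interface, group, problem) tuples for every standby group that
    cannot work as configured: a virtual IP outside every subnet on the
    interface, or a subnet too small for `peers` real addresses plus one
    distinct virtual address. Assumes prefixes of /30 or shorter."""
    problems = []
    for name, data in parse_interfaces(config).items():
        for group, vip in data["standby"].items():
            matching = [n for n in data["subnets"] if vip in n]
            if not matching:
                problems.append((name, group, "virtual IP not in any subnet on the interface"))
                continue
            net = matching[0]
            hosts = net.num_addresses - 2  # drop network and broadcast addresses
            needed = peers + 1             # one per switch plus the virtual IP
            if hosts < needed:
                problems.append((name, group,
                                 f"{net} has {hosts} host addresses, HSRP needs {needed}"))
    return problems


if __name__ == "__main__":
    for iface, group, why in check_hsrp(SAMPLE_CONFIG):
        print(f"{iface} standby {group}: {why}")
```

Run against the sample, the /24 group passes, the /30 group is flagged for lacking a third address, and the out-of-subnet group is flagged outright. The second finding is the practical answer to the question above: even if the virtual IP is placed in the ISP's /30, there is no room left for a second real address on that subnet.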
