Hi Giuseppe/Jon

Thanks for the the great information. I uploaded a new LAN design.

Switching

Jon,

If I decided to go for a L3 etherchannel link and HSRP for redundancy, the network design for the

customer will have approx 20 access switches (3750 stacks and 3560). Will the HSRP traffic for this

amount of access switches cause a problem? Will the HSRP traffic go down all L2 paths?

Routing

Giuseppe,

Regard the routing I have re-designed the network with L3 links (VLAN 30) between the

core (6509) and router (2821).

Can you give me an example how to configure HSRP/eigrp for both routers and core swithes.

as you described below. Sorry I'm dont have mush experience with routing.

"You can make preferred 6509_1 by increasing delay on Vlan 30 SVI on 6509_2.

the same you can do on C2821_2"

Thanks,

Colm

Colm

Yes the HSRP traffic would go down all L2 paths where there is a path from one 6500 to another via the access-layer.

No it should not cause a problem as HSRP multcast packets are very small and indeed this is one of Cisco's recommended designs.

There is nothing wrong with L2 between your switches but L3 is also a good choice.

Jon

Hello Colm and Jon,

I was meaning the layer two trunk to be between the two C6509 not only with access-layer switches: I'm sorry if it was unclear.

About the vlan 30:

One possible design is to use a single Vlan 30 that spans on C6509_1, C2821_1, C6509_2,C2821_2,

another design could be that of using two Vlans

Vlan 30 allowed only on link C6509_1 - C_2821_1

Vlan 31 allowed only on link C6509_2 - C_2821_2

This could make HSRP tracking easier: it is a feature that provides HSRP some knowledge of what happens: it tracks the state of Vlan 30 (on C6509_1) and of Vlan 31 (on C6509_2) so that if it fails the HSRP priority is reduced and active HSRP router becomes C6509_2.

About EIGRP routing:

EIGRP metric is cumulative on delay as seen in the show interface of L3 links on path to destination.

And proportional to the inverse of lowest BW on path

So in your case

let's suppose we use a single backbone vlan 30

as in your drawing

C6509_2

int Vlan 31

delay 10000

int Vlan 10

delay 10000

int Vlan 20

delay 10000

C2821_2

int f0/0

desc link to C6509_2

delay 10000

! this actually is not effective from the point of view of C6509_1

! it is outgoing metric to be added

So my suggestion is to use two backbone Vlans Vlan 30 and Vlan 31

in this way:

C6509_1 will be the preferred incoming point for its better metrics to client subnets Vlan 10 and vlan 20

for HSRP:

one group on each client vlan with tracking of the backbone vlan

Cat6509_1

int vlan 10

standby 10 ip address 192.168.1.1

standby 10 priority 105

standby 10 prempt

standby 10 track vlan30

the same with different group number and appropriate ip address for vlan 20

on C6509_2

int vlan 10

standby 10 ip address 192.168.1.1

standby 10 prempt

standby 10 track vlan31

the default priority is 100 if vlan30 fails on C6509_1 its pri becomes 105-10 = 95 C6509_2 thanks to preempt takes over on all HSRP groups.

! on C6509_1:

router eigrp 100

network 192.168.1.0

network 192.158.2.0

network 192.168.3.0

no auto-sum

! network commands for all vlans and for the connected backbone vlan

! on C6509_2

router eigrp 100

network 192.168.1.0

network 192.158.2.0

network 192.168.31.0

no auto-sum

! very important EIGRP AS number 100 in example must match in all routers (be the same)

on all trunks :

permit all vlans with the exception of vlans 30 and 31 the backbone vlans

Hope to help

Giuseppe

Hi Giuseppe,

The above post and explanation and been very helpful for my understanding the advantage of using HSRP for redundancy in the L2 and L3 network.

Attached is the configuration I will be applying for C2821_1, C2821_2, C6509_1, C6509_2 devices

Can you confirm that the configuration is ok and this will achieve full redundancy for L2 & L3 links.

Updated LAN diagram attached

configs

Hello Colm,

some little notes:

C6509_1:

add standby track 20 vlan30 within int Vlan 20

I would make C6509_1 root bridge also for vlan 20:

spanning-tree vlan 20 root secondary

I would change it in

spanning-tree vlan 20 root primary

C6509_2

change to:

spanning-tree vlan 20 root secondary

on all interface you could modify the delay: to find the right value to use take the sh int vlan 10 and look at the delay then configure a value ten times bigger

suppose you read 1000 microseconds then

int vlan 10

delay 10000

int vlan 20

delay 10000

int vlan 40

delay 10000

It is possible to work well even without these commands: only there is a chance that some node can load balance traffic for Vlan 10 and Vlan20 on the two paths C2821_1 -- C6509_1 and C2821_2 --- C6509_2.

Most of network designs accept this so the delay part is optional and only needeed when the next-hop device is a FW and needs to see traffic flows in both directions.

HSRP tracking of SVI Vlan30 and Vlan40 works well if only one physical interface is associated to each of them.

An alternate way that provides this is to configure the port as routed port

so instead of using vlan30 and vlan40 you can:

suppose g2/1 is link on C6509_1 to C2821_1

int g2/1

no switchport

ip address 192.168.3.2 255.255.255.0

then you change tracking target as

int vlan 10

standby 10 track g2/1

int vlan 20

standby 20 track g2/1

And you can do the same on C6509_2.

So if a new trunk allowing all Vlans is created later HSRP tracking will still work.

Hope to help

Giuseppe

Hi Giuseppe,

I have decided not to use vlan 30 & vlan 40 on the two core switches, instead I will user a routed port on G2/1 on both cores. HSRP will then monitor this port. (configs uploaded)

When using a routed port will I still need vlan 30 on the 6509_1?

!6509_1

int g2/1

desc "link to 2821_1"

ip address 192.168.3.2 255.255.255.0

vlan 30

name

Management VLan ( Enquiry)

The customer is now looking to use a management VLAN for all switches and routers (corporate). With the design to date will this be a good idea to use a flat network? Below is the IP addressing scheme wanted by the customer.

VLan 100

desc "MGMT"

!2821_1

192.168.100.252/24 !-link to 6509_1

!6509_1

int vlan 100

ip address 192.168.100.2

stanby ip address 192.168.100.1

!2821_2

192.168.100.253/24 !-link to 6509_2

!6509_2

int vlan 100

ip address 192.168.100.3

stanby ip address 192.168.100.1

Thanks again,

Colm

Hello Colm,

thanks for your good remarks

if you use routed ports vlan30 and vlan40 are no longer needed so you don't need to create them even as L2 entities.

I would add a separate vlan like vlan 100 for management of network devices inside the campus network: it is a good choice to avoid to have the management ip addresses of switches in the client vlans and also I suggest don't use vlan1 for management.

For example you can limit access to vlan100 to NOC users with an ACL so that users in vlan10 and vlan20 cannot access the switches.

L3 separation provides means to make secure the network and also to implement policies that now are not required but could be in the future.

So I would propose the customers two client vlans, one management vlan for the campus block, L3 links to connect campus to backbone.

What now looks like a useless complexity is the base for making changes easier in the future.

if the backbone vlan arrives at access layer switches EIGRP hellos are propagated to devices that don't need to receive them.

If you are asked to introduce VoIP you likely will need additional subnets for example.

The scenario you have built can scale up to different vlans as needed it is just enough to create the l2 vlans, assign unused IP subnets and advertise them in EIGRP adding a network command.

Hope to help

Giuseppe

Hi

Management VLAN.

Attached is the new proposed LAN required by my customer.

Q.Can HSRP be used for tracking a routed port when on the same L2 VLAN?

Q.I would like to keep the same network design used for tracking L3 routed ports on the core switches but customer wants all devices on the management vlan. Is this possible?

Q.Using this flat Management Vlan between all switches and backbone router, will this cause problems?

Will I have to change the configuration for eigrp routing on all backbone devices by using his new design.

Please advise.

Thanks,

Colm

Hello Colm,

first of all you cannot have a routed port with an ip address that overlaps with SVI ip address for vlan 100

you need to use a L2 link to 2821 and you miss the chance to use tracking of SVI that now is used in multiple L2 links and trunks.

In this case you need to use a more advanced feature that is object tracking or you can track the state of the L2 port to C2821_1 (this should be possible I didn't test this but I've seen it proposed in other posts).

So the idea is to track L2 ports to C2821.

2)

No real problems but EIGRP hellos will travel in the campus to access layer switches that don't run it. No real issue but you are going to build adjacencies between all L3 devices in vlan 100: C6509_1, C2821_1, C6509_2, C2821_2.

3)

using the flat becomes natural to have C2821 to advertise the net with the network command that is needed to build adjacencies with core switches.

Here the question is to decide where the campus block ends: if 2821s are to be part of it this leads to have them in vlan100.

Hope to help

Giuseppe