Configuring HSRP in a Multiple Vlan environment

Answered Question
Nov 4th, 2008

Hi Everybody,


I was planning to have redundancy to our gateway using HSRP. The 4506 switch that we have consists of multiple VLAN interfaces. I was wondering if I could have all the interfaces in the same HSRP standby group, or do all the VLAN interfaces need to have different HSRP groups? A sample configuration would help a lot.


Thanks

Arabinda

Giuseppe Larosa Tue, 11/04/2008 - 05:21

Hello Arabinda,

Using the same group is not permitted on router VLAN subifs.

With a multilayer switch like the 4506, the usage of the same group is permitted and can provide a scalability gain (reduced number of MAC entries in the packet filter).


In order to avoid possible problems when by accident two broadcast domains are joined I would use HSRP with authentication using a different password in each vlan.


And last but not least using HSRP requires two distinct devices to provide a real effect on redundancy.


Hope to help

Giuseppe


arabindas Tue, 11/04/2008 - 06:14

Hi Giuseppe,


Thanks for your response. I would configure that in lab and let you know.


We have two distinct devices for HSRP, one is the C4506 and another is a 3750G switch (2 3750 switches stacked). Hope that would give us real effect on redundancy.


Thanks

Arabinda

Edison Ortiz Tue, 11/04/2008 - 06:32

I was wondering, if I could have all the interfaces in the same HSRP standby group.


You sure can.



S1#sh ver | i IOS
Cisco IOS Software, C3560 Software (C3560-ADVIPSERVICESK9-M), Version 12.2(25)SEE4, RELEASE SOFTWARE (fc1)

interface Vlan4
 ip address 4.4.4.4 255.255.255.0
!
interface Vlan10
 ip address 10.10.10.10 255.255.255.0
!
interface Vlan40
 ip address 40.40.40.40 255.255.255.0


Adding the HSRP config:

interface Vlan4
 ip address 4.4.4.4 255.255.255.0
 standby ip 4.4.4.1
!
interface Vlan10
 ip address 10.10.10.10 255.255.255.0
 standby ip 10.10.10.1
!
interface Vlan40
 ip address 40.40.40.40 255.255.255.0
 standby ip 40.40.40.1

3w1d: %HSRP-6-STATECHANGE: Vlan4 Grp 0 state Standby -> Active
3w1d: %HSRP-6-STATECHANGE: Vlan10 Grp 0 state Standby -> Active
3w1d: %HSRP-6-STATECHANGE: Vlan40 Grp 0 state Standby -> Active

S1#sh stand | i Group
Vlan4 - Group 0
Vlan10 - Group 0
Vlan40 - Group 0


HTH,




Edison.

arabindas Tue, 11/04/2008 - 07:21

Hi Edison, thanks a lot for the sample config.


Hello Giuseppe,


As mentioned by you, I configured separate HSRP authentication passwords for two separate VLANs, 10 and 11. For VLAN 10 it works fine, but for the second VLAN interface (VLAN 11) it always gives the error:


"00:25:25: %HSRP-4-BADAUTH: Bad authentication from 10.0.11.3, group 10, remote state Active"


Regards,

Arabinda


John Blakley Tue, 11/04/2008 - 07:24

Make sure that you have the same type of authentication: md5 vs text on both sides.


--John

arabindas Tue, 11/04/2008 - 07:34

Hey John,


Instead of md5, I have now configured simple text on both switches, and now it seems to be working. I do not know why the problem had arisen when I had configured md5 on both sides.


Thanks

Arabinda

John Blakley Tue, 11/04/2008 - 07:37

Interesting. You may want to try to set it back now. :-)


John

arabindas Tue, 11/04/2008 - 07:46

Hey John,


I removed all the config and reconfigured the authentication back to md5 key-string, and now it works :-).


I do not know what I had missed last time.


Regards

Arabinda

Edison Ortiz Tue, 11/04/2008 - 08:01

Often authentication fails because when entering the password a space was also entered inadvertently.




Edison.

Correct Answer
Giuseppe Larosa Tue, 11/04/2008 - 09:42

Hello Arabinda,

I'm happy that this time md5 authentication worked.

Probably the best thing is to have the authentication string created and saved in a text file and to copy from it to both routers.


Hope to help

Giuseppe
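
The checks suggested in the replies above (same authentication type on both sides, no stray space in the key, one string copied to both devices) can be automated against saved configs. This is an added example, not part of the original thread and not Cisco tooling; the function names and the sample configs are constructed, and it assumes the keys appear in clear text in both saved configurations.

```python
import re

# "standby [group] authentication md5 key-string [0|7] KEY" or
# "standby [group] authentication [text] STRING"; an omitted group means 0.
AUTH_RE = re.compile(r"^\s*standby(?: (\d+))? authentication "
                     r"(?:(md5) key-string (?:[07] )?|(?:text )?)(.*)$")

def parse_hsrp_auth(config):
    """Map (interface, group) -> (auth type, key); trailing spaces are kept."""
    auth, iface = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            iface = line.split(None, 1)[1].strip()
            continue
        m = AUTH_RE.match(line)
        if m and iface:
            auth[(iface, int(m.group(1) or 0))] = (m.group(2) or "text", m.group(3))
    return auth

def compare(a, b):
    """List (interface, group, problem) for two peers; never echoes the keys."""
    problems = []
    for where in sorted(set(a) | set(b)):
        if where not in a or where not in b:
            problems.append((*where, "authentication set on one switch only"))
            continue
        (type_a, key_a), (type_b, key_b) = a[where], b[where]
        if type_a != type_b:
            problems.append((*where, f"type mismatch: {type_a} vs {type_b}"))
        elif key_a != key_b:
            same = key_a.strip() == key_b.strip()
            problems.append((*where, "keys differ only by whitespace" if same
                             else "keys differ"))
    return problems

def sample(entries):  # builds a constructed config, one auth line per SVI
    return "\n".join(f"interface {i}\n standby 10 authentication {k}"
                     for i, k in entries)

# Constructed sample data (placeholder keys, not from the thread).
SWITCH_A = sample([("Vlan10", "md5 key-string EXAMPLE-KEY-10"),
                   ("Vlan11", "md5 key-string EXAMPLE-KEY-11 "),  # stray space
                   ("Vlan12", "md5 key-string EXAMPLE-KEY-12")])
SWITCH_B = sample([("Vlan10", "md5 key-string EXAMPLE-KEY-10"),
                   ("Vlan11", "md5 key-string EXAMPLE-KEY-11"),
                   ("Vlan12", "text EXAMPLE-KEY-12")])

if __name__ == "__main__":
    for problem in compare(parse_hsrp_auth(SWITCH_A), parse_hsrp_auth(SWITCH_B)):
        print(problem)
```

With the sample data, Vlan10 passes, Vlan11 is reported as differing only by whitespace, and Vlan12 as an md5 versus text mismatch.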



arabindas Wed, 11/05/2008 - 05:53

Thank you everybody for your help and suggestions.
