HSRP/STP Design Question

Unanswered Question
Dec 18th, 2008

See attachment - I have 3 switches: 2 core and 1 access layer. access1 is connected to both cores via a single dot1q trunk. VLAN 175 is active on all switches. According to spanning-tree, the root port (gi0/1) is towards CORE1 on access1 and the blocking port (gi0/2) is to CORE2. The problem is when the HSRP state changes between the CORES, say CORE2 is now the active HSRP peer, the spanning-tree topology stays the same and traffic from access1 to CORE1 is blackholed. access1 can no longer access anything on the network and the MAC address for 192.168.175.254 is still pointing to CORE1 via gi0/1. Any suggestions how to rectify this behaviour?


Francisco.



John Blakley Thu, 12/18/2008 - 08:08

You may want to configure spanning-tree backbonefast on both cores, and spanning-tree uplinkfast on your access switch.


You just enable both at the prompt (if you haven't already done so). It helps with convergence time from a failure.


HTH,


John

francisco_1 Thu, 12/18/2008 - 08:11

Already part of the configs. I need to know how to influence spanning-tree when HSRP state changes, if possible.


Francisco.

Jon Marshall Thu, 12/18/2008 - 08:10

Francisco


This is a standard L2 -> L3 design. If the HSRP gateway changes to CORE 2 then traffic should just go from access1 to CORE1 across the L2 trunk to CORE2. Traffic should not be blackholed.


Either something else is happening when the HSRP gateway swaps over that you are not registering, i.e. what is making the gateway fail over.


Is the trunk link between the 2 core switches allowing VLAN 175?


Jon

francisco_1 Thu, 12/18/2008 - 08:13

Yeah, the trunk is allowing VLAN 175. When CORE2 becomes the active, from access1 the port towards CORE1 is still in forwarding state and I cannot ping any other VLANs from access1.




configs


Core1

spanning-tree vlan 175 priority 8192

interface Vlan175
 description ServerManagement_Vlan
 ip address 192.168.175.253 255.255.255.0
 no ip redirects
 arp timeout 300
 standby 175 ip 192.168.175.254
 standby 175 timers 1 3
 standby 175 priority 115
 standby 175 preempt delay minimum 60
 standby 175 authentication secret

Interface   Grp  Prio P State    Active addr      Standby addr     Group addr
Vl175       175  115    Active   local            192.168.175.252  192.168.175.254




Core2

spanning-tree vlan 175 priority 16384

interface Vlan175
 description NetworkManagement_Vlan
 ip address 192.168.175.252 255.255.255.0
 no ip redirects
 arp timeout 300
 standby 175 ip 192.168.175.254
 standby 175 timers 1 3
 standby 175 priority 110
 standby 175 preempt
 standby 175 authentication secret

Interface   Grp  Prio P State    Active addr      Standby addr     Group addr
Vl175       175  110    Standby  192.168.175.253  local            192.168.175.254


Jon Marshall Thu, 12/18/2008 - 08:20

You need to look at your STP when this happens. Which ports are blocked and which are active?


I'm assuming the other VLANs are connected to both switches and they too are running HSRP?


I have used this design in so many networks. It shouldn't matter that the HSRP active and STP root don't match, that is what the L2 trunk between the cores is for.


Can you confirm what happens to that L2 trunk when the HSRP gateway switches across?


Jon
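
Added example, not part of the original thread: a short Python audit of the point made above, that a mismatch between STP root and HSRP active is harmless only while the inter-core trunk carries the VLAN. The trunk stanza (interface name GigabitEthernet1/1 and its allowed-VLAN list) is assumed, the HSRP group number is taken to equal the VLAN ID as in the posted configs, and `parse` and `audit` are hypothetical helper names.

```python
import re

# Constructed sample input: the VLAN 175 settings posted in the thread, plus an
# ASSUMED inter-core trunk stanza (interface name and VLAN list are hypothetical).
CORE1 = """\
spanning-tree vlan 175 priority 8192
interface Vlan175
 standby 175 ip 192.168.175.254
 standby 175 priority 115
 standby 175 preempt delay minimum 60
interface GigabitEthernet1/1
 switchport trunk allowed vlan 10,20,170-180
"""
CORE2 = """\
spanning-tree vlan 175 priority 16384
interface Vlan175
 standby 175 ip 192.168.175.254
 standby 175 priority 110
 standby 175 preempt
interface GigabitEthernet1/1
 switchport trunk allowed vlan 10,20,170-180
"""

def parse(cfg):
    """Extract STP bridge priority, HSRP priority and trunk-allowed VLANs."""
    stp = {int(v): int(p) for v, p in
           re.findall(r"^spanning-tree vlan (\d+) (?:priority )?(\d+)", cfg, re.M)}
    # Assumption: HSRP group number == VLAN ID, as in the posted configs.
    hsrp = {int(g): int(p) for g, p in
            re.findall(r"^\s*standby (\d+) priority (\d+)", cfg, re.M)}
    allowed = set()
    for spec in re.findall(r"switchport trunk allowed vlan ([\d,-]+)", cfg):
        for part in spec.split(","):
            lo, _, hi = part.partition("-")
            allowed.update(range(int(lo), int(hi or lo) + 1))
    return {"stp": stp, "hsrp": hsrp, "allowed": allowed}

def audit(cores, vlan, svi_down=()):
    """Compare STP root with HSRP active; shutting an SVI changes only HSRP."""
    parsed = {name: parse(cfg) for name, cfg in cores.items()}
    root = min(parsed, key=lambda n: parsed[n]["stp"][vlan])    # lowest priority wins
    up = [n for n in parsed if n not in svi_down]
    active = max(up, key=lambda n: parsed[n]["hsrp"][vlan])     # highest priority wins
    crosses = root != active          # access traffic must transit the inter-core trunk
    trunk_ok = all(vlan in parsed[n]["allowed"] for n in parsed)
    return {"stp_root": root, "hsrp_active": active,
            "uses_intercore_trunk": crosses,
            "blackhole_risk": crosses and not trunk_ok}
```

Calling `audit({"CORE1": CORE1, "CORE2": CORE2}, 175, svi_down=("CORE1",))` models the test described in the thread, where the Vlan175 interface on CORE1 is shut but the Layer 2 topology is unchanged.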

francisco_1 Thu, 12/18/2008 - 08:24

HSRP active for the other vlans.


The way I tested it was to shut down VLAN 175 on CORE1, and CORE2 became the active. Even though VLAN 175 is down, access1 and CORE1 are still exchanging BPDUs on gi0/1 from access1, so STP still uses that port as forwarding and I can still see the VLAN 175 MAC address on gi0/1 towards CORE1.

Jon Marshall Thu, 12/18/2008 - 08:31

Yes, that's fine. It still should work. When you say shutdown the VLAN, you mean shut down the L3 VLAN interface on CORE1?


Jon

francisco_1 Thu, 12/18/2008 - 08:31

yes


I don't think there is any interaction between STP and HSRP.



Francisco.

Jon Marshall Thu, 12/18/2008 - 08:49

When you shut down the VLAN 175 interface on CORE1 -


1) What address are you trying to ping from access1?


2) When you do "sh spanning-tree vlan 175" on both CORE switches, what are they showing?


3) What do the ARP and mac-address tables show on CORE1/CORE2 and access1?


Jon

francisco_1 Thu, 12/18/2008 - 08:54

Jon,


Let me collect all the information and I will let you know.



Francisco

md farook Fri, 12/19/2008 - 06:38

Hi,


First, remove the preempt command from CS_02. Keep it only on CS_01. Then check the output. And one more thing: there is no connection between HSRP and STP; both work differently.

viyuan700 Fri, 12/19/2008 - 13:39

Just want to add an experience of mine with HSRP. I will try to test it again; maybe it can help you.


In HSRP I defined the tracking of an interface. To check, I shut down the interface instead of pulling out the cable. I was not able to ping (I don't remember whether the state was changed or not). Then I pulled the cable instead of shutting down the interface. The link was working. So for HSRP, shutting down that interface has a different meaning than pulling out the cable.


You are also testing by shutting down VLAN 175; it does not mean that the link is down, as the trunk can carry all VLANs (if allowed), so your Gi0/1 is exchanging BPDUs if there is still traffic over it.


If it is NOT YOUR PRODUCTION NETWORK you can test by pulling out the cable to see whether the setup behaves in the same way.


I have a 2600 router and will try to test the same thing. If I am able to test before you, I will let you know.

passioncas Mon, 12/22/2008 - 01:02

Please let me know how the HSRP state changes. Based on that, the STP design can be tracked.

passioncas Mon, 12/22/2008 - 01:50

Hi..


Both STP and HSRP work differently. Even though Core-2 is active, the packet has to come to Core-1 and then Core-2. If it's not happening, then check that all the VLANs are allowed on the trunk between Core-1 and Core-2. Ideally it should work.
