HSRP/STP Design Question

Dec 18th, 2008

See attachment - I have 3 switches: 2 core and 1 access layer. access1 is connected to both cores via a single dot1q trunk. VLAN 175 is active on all switches. According to spanning-tree, the root port (gi0/1) is towards CORE1 on access1 and the blocking port (gi0/2) is towards CORE2. The problem is that when the HSRP state changes between the COREs, say CORE2 is now the active HSRP peer, the spanning-tree topology stays the same and traffic from access1 to CORE1 is blackholed. access1 can no longer access anything on the network and the mac address for is still pointing to CORE1 via gi0/1. Any suggestions on how to rectify this behaviour?


John Blakley Thu, 12/18/2008 - 08:08

You may want to configure spanning-tree backbonefast on both cores, and spanning-tree uplinkfast on your access switch.

You just enable both at the prompt (if you haven't already done so). It helps with convergence time from a failure.



francisco_1 Thu, 12/18/2008 - 08:11

Already part of the configs. I need to know how to influence spanning-tree when HSRP state changes, if possible.


Jon Marshall Thu, 12/18/2008 - 08:10


This is a standard L2 -> L3 design. If the HSRP gateway changes to CORE 2 then traffic should just go from access1 to CORE1 across the L2 trunk to CORE2. Traffic should not be blackholed.

Either something else is happening when the HSRP gateway swaps over that you are not registering, i.e. what is making the gateway fail over.

Is the trunk link between the 2 core switches allowing vlan 175?


francisco_1 Thu, 12/18/2008 - 08:13

Yeah, the trunk is allowing vlan 175. When CORE2 becomes the active, from access1 the port towards CORE1 is still in forwarding state and I cannot ping any other vlans from access1.



spanning-tree vlan 175 8192
interface Vlan175
 description ServerManagement_Vlan
 ip address
 no ip redirects
 arp timeout 300
 standby 175 ip
 standby 175 timers 1 3
 standby 175 priority 115
 standby 175 preempt delay minimum 60
 standby 175 authentication secret

Interface Grp Prio P State Active addr Standby addr Group addr
Vl175 175 115 Active local

spanning-tree vlan 175 16384
interface Vlan175
 description NetworkManagement_Vlan
 ip address
 no ip redirects
 arp timeout 300
 standby 175 ip
 standby 175 timers 1 3
 standby 175 priority 110
 standby 175 preempt
 standby 175 authentication secret

Interface Grp Prio P State Active addr Standby addr Group addr
Vl175 175 110 Standby local

Jon Marshall Thu, 12/18/2008 - 08:20

You need to look at your STP when this happens. Which ports are blocked and which are active.

I'm assuming the other vlans are connected to both switches and they too are running HSRP?

I have used this design in so many networks. It shouldn't matter that the HSRP active and STP root don't match, that is what the L2 trunk between the cores is for.

Can you confirm what happens to that L2 trunk when the HSRP gateway switches across?


francisco_1 Thu, 12/18/2008 - 08:24

HSRP active for the other vlans.

The way I tested it was to shut down the vlan 175 on CORE1 and CORE2 became the active. Even though VLAN 175 is down, access1 and CORE1 are still exchanging BPDUs on gi0/1 from access1, so STP still uses that port as forwarding and I can still see the vlan 175 mac address on gi0/1 towards CORE1.

Jon Marshall Thu, 12/18/2008 - 08:31

Yes, that's fine. It still should work. When you say shut down the vlan, you mean shut down the L3 vlan interface on CORE1?


francisco_1 Thu, 12/18/2008 - 08:31


I don't think there is any interaction between STP and HSRP.


Jon Marshall Thu, 12/18/2008 - 08:49

When you shut down vlan 175 interface on CORE1 -

1) what address are you trying to ping from access1?

2) when you do "sh spanning-tree vlan 175" on both CORE switches, what are they showing?

3) what do the arp and mac-address tables show on CORE1/CORE2 and access1?


francisco_1 Thu, 12/18/2008 - 08:54


Let me collect all the information and I will let you know.


md farook Fri, 12/19/2008 - 06:38


First, remove the preempt command from CS_02 and keep it only on CS_01, then check the output. One more thing: there is no connection between HSRP and STP; both work differently.

viyuan700 Fri, 12/19/2008 - 13:39

Just want to add an experience of mine with HSRP. I will try to test it again; maybe it can help you.

In HSRP I defined the tracking of an interface. To check, I shut down the interface instead of pulling out the cable. I was not able to ping (I don't remember whether the state was changed or not). Then I pulled the cable instead of shutting down the interface. The link was working. So for HSRP, shutting down that interface has a different meaning than pulling out the cable.

You are also testing by shutting down vlan 175. It does not mean that the link is down, as the trunk can carry all vlans (if allowed), so your Gi0/1 is exchanging BPDUs if there is still traffic over it.

If it is NOT YOUR PRODUCTION NETWORK you can test by pulling out the cable to see whether the setup behaves in the same way.

I have a 2600 router and will try to test the same thing. If I am able to test before you, I will let you know.

passioncas Mon, 12/22/2008 - 01:02

Please let me know how the HSRP state changes. Based on that, the STP design can be tracked.

passioncas Mon, 12/22/2008 - 01:50


Both the STP and HSRP work differently. Even though Core-2 is active, the packet has to come to Core-1 and then Core-2. If it's not happening, then check that all the VLANs are allowed on the trunk between Core-1 and Core-2. Ideally it should work.
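
Added example, not part of the thread: a small Python model of the path the replies describe, where frames from access1 reach whichever core is HSRP active over the STP forwarding links only. The port states are taken as observed inputs (STP is not recomputed), and the link label `core-trunk` and the function names are hypothetical.

```python
from collections import deque

VLAN = 175

# Constructed model of the thread's topology. Each link is
# (switch_a, switch_b, label, VLANs allowed, VLANs in STP forwarding state).
def build_links(core_trunk_vlans):
    return [
        ("access1", "CORE1", "gi0/1", {VLAN}, {VLAN}),  # root port, forwarding
        ("access1", "CORE2", "gi0/2", {VLAN}, set()),   # blocking for VLAN 175
        ("CORE1", "CORE2", "core-trunk", core_trunk_vlans, core_trunk_vlans),
    ]

def l2_path(links, src, dst, vlan=VLAN):
    """Breadth-first search over links that both carry and forward the VLAN."""
    adj = {}
    for a, b, label, allowed, forwarding in links:
        if vlan in allowed and vlan in forwarding:
            adj.setdefault(a, []).append((b, label))
            adj.setdefault(b, []).append((a, label))
    queue, seen = deque([(src, [src])]), {src}
    while queue:
        node, path = queue.popleft()
        if node == dst:
            return path
        for nxt, label in adj.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, path + [label, nxt]))
    return None  # no L2 path: frames for the HSRP virtual MAC never arrive

def gateway_path(hsrp_active, core_trunk_vlans):
    """Path from access1 to the core that currently answers for the gateway."""
    return l2_path(build_links(core_trunk_vlans), "access1", hsrp_active)

if __name__ == "__main__":
    cases = [
        ("CORE1", {VLAN}),   # normal: HSRP active matches STP root
        ("CORE2", {VLAN}),   # failover: traffic crosses the inter-core trunk
        ("CORE2", set()),    # constructed fault: trunk not carrying VLAN 175
    ]
    for active, trunk in cases:
        print(active, sorted(trunk), "->", gateway_path(active, trunk))
```

A `None` result corresponds to the blackhole symptom; the second case shows why an HSRP change alone needs no STP change.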

