03-04-2009 04:42 PM - edited 03-04-2019 03:48 AM
Hi.
At work we set up a redundant environment with two Layer 3 switches connected to two ASA's. The switches have 4 VLAN's each. If Switch02 is not set up with the VLAN's as interfaces and an IP address, then if Switch01 fails the servers on the VLAN's will not go out in the IPMAN. When I set up the VLAN's on Switch02 with the same VLAN IP addresses as Switch01 then the servers can get out but obviously I get the message of Duplicate VLANs. I have tried setting up Server Client and VTP but that does not work. What is the correct way of dealing with something like this?
Thank you
03-04-2009 10:51 PM
You can use redundancy protocols like HSRP, VRRP or GLBP which are built for such scenarios.
If it is a Cisco it is better to use HSRP, since you have two ASA (which I think are running in Active/Standby)
HSRP configuration -
03-05-2009 03:38 PM
Hi and thanks for the reply.
We did test with HSRP but we still get the duplicate error. Also, it's not worth setting up HSRP in our case because one of the switches will be totally wasted. The only thing that I thought is "that's just the way it is" and there's nothing you can do about the duplicate errors. I mean it's not causing any failures as such.
Regards,
Harry
03-05-2009 09:12 PM
When using HSRP, if you get the duplicate IP detected error, then you will need to check your spanning tree topology, as there might be a temporary loop which might be causing this issue.
You can make use of mHSRP to do load balancing so that one switch will not get wasted completely. If you have multiple VLAN's then you can set up HSRP being active in one switch for one VLAN and the other switch for the other VLAN. Although if you are using ASA as active failover, it won't help much as the traffic still flows to the active ASA through one of the switches.
03-12-2009 03:57 PM
Hi.
Thank you for the reply.
Do you think that duplicate error messages can cause any "real" problems? If there's a temporary loop how can that be fixed?
Thank you
03-12-2009 04:45 PM
Harry
Not sure I understand about a switch being wasted. What you do with HSRP is -
subnet = 192.168.5.0/24
Assuming this is the vlan and you have created the vlan at Layer 2, ie. a "sh vlan" shows vlan 10
Also assuming your 2 switches are connected via a L2 trunk
switch 1
int vlan 10
ip address 192.168.5.2 255.255.255.0
standby 10 ip 192.168.5.1
standby 10 priority 100
standby 10 auth
switch 2
int vlan 10
ip address 192.168.5.3 255.255.255.0
standby 10 ip 192.168.5.1
standby 10 priority 110
standby 10 auth
If you use the above config as a template you should not get duplicate IP address errors.
Jon
03-12-2009 04:57 PM
Hi.
Thank you for the reply.
Ok, I'll give you a picture of what we've done.
We have two ASA's. We use failover.
We have two Layer 3 switches with ip routing enabled connected to the ASA's. Switch01 connected to ASA01 and Switch02 connected to ASA02.
Connected to Switch 01 are Switch03 and Switch04. Also connected to Switch02 are Switch03 and Switch04. There's also an etherchannel between Switch01 and Switch02.
On Switch01 and Switch02 there are 3 VLANs with the configuration "int vlan 10, ip add xx.xxx.xxx etc". Now this configuration must be the same on Switch02 because if it's not then when Switch01 goes down there are no VLAN interfaces and the servers will not be able to go out. On Switch03 and Switch04 the VLANs are configured on specific ports, e.g. "switchport access vlan 10".
When we did set up HSRP the duplicate problem was still there. We would like to avoid the HSRP setup though.
So, is there a way -except HSRP- to avoid those errors? So far the errors are not causing any "real" issues. How is redundancy set up with VLAN's? I mean, I really don't see another way except the way we have set it up already. If the VLAN interfaces are not configured on Switch02 then redundancy is gone. It's a funny one.
Thanks for the replies.
Harry
03-12-2009 05:17 PM
Harry
Have a look at my previous post. Notice that
switch 1 vlan 10 interface has an IP address of 192.168.5.2
switch 2 vlan 10 interface has an IP address of 192.168.5.3
Notice also that the same VIP (Virtual IP address) is configured on both switches ie. 192.168.5.1
So you set the default-gateway on the servers to be 192.168.5.1
One of the switches will be responsible for any traffic sent to 192.168.5.1. If that switch fails then the other switch will be responsible for 192.168.5.1. So it works as you want.
So the configuration is not exactly the same between the 2 switches. The VIP is the same but the physical addresses are different but you only tell the servers about the VIP.
It might be a good idea if you had a read of the HSRP link posted earlier.
Jon
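As an added example (not part of the thread or Jon's reply), a small Python checker that parses the two SVI snippets Jon posted and flags the setup Harry described, where both switches carry the same VLAN IP and no HSRP group. The config strings below are constructed from the template above; the "standby 10 auth" lines are ignored by the parser.

```python
import re

# Constructed from Jon's template: distinct SVI addresses, shared VIP, different priorities.
SWITCH1 = """
interface Vlan10
 ip address 192.168.5.2 255.255.255.0
 standby 10 ip 192.168.5.1
 standby 10 priority 100
"""
SWITCH2 = """
interface Vlan10
 ip address 192.168.5.3 255.255.255.0
 standby 10 ip 192.168.5.1
 standby 10 priority 110
"""
# Harry's setup (constructed): the same SVI address on both switches and no HSRP group.
DUPLICATE = """
interface Vlan10
 ip address 192.168.5.1 255.255.255.0
"""

def parse_svis(config):
    """Return {vlan: {'ip', 'vip', 'priority'}} from an IOS-style SVI config (HSRP default priority is 100)."""
    svis, cur = {}, None
    for line in (l.strip() for l in config.splitlines()):
        if (m := re.match(r"interface Vlan(\d+)", line, re.I)):
            cur = svis.setdefault(int(m.group(1)), {"ip": None, "vip": None, "priority": 100})
        elif cur is None:
            continue
        elif (m := re.match(r"ip address (\S+) \S+", line)):
            cur["ip"] = m.group(1)
        elif (m := re.match(r"standby \d+ ip (\S+)", line)):
            cur["vip"] = m.group(1)
        elif (m := re.match(r"standby \d+ priority (\d+)", line)):
            cur["priority"] = int(m.group(1))
    return svis

def check_pair(cfg_a, cfg_b):
    """Return a list of problems; an empty list means the two switches form a sane HSRP pair."""
    a, b, problems = parse_svis(cfg_a), parse_svis(cfg_b), []
    for vlan in sorted(set(a) | set(b)):
        if vlan not in a or vlan not in b:
            problems.append(f"vlan {vlan}: SVI missing on one switch (no redundancy)")
            continue
        sa, sb = a[vlan], b[vlan]
        if sa["ip"] == sb["ip"]:
            problems.append(f"vlan {vlan}: same physical IP {sa['ip']} on both switches (duplicate IP)")
        if sa["vip"] is None or sb["vip"] is None:
            problems.append(f"vlan {vlan}: HSRP not configured on both switches")
        elif sa["vip"] != sb["vip"]:
            problems.append(f"vlan {vlan}: VIP mismatch {sa['vip']} vs {sb['vip']}")
        elif sa["vip"] in (sa["ip"], sb["ip"]):
            problems.append(f"vlan {vlan}: VIP {sa['vip']} collides with a physical SVI address")
        if sa["priority"] == sb["priority"]:
            problems.append(f"vlan {vlan}: equal priorities, active router decided by highest IP")
    return problems
```

Running `check_pair(SWITCH1, SWITCH2)` returns no problems, while `check_pair(DUPLICATE, DUPLICATE)` reports the duplicate physical IP and the missing HSRP group.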
03-12-2009 05:25 PM
Hi.
This will not work because even if you set up the default gateway to be the HSRP address, the servers that belong to a VLAN will look for the int vlan IP address first. I have done a traceroute and realised that it does not matter what default gateway you give the servers, if they belong to a VLAN they will use that as a first hop. And it does not work if you give two different VLAN IPs on Switch01 and Switch02, because the servers will always look for the VLAN on Switch01. So, e.g. if you log in to Server01 and do a traceroute to the internet it will first use that VLAN int on Switch01. If Switch01 goes down, even if Switch02 has a VLAN interface configured, the server does not go through. That's why both switches are configured the same. Hope that makes sense. Maybe I'm doing something wrong. Another thing is that if you configure different IP addresses for VLANs for every switch, what happens when you keep on adding switches as you grow? There's going to be far too many addresses wasted just for VLANs.
Thank you
03-12-2009 05:30 PM
Harry
The etherchannel between the 2 switches - is it a layer 2 trunk?
If it is then HSRP will work. Trust me, I have set up HSRP on switches more times than I can count. If you are finding that switch1 goes down and then the servers cannot get out then either
1) you have configured HSRP incorrectly
OR
2) your servers are only connected to switch1. Obviously with HSRP and redundancy you need your servers to be connected to both switches.
Perhaps you could draw out a network diagram so we can understand your layout more accurately.
Jon
03-12-2009 05:40 PM
Hi Jon,
I don't think you can set up HSRP incorrectly. It's far too simple to get it wrong. Anyway, our servers are connected to both switches. There's full redundancy. The virtual servers will be connected to Switch01 and Switch02 (double NIC) and the rest to Switch03 and Switch04 (double NIC).
Please see attachment for network diagram.
Thank you