cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1093
Views
4
Helpful
16
Replies

HSRP issue

sameermunj
Level 1
Level 1

Hi

Attached is the schematic.As shown in digram am tracking fastethernet of switch 1 and decrementing the priorty to amke switch1 standby.even when fast ethernet going down priority decrementing by 10 but switch 2 not becoming ACTIVE.even when the gig 0/1 going down for primary, primary router becomes active which ideally should not be the case.

i tried giving ip directly to physical port but in that case both routers become active.

below is the config.

Primary switch

interface Vlan10

ip address 10.1.3.2 255.255.255.248

standby version 2

standby 1 ip 10.1.3.1

standby 1 priority 105

standby 1 preempt

standby 1 track 123 decrement 10

track 123 interface FastEthernet0/1 line-protocol

interface FastEthernet0/24

switchport trunk encapsulation dot1q

switchport trunk allowed vlan 10

switchport mode trunk

!

interface GigabitEthernet0/1

switchport access vlan 10

switchport mode access

Secondary switch

interface Vlan10

ip address 10.1.3.3 255.255.255.248

standby version 2

standby 1 ip 10.1.3.1

interface FastEthernet0/24

switchport trunk encapsulation dot1q

switchport trunk allowed vlan 10

switchport mode trunk

!

interface GigabitEthernet0/1

switchport access vlan 10

switchport mode access

16 Replies 16

Jon Marshall
Hall of Fame
Hall of Fame

If you want the second switch to take over then you need to configure it with preempt or it won't no matter what HSRP priority you have on the primary.

Add this to your config -

second switch

int vlan 10

standby 1 preempt

Jon

Peter Paluch
Cisco Employee
Cisco Employee

Hello Sameer,

Your second switch is missing the command standby 1 preempt in its configuration.

This command is often misunderstood. Its meaning is that is allows the present router to take over another router - it allows the present router to become Active. Often, it is perceived in a reversed sense - that it allows a router to be preempted by someone else, however, this interpretation is incorrect.

Your second switch was not allowed to take over the Active role even when the priority of the first switch was lower. Therefore, it did not try to become Active - that's why it did not work.

As a general rule, if the "standby preempt" command is used, it should be used on all routers in a standby group. Having some routers with that command and some other without it can lead to generally complicated behavior of the Active role takeover. Also, the Active role could be stalled on a router that is not the preferred router and actually has a lower priority. So my recommendation is - either configure all HSRP routers with that command or none of them.

Best regards,

Peter

Peter

"As a general rule, if the "standby preempt" command is used, it should be used on all routers in a standby group."

That's an interesting one actually and i've changed my mind a couple of times in my networking career.

Personally i only enable preempt on both the primary and secondary router if there is tracking enabled.

If there is no tracking then i only enable preempt on the active router because it makes no sense on the standby.

Good to get another opinion though.

Jon

Hi Jon,

Thanks a lot for sharing your opinion. You are of course correct and I like your approach. It certainly has its merit.

My reasoning here is probably a one of simplicity: having the preempt configured only on some routers in a standby group leads to problems more often that not. With the preempt configured on each router, the takeover process becomes much easier to follow.

It is also noteworthy to mention that the VRRP has preemption activated by default.

In any case, thank you very much again! You have also shown me another way to approach this problem, and I am very thankful for that!

Best regards,

Peter

Peter

"You are of course correct and I like your approach."

Apologies if i gave the impression that my way was the right way, not intended at all. Just good to see other peoples approaches and you do have a vast amount of knowledge to share so it's always good to discuss things with you.

Jon

Hey Jon,

No, no - don't be worried, I never took it that way. It was just that I have went over the whole preempt stuff all over again in my head and your approach makes perfect sense to me. In fact, I am a proponent of minimal configuration - use just those commands and on those devices where they are really necessary and your approach fits perfectly in it. All that was summarized in that single sentence of mine :)

Best regards,

Peter

Hi guys

still i have not found the solution.my concern is

1==if i give the ip to physical ip to the switch,firewall to switch are vertical links and switch interconnect with l2 link.in this case bith switches become active.

2==if i create svi say vlan 10 for vertical link between firewall and switch, i will also include switch-switch port in same vlan.so when my firewall-switch link goes down, hsrp is not shifting because still the switch-switch link port still in vlan 10 and vlan 10 still active so HSRP not shifting to another switch..

can some one suggest the solution.

diagrma attached in first post..

Hello Sameer,

1.) In a properly working network it is impossible for both switches to become Active. The HSRP is also implemented on Cisco routers that do not have SVIs and it works flawlessly. If both your switches become Active then they do not hear each other.

2.) I am afraid I do not understand this description.

Best regards,

Peter

Hi

1==in the topology attached where both firewalls connected to each other with horizonal link,both switches connected to each other with horizontal link,left firewall vertically connected to left switch and right firewall vertically connected to right switch,the link between firewall and switch defined as routed port with /29.i still doube how they will hear each other.can you suggest me the way to hear

2==please see the diagram again.when i define svi for the link between firewall & switch.i also make the switch-switch port as member of that vlan.so even if firewall-switch link goes down,switch-switch link remain up and switch not going to standby mode..

Hi Sameer,

Let's clear up one particular issue: for which part of network do you want to provide the HSRP service, that is, back up the default gateway?

Your topology consists of two L3 switches and two firewalls. What are those firewalls? Is that an ASA or PIX? In what mode do they run - Layer2 (bridged) or Layer3 (routed)? If they are routed then the segment between the firewalls is a new independet Layer3 domain and the HSRP hellos will not reach that segment.

Furthermore, for whom is the HSRP service provided? Where are the stations located that use the HSRP standby IP as the gateway?

Your test.pdf file contains incorrect addressing information: the IP addresses 10.1.3.2, 10.1.3.3, 10.1.3.4 should be probably written with the mask /29, not /30 as your exhibit contains.

Please try to clarify these issues.

Best regards,

Peter

Ho peter

answers to your query==

firewall is Juniper ISG 1000.in juniper when they do NSRP, it has only 1 ip which is managed by the active firewall.

now firewall is in L3 mode (IP address directly given to physical port and no SVI has been configured).Connection from 2 LAN cores coming to 2 Firewalls.Now firewall wants to put default gw as HSRP ip of L3 switch.

L3 switch will route for internal lan pointing towards NSRP ip of firewall

Test pdf has by mistake /30 mask mentioned and actually its /29.

10.1.3.3=switch1 3.3==switch 2 HSRP 3.1

10.1.3.4==NSRP

Juniper will point default route towards 10.1.3.1

L3 switch will put static route for internal lan towards 10.1.3.4.

hope this clarifies..

Sameer

Can you just confirm

1) the firewalls are connected to each other via a L3 link ?

2) the firewalls are connected to the switches via L3 links ?

If so what firewalls are you running ?. Are these firewalls meant to be in a pair ? - in which case they should be interconnected at L2 not L3.

What you have said is a bit confusing. What are you trying to protect against ie.

lets say the firewalls and switches were connected via L2. If the left hand switch went down then the right hand firewall would stop receiving hello's from the left hand outside firewall interface and so would become the active firewall. So you have redundancy. But with L3 everywhere this doesn't happen.

So are these firewalls meant to be a pair ? And why are they and the switches using L3 links.

Jon

Hi Jon

let me clarify

1==firewalls connected to each other via L2 link.

2=firewall connected to switch (vertical link) via L3 link.IP address direclt given to physical port.

firewall are juniper ISG 1000 and when they running NSRP they use single IP (Say 10.1.3.4 in our diagram) which is managed by Master switch.

Firewall and Switch cannot be connected on l2 as it is the segment for which i am doing HSRP.please see the diagram again.

Left fw-Left switch

Rightfw-right sw

Firewall-firewall (L2)

switch-switch (Tried Plain l2 or svi as mentioned in diagram)

Left fw=10.1.3.2

Right fw =10.1.3.3

HSRp=10.1.3.1

Juniper NSRP ==10.1.3.4(owned by master.no separate IP for each firewall.They sync the config)

now Connection from lan core coming to firewal.Firewall pointing default route to internet pointing towards L3 switch HSRP ip and L3 switches pointing static route for internal LAN pointing towards NSRP ip of juniper.

hope this calrifies.

Hi huys

The problem resolved with preempt command on the standby switch.i think jon was correct.when we configure tracking on primary then we need to enable prrempt on secondary.

now when left firewall goes down,traffic coming on right firewall==right switch and from these using the inter switch link coming to primary switch and from there going down.

left switch still becomes active because interswitch port is up .

the problem here is it takes around 3-4 minute before firewall able to ping HSRP ip of switch.after 4 minute its able to ping HSRP ip of switch and traffic starts.

any paramater here to play which can reduce this time.As i mentioned left switch still remains active and traffic going from right switch to left switch and then out.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Innovations in Cisco Full Stack Observability - A new webinar from Cisco