HSRP Question

Hi All,

I have two 4506s acting as the Core of the network. Both switches are connected to several distribution switches and other devices...

The primary 4506 is acting as the active router for all traffic (like 50 VLANs)... the secondary 4506 is just sitting standby....

So, we want to do load balancing (perhaps sending 25 VLANs through the primary 4506 and the other 25 VLANs to the secondary 4506).

I've tested changing the priority of some of the VLANs to prefer the secondary 4506, and they worked fine.

I have this configuration for the 50 VLANs on the primary 4506:

Primary_Router#

interface Vlan1
description Vlan Default
ip address 172.16.10.2 255.255.255.0
no ip redirects
standby version 2
standby 0 ip 172.16.10.1
standby 0 priority 110
standby 0 preempt
standby 0 authentication md5 key-string 7 100D4D5A084341180817202D020F17143347091B571252080B0700 timeout 30

interface Vlan50
description Vlan Design
ip address 172.16.22.2 255.255.255.0
ip helper-address 172.16.24.16
no ip redirects
standby version 2
standby 0 ip 172.16.22.1
standby 0 priority 110
standby 0 preempt
standby 0 authentication md5 key-string 7 01504247565F551C255F440F3F2233331A580A277F372C62667647 timeout 30

And this configuration for the 50 VLANs on the secondary 4506:

Secondary_Router#

interface Vlan1
description Vlan Default
ip address 172.16.10.3 255.255.255.0
no ip redirects
standby version 2
standby 0 ip 172.16.10.1
standby 0 preempt
standby 0 authentication md5 key-string 7 13465351065857392F3722351305372607570F5B0D4B57055D574C timeout 30

interface Vlan15
description Vlan Design
ip address 172.16.22.3 255.255.255.0
ip helper-address 172.16.24.16
no ip redirects
standby version 2
standby 0 ip 172.16.22.1
standby 0 preempt
standby 0 authentication md5 key-string 7 01504247565F551C255F440F3F2233331A580A277F372C62667647 timeout 30
!

So, I've changed the priority of some VLANs on the secondary 4506 to 120 and the secondary 4506 became active for those VLANs (everything works fine)...

My question is:

If I configure 25 VLANs to prefer the primary 4506 and the other 25 VLANs to prefer the secondary 4506, with the above configuration, would either 4506 assume the role for all VLANs if one of the switches fails?

I need to test that the VLANs go through the appropriate configured 4506, and that if I turn off either switch, the other one would assume the active role for all VLANs....

Is this configuration going to work, or do I need different HSRP groups or play with the HSRP priorities?

Please let me know.

Thank you,

Federico.



Jon Marshall
Hall of Fame

Federico

>> If I configure 25 VLANs to prefer the primary 4506 and the other 25 VLANs to prefer the secondary 4506, with the above configuration, would either 4506 assume the role for all VLANs if one of the switches fails?

Yes, if one of the switches fails then the other will become active for all vlans.

Also you need to set the spanning-tree priority to match the HSRP active. So for 4506_1 if you have 25 vlans with the active HSRP gateway you also need to set that switch to be STP root for those 25 vlans. And on 4506_2 you set that switch to be STP root for the other 25 vlans that are HSRP active on that switch.

Edit - if you are going to change STP root and secondary do this out of production hours in an outage.

Jon

Makes sense to me!

I just want to double-check, and thank you for the reminder about STP!

I will test it and let you know....

Federico.

Giuseppe Larosa
Hall of Fame

Hello Federico,

This is a typical campus setup; for example, we do something similar with odd vlans on one device and even vlans on the other.

STP root bridge for odd vlans is also the active HSRP for odd vlans.

STP root bridge for even vlans is also the active HSRP for even vlans.

Multilayer switches allow for HSRP group reuse (routers on vlan subinterfaces are required to use different HSRP group numbers).

However, I would suggest using a different MD5 authentication password for each HSRP group.

You should be able to use 16 or more groups on C4500.

We have seen that if two groups with the same number are made to communicate by accident, high CPU usage results.

This makes reuse of HSRP group more secure.

>> If I configure 25 VLANs to prefer the primary 4506 and the other 25 VLANs to prefer the secondary 4506, with the above configuration, would either 4506 assume the role for all VLANs if one of the switches fails?

Yes, within 3 times the HSRP timer, 10 seconds with default timer values.

Aggressive timers have been used as low as 250 msec. Someone tried lower values, but results are not always good.

>> Is this configuration going to work, or do I need different HSRP groups or play with the HSRP priorities?

Use a higher priority, more than 100, for the device that has to be the active router, for example 105 as in the other thread.

Hope to help

Giuseppe

mlund
Level 7

Hi Federico

One more thing to consider when splitting traffic between chassis is the unicast flooding that will occur.

The reason is that the CAM aging timer is 300 seconds and the ARP timer is 14400 seconds.

As stated in the link below, there are three ways to solve this.

1. Adjust CAM aging to 14000

2. Adjust ARP timer to 300

3. Adjust both so that they will match

In our network we chose option 3 and took 3600, and it works OK for us.

/Mikael

http://www.cisco.com/en/US/tech/tk648/tk362/technologies_tech_note09186a0080094afd.shtml#t8
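A small checker, added here as an example (not code from the thread or from Cisco), for the rule Jon and Giuseppe describe (the HSRP active gateway and the STP root must be the same switch for each VLAN) together with Mikael's CAM/ARP timer point: it parses the relevant lines from two constructed core configs (not the configs posted above) and lists every VLAN where the two cores disagree. It assumes the IOS defaults of HSRP priority 100, bridge priority 32768, CAM aging 300 s and ARP timeout 14400 s whenever a line is absent.

```python
import re
# Constructed sample configs (not the thread's own), cut down to the lines the checker reads.
# Core A should be HSRP active and STP root for VLANs 1 and 2, core B for VLAN 3; VLAN 2's
# HSRP priority was raised on B by mistake, and B's Vlan2 is missing "arp timeout".
CORE_A = """mac address-table aging-time 3600
spanning-tree vlan 1,2 priority 4096
interface Vlan1
 standby 0 priority 110
 arp timeout 3600
interface Vlan2
 arp timeout 3600
interface Vlan3
 arp timeout 3600
"""
CORE_B = """mac address-table aging-time 3600
spanning-tree vlan 3 priority 4096
interface Vlan1
 arp timeout 3600
interface Vlan2
 standby 0 priority 120
interface Vlan3
 arp timeout 3600
"""

def parse(cfg):
    # Returns (mac_aging, stp_prio, hsrp_prio, arp_timeout); hsrp_prio has an entry for every SVI.
    m = re.search(r"mac address-table aging-time (\d+)", cfg)
    stp = {int(v): int(p) for vl, p in re.findall(r"spanning-tree vlan ([\d,]+) priority (\d+)", cfg) for v in vl.split(",")}
    hsrp, arp, vlan = {}, {}, None
    for line in (l.strip() for l in cfg.splitlines()):
        if i := re.match(r"interface Vlan(\d+)", line):
            hsrp[(vlan := int(i.group(1)))] = 100  # IOS default HSRP priority until a "standby priority" line says otherwise
        elif vlan and (p := re.match(r"standby \d+ priority (\d+)", line)):
            hsrp[vlan] = int(p.group(1))
        elif vlan and (t := re.match(r"arp timeout (\d+)", line)):
            arp[vlan] = int(t.group(1))
    return (int(m.group(1)) if m else 300), stp, hsrp, arp

def audit(cfg_a, cfg_b):
    # Per VLAN, report where HSRP active, STP root and the CAM/ARP timers disagree.
    sides = {"A": parse(cfg_a), "B": parse(cfg_b)}
    def check(v):
        ha, hb = sides["A"][2].get(v, 100), sides["B"][2].get(v, 100)
        sa, sb = sides["A"][1].get(v, 32768), sides["B"][1].get(v, 32768)  # 32768 = default bridge priority
        active = "A" if ha > hb else "B" if hb > ha else "tie"  # a tie is broken by the higher IP, not visible here
        root = "A" if sa < sb else "B" if sb < sa else "tie"    # a tie is broken by the lower bridge MAC, not visible here
        notes = [f"hsrp active: {active}, stp root: {root}"] if active != root or active == "tie" else []
        for name, (aging, _, _, arpt) in sides.items():
            if arpt.get(v, 14400) != aging:  # 14400 s = default ARP timeout
                notes.append(f"{name}: arp timeout {arpt.get(v, 14400)} != mac aging {aging}")
        return notes
    return {v: n for v in sorted({*sides["A"][2], *sides["B"][2]}) if (n := check(v))}
```

`audit(CORE_A, CORE_B)` returns only the VLANs with findings, so an empty dict means every VLAN has its active gateway and STP root on the same core and matching timers on both.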

Thank you guys for your help, I did it and it worked great!

Both 4506s are sharing the traffic now....

Just one more question regarding this....  initially only the 4506-1 had a connection to the ASA that connects everybody to the Internet...

So, obviously we have to add a connection from the 4506-2 to the ASA as well. What I did is connect both 4506s to a switch and from there a single connection to the ASA (this is temporary)....

Now, everything is working fine... but due to STP only one of the two connections of the new Switch to the 4506s is forwarding traffic and the other is blocked by STP (I know this is normal behavior because the new Switch is not the STP Root for the VLAN between the 4506s and the ASA).

My question is....

Should that switch be the root bridge for that VLAN so that both ports forward traffic simultaneously, or should I leave it like this?

My concern is that since port 2 on the new Switch is blocked by STP, currently all traffic to the ASA still goes through the 4506-1 no matter if the source VLAN is being handled by the 4506-1 or the 4506-2.

Situation:

4506-1 -------  new
4506-2 -------  switch ----------   ASA

So, the three ports on the new switch are on VLAN 22 (which is the VLAN for the ASA), but the port facing 4506-2 is blocked by STP.

I'm looking if I need to change this or not.

Please let me know your thoughts!

Thank you very much again,

Federico.

You have a layer2 loop in your setup???  STP would not block a port if not.

You are correct, but the thing is the following....

From the new Switch that I added, there are two ports on the same VLAN connected each one to both 4506s (and one connection to the ASA)

In other words, both Gig 6/16 ports on both 4506s are connected to Port1 and Port2 of the new Switch (all of these ports are in the same VLAN), which in turn, Port3 of the new Switch connects to the ASA. (Port 1, 2 and 3 on the new Switch are on the same VLAN).

So, I won't say there's a loop, but there are two possible paths from the new Switch to the VLANs and that's why one of those ports is blocked by STP.

Is this clear? Please let me know.

So, my question is if I should make the new Switch the Root for this VLAN (so that both ports to the 4506s will be Forwarding).... or this will bring trouble to the network.

Thank you,

Federico.

Simple! Isolate your direct link between your 4506 with a different vlan. Then, all your ports would be up all the time and STP will not see any loops anymore.

Of course, you will have to configure new vlan-if and activate the routing protocol on these new interfaces.

mlund
Level 7

Hi Federico

Making the new switch root for the new vlan is a good idea.

This way, as you stated, both core switches can transport data to the ASA on the nearest link.

One of the ports on the link between the core switches will be blocking for that vlan, which will result in HSRP hello packets having to traverse the links to the new switch. But that is nothing to worry about.

/Mikael
