HSRP, routing issue

tomtom2211
Level 1

Hi,

I have a strange issue with an HSRP setup.

I have two 3560s (S1+S2) as Core/Distribution layer. Inter-VLAN routing is enabled on both switches. S1 and S2 are connected with an EtherChannel over four fibre ports. S3-S5 are the (L2) access layer.

[Attachment: fneyyq3w.jpg]

Gi0/1 on S1 and S2 are L3 ports, connect to a Linux Firewall.

HSRP is enabled, S1 is the active router and the STP root bridge.

But my monitoring via Cacti shows me that Gi0/1 on S2 is active, too! But it should not be active, should it? Only if S1 fails should S2 be the active switch.

A client on the access ports of S3-S5 gets traffic from the internet via Gi0/1 on S2. Gi0/1 on S1 is active too, but mostly sends traffic to the internet.

Why is S2 active and why does it route traffic from the internet to the client?

kind regards

1 Accepted Solution (Richard Burts' final reply, quoted in full in the thread below)

15 Replies

Reza Sharifi
Hall of Fame

Hi,

Can you post show standby from both core switches?

Also, can you post your HSRP config from both switches?


Richard Burts
Hall of Fame

Thomas

Would you post the interface configuration from both switches for the Gi0/1 interfaces? You say that both are layer 3 interfaces but it is not clear whether that means that both are configured with no switchport and with an IP address on the interface or whether they are in a VLAN that has the layer 3 interface.

A related but slightly different question would be whether the switches see each other as CDP neighbors through the Gi0/1 interface?

From the symptoms I am guessing that the switch Gi0/1 interfaces do not talk directly to each other and for HSRP to work correctly the switch interfaces must be able to talk directly to each other. So if you can provide some additional information about the topology and the configuration then we may be able to find a solution for your problem.

HTH

Rick

HTH

Rick

I would like to add something: why do you need those Gig ports as L3? If you configure them as switchports and join them to the same VLAN then you can configure HSRP at the VLAN interface level with different priorities, so you can decide which remains active and which standby.

As previously said, please post the configuration.

RG

Hi,

I have used this tutorial from Cisco for the initial setup:

http://www.cisco.com/en/US/tech/tk389/tk815/technologies_configuration_example09186a008015f17a.shtml

Additionally, I added a second switch and added HSRP.

S1#show standby brief
Interface   Grp Prio P State    Active          Standby         Virtual IP
Vl2         1   250  P Active   local           10.2.0.3        10.2.0.1
Vl3         1   250  P Active   local           10.2.2.3        10.2.2.1
Vl4         1   250  P Active   local           10.2.4.3        10.2.4.1
Vl5         1   250  P Active   local           10.2.6.3        10.2.6.1

S2#show standby brief
Interface   Grp Prio P State    Active          Standby         Virtual IP
Vl2         1   50     Standby  10.2.0.2        local           10.2.0.1
Vl3         1   50     Standby  10.2.2.2        local           10.2.2.1
Vl4         1   50     Standby  10.2.4.2        local           10.2.4.1
Vl5         1   50     Standby  10.2.6.2        local           10.2.6.1

S1#show running-config interface gigabitEthernet 0/1
!
interface GigabitEthernet0/1
 description to_firewall
 no switchport
 ip address 192.168.99.2 255.255.255.248
end

S2#show running-config interface gigabitEthernet 0/1
!
interface GigabitEthernet0/1
 no switchport
 ip address 192.168.99.3 255.255.255.248
end

- "A related but slightly different question would be whether the switches see each other as CDP neighbors through the Gi0/1 interface?"

The switches see each other through the etherchannel Po1 and Gi0/1..hmm.

S1#show cdp neighbors
Device ID            Local Intrfce         Holdtme   Capability    Platform   Port ID
SV2                Gig 0/18              123            S I      WS-C2960-4Fas 0/1
SS5                Gig 0/19              128            S I      WS-C2960S-Gig 0/1
SS5                Gig 0/20              128            S I      WS-C2960S-Gig 0/2
SV1                Gig 0/17              138            S I      WS-C2960-4Fas 0/1
SS3                Gig 0/14              162            S I      WS-C2960S-Gig 0/2
SS3                Gig 0/13              162            S I      WS-C2960S-Gig 0/1
SS2                Gig 0/12              160            S I      WS-C2960S-Gig 0/2
SS2                Gig 0/11              160            S I      WS-C2960S-Gig 0/1
SS1                Gig 0/9               160            S I      WS-C2960S-Gig 0/1
SS1                Gig 0/10              160            S I      WS-C2960S-Gig 0/2
SD2                Gig 0/1               140           R S I     WS-C3560G-Gig 0/1
SD2                Gig 0/52              150           R S I     WS-C3560G-Gig 0/52
SD2                Gig 0/51              150           R S I     WS-C3560G-Gig 0/51
SD2                Gig 0/50              150           R S I     WS-C3560G-Gig 0/50
SD2                Gig 0/49              150           R S I     WS-C3560G-Gig 0/49
SC3                Gig 0/22              143            S I      WS-C2960S-Gig 0/2
SC3                Gig 0/21              143            S I      WS-C2960S-Gig 0/1
SC2                Gig 0/8               131            S I      WS-C2960S-Gig 0/2
SC2                Gig 0/7               131            S I      WS-C2960S-Gig 0/1
SC1                Gig 0/5               136            S I      WS-C2960S-Gig 0/1
SC1                Gig 0/6               136            S I      WS-C2960S-Gig 0/2

S2#show cdp neighbors
Device ID            Local Intrfce         Holdtme   Capability    Platform   Port ID
SV2                Gig 0/18              131            S I      WS-C2960-4Fas 0/48
SV1                Gig 0/17              153            S I      WS-C2960-4Fas 0/48
SS3                Gig 0/14              157            S I      WS-C2960S-Gig 0/48
SS3                Gig 0/13              157            S I      WS-C2960S-Gig 0/47
SS2                Gig 0/11              154            S I      WS-C2960S-Gig 0/47
SS2                Gig 0/12              154            S I      WS-C2960S-Gig 0/48
SS1                Gig 0/10              155            S I      WS-C2960S-Gig 0/48
SS1                Gig 0/9               155            S I      WS-C2960S-Gig 0/47
S1                Gig 0/1               131           R S I     WS-C3560G-Gig 0/1
S1                Gig 0/52              153           R S I     WS-C3560G-Gig 0/52
S1                Gig 0/51              153           R S I     WS-C3560G-Gig 0/51
S1                Gig 0/50              153           R S I     WS-C3560G-Gig 0/50
S1                Gig 0/49              153           R S I     WS-C3560G-Gig 0/49
SC3                Gig 0/22              138            S I      WS-C2960S-Gig 0/48
SC3                Gig 0/21              138            S I      WS-C2960S-Gig 0/47
SC2                Gig 0/7               125            S I      WS-C2960S-Gig 0/47
SC2                Gig 0/8               125            S I      WS-C2960S-Gig 0/48
SC1                Gig 0/6               131            S I      WS-C2960S-Gig 0/48
SC1                Gig 0/5               131            S I      WS-C2960S-Gig 0/47

Both switches have the default gateway set:
ip route 0.0.0.0 0.0.0.0 192.168.99.1

kind regards,

Thomas

Thomas

Thank you for the additional information. I believe that it is helpful. The main thing that it shows is that there is not any standby configured on the Gi0/1 ports. If there is no standby/HSRP configured on the Gi0/1 port then why would you expect it to not be active?

I had assumed from the original post that HSRP was configured but not working for some reason. But this additional information shows that there is no HSRP configured on those interfaces and therefore it is normal behavior that both switch ports would be active.

With switch 1 being active for each of the VLANs I would expect most outbound traffic to use Gi0/1 of switch 1 and for very little (if any) traffic to use the interface on switch 2. But I would expect it to be active and acting as a backup if there should be a problem with switch 1.

HTH

Rick

HTH

Rick

Rick,

many thanks for this answer. I have never thought about HSRP for the Gi0/1 ports. Your answer seems to be the right solution.

I think I have to add the following commands ... right?

# Active Switch #
S1# configure terminal
S1(config)# interface gigabitethernet0/1
S1(config-if)# standby 1 192.168.99.2
S1(config-if)# standby priority 250 preempt
S1(config-if)# end

# Backup Switch #
S2# configure terminal
S2(config)# interface gigabitethernet0/1
S2(config-if)# standby 1 192.168.99.3
S2(config-if)# standby priority 50
S2(config-if)# end

kind regards

Thomas

Thomas

I am not sure what advantage you will get from running HSRP on the Gi0/1 interfaces. Would the firewall to which they connect use the virtual address for anything?

And if you do want to configure HSRP then the configuration that you suggest is not correct. From an earlier post you gave us this from switch 1:

S1#show running-config interface gigabitEthernet 0/1
!
interface GigabitEthernet0/1
 description to_firewall
 no switchport
 ip address 192.168.99.2 255.255.255.248

so you can not use 192.168.99.2 as the standby address for switch 1 as you suggest here, and similarly you can not use 192.168.99.3 as the standby on switch 2 since that is assigned as the interface address. For configuring HSRP each switch needs an IP address in the subnet and then the pair of interfaces share a virtual interface. So perhaps it might make sense to have both interfaces use

standby 1 192.168.99.4

HTH

Rick

HTH

Rick
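Rick's two addressing rules above (each peer keeps its own real address in the shared subnet, and the group's virtual address is a third address in that subnet that both peers agree on) are easy to check mechanically before typing the config. The Python below is an added example, not code from this thread or from Cisco: it validates a proposed HSRP group against those rules. The peer dictionaries are constructed from the addresses posted in the thread (Thomas's first proposal and Rick's 192.168.99.4), and the function name is mine.

```python
"""Sanity-check a proposed HSRP group: one real address per peer, all in one subnet,
plus a single shared virtual address that is not any peer's own address.
Added example built from the addresses in the thread; function name is my own."""
import ipaddress


def hsrp_issues(peers, prefix_len):
    """peers: {switch_name: (interface_ip, proposed_virtual_ip)} for one HSRP group.
    Returns a list of human-readable problems; an empty list means the plan is sound."""
    issues = []

    # Rule 1: the peer interfaces must share one subnet (HSRP hellos are link-local).
    nets = {ipaddress.ip_interface(f"{ip}/{prefix_len}").network for ip, _ in peers.values()}
    if len(nets) != 1:
        issues.append("peer interfaces are not in one subnet: "
                      + ", ".join(str(n) for n in sorted(nets)))
        return issues  # the remaining checks assume a single shared subnet
    net = nets.pop()

    # Rule 2: both peers must name the same virtual address for the group.
    virtuals = {v for _, v in peers.values()}
    if len(virtuals) != 1:
        issues.append("peers propose different virtual addresses: " + ", ".join(sorted(virtuals)))

    # Rule 3: the virtual address lies in the subnet and is nobody's real address.
    real = {ip: name for name, (ip, _) in peers.items()}
    for v in sorted(virtuals):
        addr = ipaddress.ip_address(v)
        if addr not in net:
            issues.append(f"virtual {v} is outside the shared subnet {net}")
        elif addr in (net.network_address, net.broadcast_address):
            issues.append(f"virtual {v} is the network or broadcast address of {net}")
        if v in real:
            issues.append(f"virtual {v} is already {real[v]}'s interface address")
    return issues


# Constructed from the thread: Thomas's first proposal reused the interface addresses.
THOMAS_PROPOSAL = {"S1": ("192.168.99.2", "192.168.99.2"),
                   "S2": ("192.168.99.3", "192.168.99.3")}
# Constructed from the thread: Rick's suggestion of a third address for both peers.
RICK_PROPOSAL = {"S1": ("192.168.99.2", "192.168.99.4"),
                 "S2": ("192.168.99.3", "192.168.99.4")}

if __name__ == "__main__":
    for label, plan in (("Thomas", THOMAS_PROPOSAL), ("Rick", RICK_PROPOSAL)):
        print(label, hsrp_issues(plan, 29) or "OK")
```

The /29 comes from the 255.255.255.248 mask in the posted interface configuration. The network/broadcast check is not something the thread discusses; it is a general rule for any host address in a subnet and is included so the function is usable beyond this one case.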

Hi,

sorry, I misunderstood your answer.

"If there is no standby/HSRP configured on the Gi0/1 port then why would you expect it to not be active?"

And yes, the posted HSRP setup for Gi0/1 is nonsense .. *shame on me*

"I am not sure what advantage you will get from running HSRP on the Gi0/1 interfaces. Would the firewall to which they connect use the virtual address for anything?"

No, the firewall will never use the virtual IP.

My primary intention was to figure out why S2 has so much incoming traffic on Gi0/1. I had expected that only S1 Gi0/1 would get the traffic between the firewall and the switch.

"With switch 1 being active for each of the VLANs I would expect most outbound traffic to use Gi0/1 of switch 1 and for very little (if any) traffic to use the interface on switch 2. But I would expect it to be active and acting as a backup if there should be a problem with switch 1."

You are right. But I'm still wondering about the amount of incoming traffic on S2 Gi0/1.

kind regards

Thomas

This definitely looks like an asymmetric routing issue.

Could you kindly get a show ip route from the upstream router.

We might need to tweak the path cost (AD) to make it prefer the link to S1.

Cheers,

Akshay

Thomas

Thank you. This has re-focused the discussion on the real issue. For much of this thread I have been assuming that the problem has to do with HSRP and with traffic outbound to the Internet. It is now much more clear that the question is really about traffic from the Internet coming to the switch interfaces.

And the answer to the question is to be found on the Linux firewall. Traffic from the Internet passes through the firewall and the firewall is making decisions on how to forward the traffic that results in more traffic to switch 2 interface than you expect. So why is the firewall doing this?

Can you tell us what is set up on the firewall, especially in terms of routing to the inside network? Does the firewall have a route to 10.2.0.0, to 10.2.2.0, to 10.2.4.0, and to 10.2.6.0 or does it just have a route to 10.0.0.0 or something like that? And what is the next hop for these routes?

I am going to make a guess at the problem. I am guessing that whatever route is set in the firewall does not have a next hop specified that is either switch 1 or switch 2 interface address. This could lead the firewall to ARP for the destinations. And if the firewall is ARPing for the destination then some traffic would go through switch 1 and some traffic would go through switch 2 depending on which responded more quickly to the ARP request.

HTH

Rick

HTH

Rick

Hi Thomas ,

I do not want to distract you from the current conversation. But I got a different understanding of the problem description you gave.

"A client from the access ports on S3 - 5 gets traffic from the internet via Gi0/1 from S2. Gi0/1 on S1 is active too, but will send mostly traffic to the internet."

The HSRP config looks fine.

Are you trying to say that the traffic that the client on S3 sends goes through Gi0/1 on S1 (which it should) and the return traffic from the internet comes through Gi0/1 of S2?

If that is correct then you are having an asymmetric routing situation and you would need to fix it from the upstream router end. Make the Gi0/1 of S1 the preferred route by tweaking the routing protocol.

Cheers,

Akshay

Akshay, Rick,

first of all, many thanks for your detailed reply.

My apologies for any confusion.

Ok, the network setup looks fine, but the firewall seems to be causing the problem.

The routing table on the firewall, as requested:

linux-firewall:~# ip route list
xxx.xxx.xxx.xxx./28 dev eth0  proto kernel  scope link  src xxx.xxx.xxx.xxx
192.168.99.0/24 dev br0  proto kernel  scope link  src 192.168.99.1
10.2.0.0/16 dev br0  scope link
default via xxx.xxx.xxx.xxx dev eth0

That's all.

A short test:

I have logged into the firewall and deleted the ARP entry for 10.2.0.211.

Then I started a sniffer on the firewall for ARP:

#tcpdump -i any -e -n arp host 10.2.0.211

From 10.2.0.211 I started a ping to www.somehost.com.

and the tcpdump on the firewall shows me:

ARP (0x0806), length 44: Request who-has 10.2.0.211 tell 192.168.99.1, length 28
ARP (0x0806), length 44: Request who-has 10.2.0.211 tell 192.168.99.1, length 28
ARP (0x0806), length 44: Request who-has 10.2.0.211 tell 192.168.99.1, length 28
ARP (0x0806), length 62: Reply 10.2.0.211 is-at 00:14:6a:e7:e5:41, length 46
ARP (0x0806), length 62: Reply 10.2.0.211 is-at 00:14:6a:e7:e5:41, length 46
ARP (0x0806), length 62: Reply 10.2.0.211 is-at 00:17:95:f3:42:41, length 46
ARP (0x0806), length 62: Reply 10.2.0.211 is-at 00:17:95:f3:42:41, length 46

00:14:xx -> Gi0/1 on S2

00:17:xx -> Gi0/1 on S1

kind regards

Thomas
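The routing table and the capture in Thomas's post are the two halves of the diagnosis Rick gives: the 10.2.0.0/16 route has no gateway, so the firewall ARPs on br0 for every host in that /16, and both 3560s answer for it (proxy ARP is on by default on IOS routed interfaces), so whichever reply lands first wins. The Python below is an added example, not code from this thread or from any vendor: it reads saved `ip route list` and `tcpdump ... arp` output and flags both conditions, a non-connected prefix routed on-link without a next hop, and one IP answered by more than one MAC. The sample text is constructed from the lines posted above with the public addresses left masked, the "fixed" table is constructed from the route Thomas adds at the end of the thread, and the function names are mine.

```python
"""Flag two things in saved firewall output: an on-link route for a remote prefix
(no `via`, so the host ARPs for every destination in it) and ARP replies for one IP
from several MACs (more than one router answering). Added example; sample text is
constructed from the thread and the function names are my own."""
import ipaddress
import re
from collections import defaultdict

# Constructed from the firewall routing table posted above (public addresses masked).
ROUTE_OUTPUT = """\
xxx.xxx.xxx.xxx/28 dev eth0  proto kernel  scope link  src xxx.xxx.xxx.xxx
192.168.99.0/24 dev br0  proto kernel  scope link  src 192.168.99.1
10.2.0.0/16 dev br0  scope link
default via xxx.xxx.xxx.xxx dev eth0
"""

# Constructed: the same table after the `via 192.168.99.4` route from the end of the thread.
FIXED_ROUTE_OUTPUT = ROUTE_OUTPUT.replace(
    "10.2.0.0/16 dev br0  scope link", "10.2.0.0/16 via 192.168.99.4 dev br0")

# Constructed from the tcpdump output posted above.
TCPDUMP_OUTPUT = """\
ARP (0x0806), length 44: Request who-has 10.2.0.211 tell 192.168.99.1, length 28
ARP (0x0806), length 62: Reply 10.2.0.211 is-at 00:14:6a:e7:e5:41, length 46
ARP (0x0806), length 62: Reply 10.2.0.211 is-at 00:14:6a:e7:e5:41, length 46
ARP (0x0806), length 62: Reply 10.2.0.211 is-at 00:17:95:f3:42:41, length 46
"""

# iproute2 prints `<dst> [via <gw>] dev <if> <flags...>`.
ROUTE_RE = re.compile(r"^(?P<dst>\S+) (?:via (?P<via>\S+) )?dev (?P<dev>\S+)(?P<rest>.*)$")
ARP_REPLY_RE = re.compile(
    r"Reply (?P<ip>\d+(?:\.\d+){3}) is-at (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})", re.I)


def parse_routes(text):
    """Minimal parse of `ip route list` lines into dicts; unparseable lines are skipped."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:
            routes.append({"dst": m["dst"], "via": m["via"], "dev": m["dev"],
                           "kernel": "proto kernel" in m["rest"]})
    return routes


def remote_onlink_routes(text):
    """(dst, dev) for routes that point a non-connected prefix at an interface with no
    gateway. For such a route the kernel ARPs on that interface for every host in dst."""
    routes = parse_routes(text)
    connected = defaultdict(list)  # dev -> subnets the kernel derived from its own addresses
    for r in routes:
        if r["kernel"] and r["via"] is None:
            try:
                connected[r["dev"]].append(ipaddress.ip_network(r["dst"], strict=False))
            except ValueError:
                pass  # masked address in the posted output
    flagged = []
    for r in routes:
        if r["via"] is not None or r["kernel"] or r["dst"] == "default":
            continue
        try:
            net = ipaddress.ip_network(r["dst"], strict=False)
        except ValueError:
            continue
        if not any(net.subnet_of(c) for c in connected[r["dev"]]):
            flagged.append((r["dst"], r["dev"]))
    return flagged


def multi_responder_ips(text):
    """IPs for which ARP replies came from more than one MAC, with the MACs seen."""
    seen = defaultdict(set)
    for line in text.splitlines():
        m = ARP_REPLY_RE.search(line)
        if m:
            seen[m["ip"]].add(m["mac"].lower())
    return {ip: sorted(macs) for ip, macs in seen.items() if len(macs) > 1}


def findings(route_text, arp_text):
    """Combine both checks into a list of plain-text findings (empty when clean)."""
    out = [f"route {dst} on {dev} has no gateway: host ARPs for every address in it"
           for dst, dev in remote_onlink_routes(route_text)]
    out += [f"{ip} answered by {len(macs)} MACs: {', '.join(macs)}"
            for ip, macs in multi_responder_ips(arp_text).items()]
    return out


if __name__ == "__main__":
    for line in findings(ROUTE_OUTPUT, TCPDUMP_OUTPUT):
        print(line)
    print("after fix:", findings(FIXED_ROUTE_OUTPUT, "") or "clean")
```

Once the route carries a `via`, the firewall ARPs only for the next hop, so the second finding disappears along with the first; the same duplicate-responder check is also a useful standing alert on any segment where exactly one device is supposed to own each address.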

Thomas

Thank you for the additional information. I believe that it confirms my guess in my recent post that the firewall does not have a route for the 10.2/16 network but is using ARP for every address in the network that it attempts to reach. In this case both of the switches receive the ARP request, both respond, and the firewall chooses one (typically the first one to respond), and this explains why you see the amount of traffic inbound on the interface of switch 2.

I believe that we now understand the problem. I am not a Linux expert so I can not tell you the details of how to fix the problem. But it would probably involve configuring a route on the firewall for the 10.2.0.0/16 network. And in this context it may make sense to go back to the question of running HSRP on the switch Gi0/1 interfaces. I now suggest that it would be a good thing to configure the switch Gi0/1 interfaces for HSRP and to use the virtual address that they share as the next hop of the route in the firewall. This would allow the firewall to continue to forward traffic through switch 2 if there were a problem with switch 1.

HTH

Rick

HTH

Rick

Hi,

the problem is now solved. I've added an HSRP setup for Gi0/1 on S1 and S2 (192.168.99.4).

And on the firewall:

up ip route add 10.2.0.0/16 via 192.168.99.4 dev br0

Now, the net flow works as expected.

Thank you very much.
