cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
4499
Views
7
Helpful
7
Replies

HSRP on LAN and WAN interface

quintin
Level 1
Level 1

Hello,

I currently use L3 switches as edge routers to my WAN. I want to use a pair of 3560x switches with IPbase to provide a failover path to my WAN using HSRP at one location but had some problems testing the configuration. My plan is use a virtual address on the LAN interface (VLANx which port gi0/1 accesses) and the WAN interface (VLANy which port gi0/24 accesses). I want switch 1 to be primary since it will have an IPS attached to it, and switch 2 will be backup and used only when switch 1 or the IPS requires maintenance. On both the LAN and WAN sides there is no advanced routing going on, the various hosts just depend on the availability of their respective default gateways, so HSRP should be sufficient to provide a failover in either direction.

In my testing I got 1 or the other link to fail over but not the entire switch. What should my config look like to achieve failover of the entire switch in the event 1 or the other interface goes down, and fail back when the primary links are again available?

7 Replies 7

Giuseppe Larosa
Hall of Fame
Hall of Fame

Hello Quintin,

you need to combine preemption with interface tracking

preemption provides the capability for the device with the higher priority to take the role of active router in HSRP group.

Tracking allows to reduce HSRP priority if a monitored interface fails.

see config guide for HSRP

http://www.cisco.com/en/US/docs/ios-xml/ios/ipapp_fhrp/configuration/12-4t/fhp-hsrp.html#GUID-1B905648-DF2B-4B68-9821-594EA794A176

Hope to help

Giuseppe

rettuc_ccnp
Level 1
Level 1

     WAN device

     |               |

     |               |

   SW1-------- SW2

So, if I understand this correctly you want SW1 to be your primary path for traffic going to the WAN device and the secondary path to be from SW2 to your WAN device.  If this is the case there are a few things to consider for a proper and predictable overall design which goes beyond just who is primary for WAN traffic.

1.   configure SW1 to be your spanning-tree root bridge.  I would recommend setting SW1 priority to 4096 and SW2 priority to 8192.  This will just get your devices in sync on who is primary for L2 and L3 traffic.  I personally like this because it establishes a degree of intuitive predictability.

2. now for HSRP.

     SW1 configuration should look like this          SW2 configuration should look

     interface Vlan [vlan-id]                                   interface Vlan [vlan-id] <--- same vlan-id as SW1   

     standby 1 ip X.Y.Z.1                                     standby 1 ip X.Y.Z.1 <--- same virtual ip configured on SW1

     standby 1 priority 120                                   standby 1 priority 110

     standby 1 preempt    

  If I'm understanding your requirements the above should be all you need.  The "preempt" configuration on SW1 will allow it to be the primary once it becomes reachable again.     

Thank you both.

rettuc, shouldn't tracking come into play as Giuseppe indicated? And how would configuring spanning tree on these devices affect the rest of the network? the G10/1 interfaces of these devices would be pluggedd into a switch stack comprising my core network and routes.

I was working on a number of other things and tracking completely slipped my mind, but yes...Giuseppe is on track, pun intended 

So adding tracking changes the configuration I previously posted to the following (noted by *);

2. now for HSRP.

     SW1 configuration should look like this          SW2 configuration should look

     interface Vlan [vlan-id]                                   interface Vlan [vlan-id] <--- same vlan-id as SW1   

     standby 1 ip X.Y.Z.1                                     standby 1 ip X.Y.Z.1 <--- same virtual ip configured on SW1

     standby 1 priority 120                                   standby 1 priority 110

     standby 1 preempt                                       * standby 1 preempt

      * standby 1 track [interface] 40                       * standby 1 track [interface] 40

NOTE:

- I added preempt on SW2 so it will take the active role when the priority on SW1 is reduced due to link failure

- I added tracking to SW2 because you don't need it to have a higher priority, thus allowing it to take the active role, if its tracked interface to the WAN device goes down before or at the same time the tracked link between SW1 and the WAN device goes down.  In this scenario there is no benefit in changing who is the active standby.  Without this added to SW2 its priority will remain at 110 when its link to your WAN devices drops while SW1's priority will decrement by 40.

Hope this helps!

oh yeah forgot to answer the spanning-tree question.

My suggestion regarding spanning-tree root was just an additional suggestion...separate from the HSRP question.

In my honest opinion when engineering traffic behavior it's best to design both L2 and L3 from the same perspective.  In this case HSRP is identifying SW1 as primary and SW2 as secondary from a layer 3 perspective while my spanning-tree suggestion identifies SW1 as primary and SW2 as secondary from a layer 2 perspective.  

quintin
Level 1
Level 1

Thank you all. I was able to do what I needed in a lab environment, so now I just need to apply it to the equipment I want in on. Thanks so much for your help and advice.

quintin
Level 1
Level 1

To all who helped with this previously, thank you. There is one thing that I have found though that is confusing.
In testing the set up before implementing I have a PC on the wan side trying to ping from the wan interface of the switches, through the LAN interface , through the fa0/1interface of a router on the LAN side, to the fa0/1 interface on the other side of the router. If I pull the cable on the Wan side, fail over takes place in about 15 to 30 seconds and my ping continues. If I pull the cable on the LAN side though, fail over takes place after about 2 1/2 minutes. I was thinking there may be some routing or arp issue, but the router has as it's default route the standby LAN address of the standby pair, and of course, the Mac address for that reflects the virtual Mac of the standby address. Any ideas why 1 fail over is so much longer than the other?

Sent from Cisco Technical Support Android App

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Innovations in Cisco Full Stack Observability - A new webinar from Cisco