671 Views, 0 Helpful, 12 Replies

HSRP Issue

sameermunj
Level 1

Hi

I have 2 core 6509 switches and I am doing HSRP between them. Core 1 is connected to firewall 1 and core 2 is connected to firewall 2. Both core switches are connected via a trunk link. In this case I am giving the IP to the physical interface and doing HSRP. The problem is the firewall is Juniper and they do NSRP, in which one firewall is active and the other firewall is inactive. I am using a /29 subnet for the HSRP, in which core 1 has 10.1.1.1/29, core 2 has 10.1.1.2/29, the HSRP IP is 10.1.1.3 and the firewall NSRP IP is 10.1.1.4.

Now the problem is both cores cannot communicate with each other and both remain master.

Core 1 shows the IP route for 10.1.1.2 towards the firewall and core 2 has the route for 10.1.1.1 towards firewall 2, so they cannot communicate and both remain master.

I tried configuring an L3 link between the core switches and added a static route for connectivity between the 2 switches. Now core 1 can communicate with core 2's IP but HSRP is not changing and remains master on both switches.

Please suggest.

12 Replies

Jon Marshall
Hall of Fame

Sameer

Please post output of "sh standby brief" from core switches.

As I asked in the previous thread, why are you giving the IP addresses to the physical interfaces rather than using SVI interfaces on the core switches?

Jon

Hi

The problem is I am using subinterfaces on this particular port. These subinterfaces are part of different VRFs; that's the reason I am giving the IP to the physical interface.

The reason both switches are master is they can't ping each other's IPs, and I need a solution for it.

When I see the route for 10.1.1.2 in core 1 it shows go to firewall 1 as it's directly connected. When I see the route for 10.1.1.1 in core 2 it shows go to firewall 2, but as firewall 2 is in standby mode the communication is not happening.

I am sending you the show standby capture shortly.

Sameer

What switches and IOS version are you using? I have used 3550 switches before and assigned an L3 SVI to a VRF.

Jon

Cisco 6509, 12.2.33

It's a working setup so it is difficult to change the design now. Can I have any solution on this setup?

Understood.

In addition to the "sh standby brief" can you post the config for the ports on the core switches that connect to the firewalls.

Jon

Please find below the config

primary

  interface GigabitEthernet1/1
   description To ITIWANF001
   ip address 10.1.2.65 255.255.255.248
   ip ospf network point-to-point
   standby 1 ip 10.1.2.67
   standby 1 priority 110
   standby 1 preempt

  Gi1/2     1  110 P Active  local  unknown  10.1.2.75
  Gi1/2.11  1  110 P Active  local  unknown  10.2.11.75
  Gi1/2.12  1  110 P Active  local  unknown  10.2.12.75
  Gi1/2.15  1  110 P Active  local  unknown  10.2.15.75

secondary

  interface GigabitEthernet1/2
   description To ITIINTF002
   ip address 10.1.2.74 255.255.255.248
   ip ospf network point-to-point
   standby 1 ip 10.1.2.75

  Gi1/2     1  100   Active  local  unknown  10.1.2.75
  Gi1/2.11  1  100   Active  local  unknown  10.2.11.75
  Gi1/2.12  1  100   Active  local  unknown  10.2.12.75
  Gi1/2.15  1  100   Active  local  unknown  10.2.15.75

Sameer

Again, I am somewhat confused :-)

What have you posted here? It certainly doesn't match your diagram, i.e. on your diagram you have 10.1.1.1 and 10.1.1.2. You also said you had subinterfaces on the interfaces connecting to the firewalls but I can't see any subinterfaces in the above nor any VRF config.

We are trying to help but you need to post consistent config. Can you confirm or repost the config of the gigabit ports on Core1 and Core2 that connect to the firewalls? If it is the above, can you explain where the subinterface/VRF config comes in?

The other thing to note is that if the above are the right ports then they are not allocated into any VLAN because they are routed ports. But you need the firewalls to be in the same VLAN so that HSRP all works well.

I feel at the moment as though I am missing some vital piece of info?

Jon

Hi

In the 1st post I just gave it as an example.

You can't see the VRF on the text sent because it's used for global routing and the other subinterfaces are used for VRFs.

This capture will give you more details.

Primary

  interface GigabitEthernet1/2
   description to ITIINTF001
   ip address 10.1.2.73 255.255.255.248
   ip ospf network point-to-point
   standby 1 ip 10.1.2.75
   standby 1 priority 110
   standby 1 preempt
  !
  interface GigabitEthernet1/2.10
  !
  interface GigabitEthernet1/2.11
   encapsulation dot1Q 211
   ip vrf forwarding VRF11
   ip address 10.2.11.73 255.255.255.248
   ip ospf network point-to-point
   standby 1 ip 10.2.11.75
   standby 1 priority 110
   standby 1 preempt
  !
  interface GigabitEthernet1/2.12
   encapsulation dot1Q 212
   ip vrf forwarding VRF12
   ip address 10.2.12.73 255.255.255.248
   ip ospf network point-to-point
   standby 1 ip 10.2.12.75
   standby 1 priority 110
   standby 1 preempt
  !
  interface GigabitEthernet1/2.15
   encapsulation dot1Q 215
   ip vrf forwarding VRF15
   ip address 10.2.15.73 255.255.255.248
   ip ospf network point-to-point
   standby 1 ip 10.2.15.75
   standby 1 priority 110
   standby 1 preempt

  Gi1/2     1  110 P Active  local  unknown  10.1.2.75
  Gi1/2.11  1  110 P Active  local  unknown  10.2.11.75
  Gi1/2.12  1  110 P Active  local  unknown  10.2.12.75
  Gi1/2.15  1  110 P Active  local  unknown  10.2.15.75

Secondary

  interface GigabitEthernet1/2
   description To ITIINTF002
   ip address 10.1.2.74 255.255.255.248
   ip ospf network point-to-point
   standby 1 ip 10.1.2.75
  !
  interface GigabitEthernet1/2.11
   encapsulation dot1Q 211
   ip vrf forwarding VRF11
   ip address 10.2.11.74 255.255.255.248
   ip ospf network point-to-point
   standby 1 ip 10.2.11.75
  !
  interface GigabitEthernet1/2.12
   encapsulation dot1Q 212
   ip vrf forwarding VRF12
   ip address 10.2.12.74 255.255.255.248
   ip ospf network point-to-point
   standby 1 ip 10.2.12.75
  !
  interface GigabitEthernet1/2.15
   encapsulation dot1Q 215
   ip vrf forwarding VRF15
   ip address 10.2.15.74 255.255.255.248
   ip ospf network point-to-point
   standby 1 ip 10.2.15.75

  Gi1/2     1  100   Active  local  unknown  10.1.2.75
  Gi1/2.11  1  100   Active  local  unknown  10.2.11.75
  Gi1/2.12  1  100   Active  local  unknown  10.2.12.75
  Gi1/2.15  1  100   Active  local  unknown  10.2.15.75
  ITDC-10-COR-SW2#

Sameer

Well, as you can see from your config, the 2 switches cannot see each other in terms of HSRP. And the reason is that your gigabit ports are not allocated into the same VLAN, so how will they see each other?

None of your HSRP will work this way because, even though the switches are interconnected with an L2 trunk, the actual physical ports are not in the same VLAN and HSRP packets are only sent within the same VLAN.

If you want to run HSRP between the 2 gigabit ports then they must have L2 adjacency, and to do this they cannot be routed ports; they must be allocated into the same VLAN.

Hence the reason I suggested using SVIs on the core switches, i.e. each subinterface becomes an L3 SVI on your switch and then the gigabit ports are simply trunk ports.

If you can't do that then you can't run HSRP in the config you have.

I don't know enough about Juniper firewalls to suggest something else for definite. Can you run a routing protocol between the core switches and the Juniper firewalls and get rid of HSRP altogether?

Jon
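The SVI-based design Jon describes above, written out for Core1 as an added example (this is not configuration from the thread or from the poster's switches). It reuses the dot1Q tags 211/212/215 and the addresses from the posted subinterfaces; VLAN 10 for the global-routing segment, the hostname ITDC-10-COR-SW1 and the inter-core trunk port TenGigabitEthernet5/1 are assumptions, and the VRFs VRF11/VRF12/VRF15 are assumed to be defined already. The "ip ospf network point-to-point" lines from the posted config are left out because, once both cores and the firewall share one VLAN, that segment is no longer a point-to-point link and the OSPF network type would need to be revisited.

```cisco
! Core1 (hostname ITDC-10-COR-SW1 is assumed): HSRP moved from routed
! ports onto SVIs, so the HSRP hellos travel in the VLAN across the
! existing inter-core trunk and no longer depend on the firewall.
! VLAN 10 is an assumed ID for the global segment that was untagged before.
vlan 10,211,212,215
!
! Port to firewall 1: no longer a routed port, just an L2 trunk.
! Native VLAN 10 keeps the global segment untagged towards the firewall,
! so the firewall side needs no change (it already expects tags 211/212/215).
interface GigabitEthernet1/2
 description to ITIINTF001
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 10
 switchport trunk allowed vlan 10,211,212,215
 switchport mode trunk
!
! The trunk between the two cores must carry the same VLANs, otherwise the
! HSRP hellos still cannot reach the peer (port name is a placeholder).
interface TenGigabitEthernet5/1
 description to ITDC-10-COR-SW2 (inter-core trunk)
 switchport trunk allowed vlan add 10,211,212,215
!
! Global routing table segment (was the main interface Gi1/2).
interface Vlan10
 ip address 10.1.2.73 255.255.255.248
 standby 1 ip 10.1.2.75
 standby 1 priority 110
 standby 1 preempt
!
! One SVI per VRF, addresses copied from the posted subinterfaces.
! "ip vrf forwarding" must come before "ip address": applying it
! afterwards clears the address from the interface.
interface Vlan211
 ip vrf forwarding VRF11
 ip address 10.2.11.73 255.255.255.248
 standby 1 ip 10.2.11.75
 standby 1 priority 110
 standby 1 preempt
!
interface Vlan212
 ip vrf forwarding VRF12
 ip address 10.2.12.73 255.255.255.248
 standby 1 ip 10.2.12.75
 standby 1 priority 110
 standby 1 preempt
!
interface Vlan215
 ip vrf forwarding VRF15
 ip address 10.2.15.73 255.255.255.248
 standby 1 ip 10.2.15.75
 standby 1 priority 110
 standby 1 preempt
```

Core2 gets the mirror image with its .74 addresses and, as in the posted config, no priority or preempt so it stays at the default priority of 100. Once the VLANs are allowed on the inter-core trunk, "show standby brief" on either switch should list the peer's address in the Standby column instead of "unknown", and only one switch per group should show Active; if a group still shows Active on both, the VLAN is not being carried end to end between the two SVIs.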

Hi jon

If you see the config I have shared, only for 1 interface is the IP address given to the main interface, which is used for global routing, and the rest are all subinterfaces for which dot1q has been configured. If I shift the main interface config to 1 more subinterface with, say, dot1q 10, then will my switches be able to communicate with each other? If yes, it will require little configuration change.

If I need to create an interface VLAN for each of the subinterfaces involved then it would be difficult.

Suppose I am removing HSRP and running a plain routing protocol; then I think I need to play with interface cost to make the switch primary and backup.

zhengsean
Level 1

Try to use VRRP instead of HSRP, since HSRP is a Cisco proprietary protocol.

VRRP still needs L2 adjacency between the core switches.

Jon
