I currently use L3 switches as edge routers to my WAN. I want to use a pair of 3560x switches with IPbase to provide a failover path to my WAN using HSRP at one location but had some problems testing the configuration. My plan is to use a virtual address on the LAN interface (VLANx which port gi0/1 accesses) and the WAN interface (VLANy which port gi0/24 accesses). I want switch 1 to be primary since it will have an IPS attached to it, and switch 2 will be backup and used only when switch 1 or the IPS requires maintenance. On both the LAN and WAN sides there is no advanced routing going on, the various hosts just depend on the availability of their respective default gateways, so HSRP should be sufficient to provide a failover in either direction.
In my testing I got 1 or the other link to fail over but not the entire switch. What should my config look like to achieve failover of the entire switch in the event 1 or the other interface goes down, and fail back when the primary links are again available?
So, if I understand this correctly you want SW1 to be your primary path for traffic going to the WAN device and the secondary path to be from SW2 to your WAN device. If this is the case there are a few things to consider for a proper and predictable overall design which goes beyond just who is primary for WAN traffic.
1. configure SW1 to be your spanning-tree root bridge. I would recommend setting SW1 priority to 4096 and SW2 priority to 8192. This will just get your devices in sync on who is primary for L2 and L3 traffic. I personally like this because it establishes a degree of intuitive predictability.
2. now for HSRP.
SW1 configuration should look like this:
interface Vlan [vlan-id]
 standby 1 ip X.Y.Z.1
 standby 1 priority 120
 standby 1 preempt

SW2 configuration should look like this:
interface Vlan [vlan-id] <--- same vlan-id as SW1
 standby 1 ip X.Y.Z.1 <--- same virtual ip configured on SW1
 standby 1 priority 110
If I'm understanding your requirements the above should be all you need. The "preempt" configuration on SW1 will allow it to be the primary once it becomes reachable again.
rettuc, shouldn't tracking come into play as Giuseppe indicated? And how would configuring spanning tree on these devices affect the rest of the network? The G10/1 interfaces of these devices would be plugged into a switch stack comprising my core network and routes.
- I added preempt on SW2 so it will take the active role when the priority on SW1 is reduced due to link failure
- I added tracking to SW2 because you don't need it to have a higher priority, thus allowing it to take the active role, if its tracked interface to the WAN device goes down before or at the same time the tracked link between SW1 and the WAN device goes down. In this scenario there is no benefit in changing who is the active standby. Without this added to SW2 its priority will remain at 110 when its link to your WAN devices drops while SW1's priority will decrement by 40.
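The HSRP answer above (priority 120/110 with preempt) and the follow-up about adding preempt and WAN-link tracking to SW2 can be checked with a small election model. This is an added example, not code or configuration from the thread; it assumes a decrement of 40 on a tracked gi0/24 (the WAN port from the question) for both switches and replays the link-failure sequence the posts describe.

```python
from dataclasses import dataclass, field

@dataclass
class HsrpRouter:
    name: str
    priority: int                               # standby 1 priority <n>
    preempt: bool                               # standby 1 preempt configured?
    tracks: dict = field(default_factory=dict)  # tracked interface -> decrement

    def effective_priority(self, down):
        # HSRP subtracts the decrement of every tracked interface that is down.
        return self.priority - sum(d for ifc, d in self.tracks.items() if ifc in down)

def elect_active(routers, current, down):
    """Return the name of the router that is active after a link change.
    `down` maps router name -> set of that router's interfaces that are down.
    A standby router only takes over if it has preempt configured AND a
    strictly higher effective priority than the current active router;
    a lowered priority on the active router alone never causes a change."""
    cur = next(r for r in routers if r.name == current)
    best, best_prio = cur, cur.effective_priority(down.get(cur.name, set()))
    for r in routers:
        if r.name == current or not r.preempt:
            continue
        p = r.effective_priority(down.get(r.name, set()))
        if p > best_prio:
            best, best_prio = r, p
    return best.name

def walk_scenarios(sw2_preempt, sw2_tracks_wan):
    """Replay the failure sequence discussed in the thread and record who is
    active after each step. Priorities 120/110 and the decrement of 40 are the
    values from the thread; the tracked port gi0/24 is assumed for both switches."""
    sw1 = HsrpRouter("SW1", 120, True, {"gi0/24": 40})
    sw2 = HsrpRouter("SW2", 110, sw2_preempt, {"gi0/24": 40} if sw2_tracks_wan else {})
    routers, active, result = [sw1, sw2], "SW1", {}
    steps = [
        ("all links up", {}),
        ("SW1 WAN link down", {"SW1": {"gi0/24"}}),
        ("SW1 WAN link restored", {}),
        ("SW2 WAN link down", {"SW2": {"gi0/24"}}),
        ("SW1 WAN link also down", {"SW1": {"gi0/24"}, "SW2": {"gi0/24"}}),
    ]
    for label, down in steps:
        active = elect_active(routers, active, down)
        result[label] = active
    return result

if __name__ == "__main__":
    for cfg in [(False, False), (True, False), (True, True)]:
        print("SW2 preempt=%s track=%s -> %s" % (cfg + (walk_scenarios(*cfg),)))
```

Without preempt on SW2 the tracked-link failure on SW1 lowers its priority but nothing takes over; without tracking on SW2 it takes over even when its own WAN link is already down.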
oh yeah forgot to answer the spanning-tree question.
My suggestion regarding spanning-tree root was just an additional suggestion...separate from the HSRP question.
In my honest opinion when engineering traffic behavior it's best to design both L2 and L3 from the same perspective. In this case HSRP is identifying SW1 as primary and SW2 as secondary from a layer 3 perspective while my spanning-tree suggestion identifies SW1 as primary and SW2 as secondary from a layer 2 perspective.
To all who helped with this previously, thank you. There is one thing that I have found though that is confusing. In testing the setup before implementing I have a PC on the WAN side trying to ping from the WAN interface of the switches, through the LAN interface, through the fa0/1 interface of a router on the LAN side, to the fa0/1 interface on the other side of the router. If I pull the cable on the WAN side, failover takes place in about 15 to 30 seconds and my ping continues. If I pull the cable on the LAN side though, failover takes place after about 2 1/2 minutes. I was thinking there may be some routing or ARP issue, but the router has as its default route the standby LAN address of the standby pair, and of course, the MAC address for that reflects the virtual MAC of the standby address. Any ideas why one failover is so much longer than the other?