
HSRP - Passive switch handles traffic?

ictzcisco
Level 1

Hello all,

I want to set up a fail-over environment at one of my customers.

But the two core switches are not acting like I wanted them to.

My HSRP Stand-by switch is handling all the traffic.

Does anyone know why and how to fix this?

Also see attached image.

Config sw-core-01:

Building configuration...

Current configuration : 8351 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname sw-core-01
!
enable secret 5 $
!
username administrator privilege 15 secret 5 $
no aaa new-model
clock timezone CET 1
system mtu routing 1500
!
ip subnet-zero
ip routing
!
!
mls qos map cos-dscp 0 8 16 26 32 46 48 56
mls qos srr-queue input bandwidth 90 10
mls qos srr-queue input threshold 1 8 16
mls qos srr-queue input threshold 2 34 66
mls qos srr-queue input buffers 67 33
mls qos srr-queue input cos-map queue 1 threshold 2  1
mls qos srr-queue input cos-map queue 1 threshold 3  0
mls qos srr-queue input cos-map queue 2 threshold 1  2
mls qos srr-queue input cos-map queue 2 threshold 2  4 6 7
mls qos srr-queue input cos-map queue 2 threshold 3  3 5
mls qos srr-queue input dscp-map queue 1 threshold 2  9 10 11 12 13 14 15
mls qos srr-queue input dscp-map queue 1 threshold 3  0 1 2 3 4 5 6 7
mls qos srr-queue input dscp-map queue 1 threshold 3  32
mls qos srr-queue input dscp-map queue 2 threshold 1  16 17 18 19 20 21 22 23
mls qos srr-queue input dscp-map queue 2 threshold 2  33 34 35 36 37 38 39 48
mls qos srr-queue input dscp-map queue 2 threshold 2  49 50 51 52 53 54 55 56
mls qos srr-queue input dscp-map queue 2 threshold 2  57 58 59 60 61 62 63
mls qos srr-queue input dscp-map queue 2 threshold 3  24 25 26 27 28 29 30 31
mls qos srr-queue input dscp-map queue 2 threshold 3  40 41 42 43 44 45 46 47
mls qos srr-queue output cos-map queue 1 threshold 3  5
mls qos srr-queue output cos-map queue 2 threshold 3  3 6 7
mls qos srr-queue output cos-map queue 3 threshold 3  2 4
mls qos srr-queue output cos-map queue 4 threshold 2  1
mls qos srr-queue output cos-map queue 4 threshold 3  0
mls qos srr-queue output dscp-map queue 1 threshold 3  40 41 42 43 44 45 46 47
mls qos srr-queue output dscp-map queue 2 threshold 3  24 25 26 27 28 29 30 31
mls qos srr-queue output dscp-map queue 2 threshold 3  48 49 50 51 52 53 54 55
mls qos srr-queue output dscp-map queue 2 threshold 3  56 57 58 59 60 61 62 63
mls qos srr-queue output dscp-map queue 3 threshold 3  16 17 18 19 20 21 22 23
mls qos srr-queue output dscp-map queue 3 threshold 3  32 33 34 35 36 37 38 39
mls qos srr-queue output dscp-map queue 4 threshold 1  8
mls qos srr-queue output dscp-map queue 4 threshold 2  9 10 11 12 13 14 15
mls qos srr-queue output dscp-map queue 4 threshold 3  0 1 2 3 4 5 6 7
mls qos queue-set output 1 threshold 1 138 138 92 138
mls qos queue-set output 1 threshold 2 138 138 92 400
mls qos queue-set output 1 threshold 3 36 77 100 318
mls qos queue-set output 1 threshold 4 20 50 67 400
mls qos queue-set output 2 threshold 1 149 149 100 149
mls qos queue-set output 2 threshold 2 118 118 100 235
mls qos queue-set output 2 threshold 3 41 68 100 272
mls qos queue-set output 2 threshold 4 42 72 100 242
mls qos queue-set output 1 buffers 10 10 26 54
mls qos queue-set output 2 buffers 16 6 17 61
mls qos
!
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface GigabitEthernet0/1
description fw-asa-01
switchport trunk encapsulation dot1q
switchport trunk native vlan 10
switchport mode trunk
srr-queue bandwidth share 10 10 60 20
srr-queue bandwidth shape  10  0  0  0
queue-set 2
mls qos trust dscp
macro description cisco-router
auto qos voip trust
spanning-tree portfast trunk
spanning-tree bpduguard enable
!
interface GigabitEthernet0/2
switchport access vlan 10
switchport mode access
!
interface GigabitEthernet0/3
switchport access vlan 20
switchport mode access
!
interface GigabitEthernet0/4
switchport access vlan 30
switchport mode access
!
interface GigabitEthernet0/5
switchport access vlan 40
switchport mode access
!
interface GigabitEthernet0/6
switchport access vlan 50
switchport mode access
!
interface GigabitEthernet0/7
!
interface GigabitEthernet0/8
!
interface GigabitEthernet0/9
!
interface GigabitEthernet0/10
!
interface GigabitEthernet0/11
!
interface GigabitEthernet0/12
!
interface GigabitEthernet0/13
!
interface GigabitEthernet0/14
!
interface GigabitEthernet0/15
!
interface GigabitEthernet0/16
!
interface GigabitEthernet0/17
!
interface GigabitEthernet0/18
!
interface GigabitEthernet0/19
!
interface GigabitEthernet0/20
switchport access vlan 70
switchport mode access
spanning-tree portfast trunk
!
interface GigabitEthernet0/21
!
interface GigabitEthernet0/22
switchport trunk encapsulation dot1q
switchport mode trunk
srr-queue bandwidth share 10 10 60 20
srr-queue bandwidth shape  10  0  0  0
queue-set 2
mls qos trust cos
macro description cisco-switch
auto qos voip trust
spanning-tree portfast trunk
spanning-tree link-type point-to-point
!
interface GigabitEthernet0/23
switchport access vlan 60
switchport mode access
!
interface GigabitEthernet0/24
switchport trunk encapsulation dot1q
switchport mode trunk
srr-queue bandwidth share 10 10 60 20
srr-queue bandwidth shape  10  0  0  0
queue-set 2
mls qos trust cos
macro description cisco-switch
auto qos voip trust
spanning-tree link-type point-to-point
!
interface GigabitEthernet0/25
switchport trunk encapsulation dot1q
switchport mode trunk
srr-queue bandwidth share 10 10 60 20
srr-queue bandwidth shape  10  0  0  0
queue-set 2
mls qos trust cos
macro description cisco-switch
auto qos voip trust
spanning-tree link-type point-to-point
!
interface GigabitEthernet0/26
switchport trunk encapsulation dot1q
switchport mode trunk
srr-queue bandwidth share 10 10 60 20
srr-queue bandwidth shape  10  0  0  0
queue-set 2
mls qos trust cos
macro description cisco-switch
auto qos voip trust
spanning-tree link-type point-to-point
!
interface GigabitEthernet0/27
switchport trunk encapsulation dot1q
switchport mode trunk
srr-queue bandwidth share 10 10 60 20
srr-queue bandwidth shape  10  0  0  0
queue-set 2
mls qos trust cos
macro description cisco-switch
auto qos voip trust
spanning-tree link-type point-to-point
!
interface GigabitEthernet0/28
switchport trunk encapsulation dot1q
switchport mode trunk
srr-queue bandwidth share 10 10 60 20
srr-queue bandwidth shape  10  0  0  0
queue-set 2
mls qos trust cos
macro description cisco-switch
auto qos voip trust
spanning-tree link-type point-to-point
!
interface Vlan1
description management
ip address 192.168.5.253 255.255.255.0
no ip route-cache cef
no ip route-cache
standby preempt
standby 1 ip 192.168.5.254
standby 1 timers 5 15
standby 1 priority 105
standby 1 preempt
standby 1 authentication FCOHSRP
standby 1 track GigabitEthernet0/25
standby 1 track GigabitEthernet0/26
standby 1 track GigabitEthernet0/27
standby 1 track GigabitEthernet0/28
!
interface Vlan10
description server
ip address 192.168.10.253 255.255.255.0
no ip route-cache cef
no ip route-cache
standby 10 ip 192.168.10.254
standby 10 timers 5 15
standby 10 priority 105
standby 10 preempt
standby 10 authentication FCOHSRP
!
interface Vlan20
description pc
ip address 192.168.20.253 255.255.255.0
ip helper-address 192.168.10.11
no ip route-cache cef
no ip route-cache
standby 20 ip 192.168.20.254
standby 20 timers 5 15
standby 20 priority 105
standby 20 preempt
standby 20 authentication FCOHSRP
!
interface Vlan30
description printer
ip address 192.168.30.253 255.255.255.0
no ip route-cache cef
no ip route-cache
standby 30 ip 192.168.30.254
standby 30 timers 5 15
standby 30 priority 105
standby 30 preempt
standby 30 authentication FCOHSRP
!
interface Vlan40
ip address 192.168.40.253 255.255.255.0
no ip route-cache cef
no ip route-cache
standby 40 ip 192.168.40.254
standby 40 timers 5 15
standby 40 priority 105
standby 40 preempt
standby 40 authentication FCOHSRP
!
interface Vlan50
description dmz
ip address 192.168.50.253 255.255.255.0
no ip route-cache cef
no ip route-cache
standby 50 ip 192.168.50.254
standby 50 timers 5 15
standby 50 priority 105
standby 50 preempt
standby 50 authentication FCOHSRP
!
interface Vlan60
description telefonie
ip address 192.168.60.253 255.255.255.0
no ip route-cache cef
no ip route-cache
standby 60 ip 192.168.60.254
standby 60 timers 5 15
standby 60 priority 105
standby 60 preempt
standby 60 authentication FCOHSRP
!
interface Vlan70
description oproep
ip address 192.168.70.253 255.255.255.0
no ip route-cache cef
no ip route-cache
standby 70 ip 192.168.70.254
standby 70 timers 5 15
standby 70 priority 105
standby 70 preempt
standby 70 authentication FCOHSRP
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.10.250
ip http server
!
!
control-plane
!
!
line con 0
login
line vty 0 4
password 7
login
length 0
line vty 5 15
password 7
login
!
ntp clock-period 36028744
ntp server 17.72.255.11 key 0 prefer
end

Config sw-core-02:

Building configuration...

Current configuration : 6173 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
service sequence-numbers
!
hostname sw-core-02
!
enable secret 5 $
!
username administrator privilege 15 secret 5 $
no aaa new-model
clock timezone CET 1
system mtu routing 1500
!
ip subnet-zero
ip routing
!
!
mls qos map cos-dscp 0 8 16 26 32 46 48 56
mls qos srr-queue input bandwidth 90 10
mls qos srr-queue input threshold 1 8 16
mls qos srr-queue input threshold 2 34 66
mls qos srr-queue input buffers 67 33
mls qos srr-queue input cos-map queue 1 threshold 2  1
mls qos srr-queue input cos-map queue 1 threshold 3  0
mls qos srr-queue input cos-map queue 2 threshold 1  2
mls qos srr-queue input cos-map queue 2 threshold 2  4 6 7
mls qos srr-queue input cos-map queue 2 threshold 3  3 5
mls qos srr-queue input dscp-map queue 1 threshold 2  9 10 11 12 13 14 15
mls qos srr-queue input dscp-map queue 1 threshold 3  0 1 2 3 4 5 6 7
mls qos srr-queue input dscp-map queue 1 threshold 3  32
mls qos srr-queue input dscp-map queue 2 threshold 1  16 17 18 19 20 21 22 23
mls qos srr-queue input dscp-map queue 2 threshold 2  33 34 35 36 37 38 39 48
mls qos srr-queue input dscp-map queue 2 threshold 2  49 50 51 52 53 54 55 56
mls qos srr-queue input dscp-map queue 2 threshold 2  57 58 59 60 61 62 63
mls qos srr-queue input dscp-map queue 2 threshold 3  24 25 26 27 28 29 30 31
mls qos srr-queue input dscp-map queue 2 threshold 3  40 41 42 43 44 45 46 47
mls qos srr-queue output cos-map queue 1 threshold 3  5
mls qos srr-queue output cos-map queue 2 threshold 3  3 6 7
mls qos srr-queue output cos-map queue 3 threshold 3  2 4
mls qos srr-queue output cos-map queue 4 threshold 2  1
mls qos srr-queue output cos-map queue 4 threshold 3  0
mls qos srr-queue output dscp-map queue 1 threshold 3  40 41 42 43 44 45 46 47
mls qos srr-queue output dscp-map queue 2 threshold 3  24 25 26 27 28 29 30 31
mls qos srr-queue output dscp-map queue 2 threshold 3  48 49 50 51 52 53 54 55
mls qos srr-queue output dscp-map queue 2 threshold 3  56 57 58 59 60 61 62 63
mls qos srr-queue output dscp-map queue 3 threshold 3  16 17 18 19 20 21 22 23
mls qos srr-queue output dscp-map queue 3 threshold 3  32 33 34 35 36 37 38 39
mls qos srr-queue output dscp-map queue 4 threshold 1  8
mls qos srr-queue output dscp-map queue 4 threshold 2  9 10 11 12 13 14 15
mls qos srr-queue output dscp-map queue 4 threshold 3  0 1 2 3 4 5 6 7
mls qos queue-set output 1 threshold 1 138 138 92 138
mls qos queue-set output 1 threshold 2 138 138 92 400
mls qos queue-set output 1 threshold 3 36 77 100 318
mls qos queue-set output 1 threshold 4 20 50 67 400
mls qos queue-set output 2 threshold 1 149 149 100 149
mls qos queue-set output 2 threshold 2 118 118 100 235
mls qos queue-set output 2 threshold 3 41 68 100 272
mls qos queue-set output 2 threshold 4 42 72 100 242
mls qos queue-set output 1 buffers 10 10 26 54
mls qos queue-set output 2 buffers 16 6 17 61
mls qos
!
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface GigabitEthernet0/1
description fw-asa-01
switchport access vlan 10
switchport mode access
!
interface GigabitEthernet0/2
switchport access vlan 10
switchport mode access
!
interface GigabitEthernet0/3
switchport access vlan 20
switchport mode access
!
interface GigabitEthernet0/4
switchport access vlan 30
switchport mode access
!
interface GigabitEthernet0/5
switchport access vlan 40
switchport mode access
!
interface GigabitEthernet0/6
switchport access vlan 50
switchport mode access
!
interface GigabitEthernet0/7
!
interface GigabitEthernet0/8
!
interface GigabitEthernet0/9
!
interface GigabitEthernet0/10
!
interface GigabitEthernet0/11
!
interface GigabitEthernet0/12
!
interface GigabitEthernet0/13
!
interface GigabitEthernet0/14
!
interface GigabitEthernet0/15
!
interface GigabitEthernet0/16
!
interface GigabitEthernet0/17
!
interface GigabitEthernet0/18
!
interface GigabitEthernet0/19
!
interface GigabitEthernet0/20
switchport access vlan 70
switchport mode access
spanning-tree portfast trunk
!
interface GigabitEthernet0/21
!
interface GigabitEthernet0/22
switchport trunk encapsulation dot1q
switchport mode trunk
srr-queue bandwidth share 10 10 60 20
srr-queue bandwidth shape  10  0  0  0
queue-set 2
mls qos trust cos
macro description cisco-switch
auto qos voip trust
spanning-tree portfast trunk
spanning-tree link-type point-to-point
!
interface GigabitEthernet0/23
description telefooncentrale
switchport access vlan 60
switchport mode access
spanning-tree portfast trunk
!
interface GigabitEthernet0/24
switchport trunk encapsulation dot1q
switchport mode trunk
srr-queue bandwidth share 10 10 60 20
srr-queue bandwidth shape  10  0  0  0
queue-set 2
mls qos trust cos
macro description cisco-switch
auto qos voip trust
spanning-tree portfast trunk
spanning-tree link-type point-to-point
!
interface GigabitEthernet0/25
switchport trunk encapsulation dot1q
switchport mode trunk
srr-queue bandwidth share 10 10 60 20
srr-queue bandwidth shape  10  0  0  0
queue-set 2
mls qos trust cos
macro description cisco-switch
auto qos voip trust
spanning-tree portfast trunk
spanning-tree link-type point-to-point
!
interface GigabitEthernet0/26
switchport trunk encapsulation dot1q
switchport mode trunk
srr-queue bandwidth share 10 10 60 20
srr-queue bandwidth shape  10  0  0  0
queue-set 2
mls qos trust cos
macro description cisco-switch
auto qos voip trust
spanning-tree portfast trunk
spanning-tree link-type point-to-point
!
interface GigabitEthernet0/27
switchport trunk encapsulation dot1q
switchport mode trunk
srr-queue bandwidth share 10 10 60 20
srr-queue bandwidth shape  10  0  0  0
queue-set 2
mls qos trust cos
macro description cisco-switch
auto qos voip trust
spanning-tree portfast trunk
spanning-tree link-type point-to-point
!
interface GigabitEthernet0/28
switchport trunk encapsulation dot1q
switchport mode trunk
srr-queue bandwidth share 10 10 60 20
srr-queue bandwidth shape  10  0  0  0
queue-set 2
mls qos trust cos
macro description cisco-switch
auto qos voip trust
spanning-tree portfast trunk
spanning-tree link-type point-to-point
!
interface Vlan1
description management
ip address 192.168.5.252 255.255.255.0
no ip route-cache cef
no ip route-cache
standby preempt
standby 1 ip 192.168.5.254
standby 1 timers 5 15
standby 1 preempt
standby 1 authentication FCOHSRP
standby 1 track GigabitEthernet0/25
standby 1 track GigabitEthernet0/26
standby 1 track GigabitEthernet0/27
standby 1 track GigabitEthernet0/28
!
interface Vlan10
description server
ip address 192.168.10.252 255.255.255.0
no ip route-cache cef
no ip route-cache
standby 10 ip 192.168.10.254
standby 10 timers 5 15
standby 10 preempt
standby 10 authentication FCOHSRP
!
interface Vlan20
description pc
ip address 192.168.20.252 255.255.255.0
no ip route-cache cef
no ip route-cache
standby 20 ip 192.168.20.254
standby 20 timers 5 15
standby 20 preempt
standby 20 authentication FCOHSRP
!
interface Vlan30
description printer
ip address 192.168.30.252 255.255.255.0
no ip route-cache cef
no ip route-cache
standby 30 ip 192.168.30.254
standby 30 timers 5 15
standby 30 preempt
standby 30 authentication FCOHSRP
!
interface Vlan40
ip address 192.168.40.252 255.255.255.0
standby 40 ip 192.168.40.254
standby 40 timers 5 15
standby 40 preempt
standby 40 authentication FCOHSRP
!
interface Vlan50
description dmz
ip address 192.168.50.252 255.255.255.0
no ip route-cache cef
no ip route-cache
standby 50 ip 192.168.50.254
standby 50 timers 5 15
standby 50 preempt
standby 50 authentication FCOHSRP
!
interface Vlan60
description telefonie
ip address 192.168.60.252 255.255.255.0
no ip route-cache cef
no ip route-cache
standby 60 ip 192.168.60.254
standby 60 timers 5 15
standby 60 preempt
standby 60 authentication FCOHSRP
!
interface Vlan70
description oproep
ip address 192.168.70.252 255.255.255.0
no ip route-cache cef
no ip route-cache
standby 70 ip 192.168.70.254
standby 70 timers 5 15
standby 70 preempt
standby 70 authentication FCOHSRP
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.10.250
ip http server
!
!
control-plane
!
!
line con 0
login
line vty 0 4
password 7
login
length 0
line vty 5 15
password 7
login
!
ntp clock-period 36028820
ntp server 17.72.255.11 key 0 prefer
end


Giuseppe Larosa
Hall of Fame

Hello Hugo,

Check the spanning-tree settings. In order to get the desired behaviour you may need to make the HSRP active device = STP root bridge for the same VLAN.

you can use

show spanning-tree summary

show spanning-tree vlan vlan#

to check this

you can set one device STP root for a vlan using

config

spanning-tree vlan X priority P

Multiples of 4096 should be supported for P; use 0 on the device that should be root.

Hope to help

Giuseppe

Jon Marshall
Hall of Fame

Couple of things to note -

1) You need to make sure your HSRP active gateway switch is also the STP root for that vlan if you have dual uplinks from an access-layer switch. If the wrong uplink is blocked then traffic would have to go via the standby switch to get to the active gateway.

2) HSRP only affects traffic coming from the client, i.e. return traffic can go via either switch.

Could either of the above be the cause of the problem you are seeing?

Jon
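The alignment both replies above ask for (the switch meant to be HSRP active should also win the STP root election for the same VLAN) can be checked offline against a saved running-config. This is an added example, not part of the original thread: the function names and the finding labels are hypothetical, the sample config is constructed in the style of the sw-core-01 config above, and the check assumes a raised HSRP priority marks the intended gateway. It also flags plain-text HSRP authentication strings, which appear in clear in the config and in `show standby` output.

```python
import re

DEFAULT_HSRP_PRIORITY = 100   # IOS default when no 'standby N priority' is set
DEFAULT_STP_PRIORITY = 32768  # IOS default bridge priority per VLAN

# Constructed sample in the style of the sw-core-01 config above. The
# 'spanning-tree vlan' and 'md5 key-string' lines are assumptions added here.
SAMPLE_CONFIG = """\
spanning-tree vlan 10 priority 0
!
interface Vlan10
 standby 10 priority 105
 standby 10 authentication FCOHSRP
!
interface Vlan20
 standby 20 priority 105
 standby 20 authentication md5 key-string EXAMPLE-KEY
!
"""

def expand_vlans(spec):
    """Expand an IOS VLAN list such as '1,10,20-30' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def parse_stp_priorities(config):
    """Map VLAN id -> explicitly configured STP bridge priority."""
    prio = {}
    for m in re.finditer(r"^\s*spanning-tree vlan (\S+) priority (\d+)", config, re.M):
        for vlan in expand_vlans(m.group(1)):
            prio[vlan] = int(m.group(2))
    return prio

def parse_hsrp(config):
    """Map VLAN id -> HSRP priority and whether authentication is plain text."""
    svis, vlan = {}, None
    for line in map(str.strip, config.splitlines()):
        m = re.match(r"interface Vlan(\d+)$", line)
        if m or line == "!" or line.startswith("interface "):
            vlan = int(m.group(1)) if m else None  # track the current SVI
            continue
        if vlan is None or not line.startswith("standby "):
            continue
        entry = svis.setdefault(vlan, {"priority": DEFAULT_HSRP_PRIORITY, "plain_auth": False})
        m = re.match(r"standby \d+ (priority|authentication) (\S+)", line)
        if m and m.group(1) == "priority":
            entry["priority"] = int(m.group(2))
        elif m and m.group(2) != "md5":
            entry["plain_auth"] = True
    return svis

def audit(config):
    """Return (vlan, finding) pairs for one switch's running-config."""
    stp, findings = parse_stp_priorities(config), []
    for vlan, hsrp in sorted(parse_hsrp(config).items()):
        if hsrp["priority"] > DEFAULT_HSRP_PRIORITY and stp.get(vlan, DEFAULT_STP_PRIORITY) >= DEFAULT_STP_PRIORITY:
            findings.append((vlan, "hsrp-active-without-stp-root-priority"))
        if hsrp["plain_auth"]:
            findings.append((vlan, "hsrp-plaintext-authentication"))
    return findings
```

Calling `audit()` on the text of a saved config returns one pair per VLAN and finding; an empty list means every SVI with a raised HSRP priority also has a lowered STP priority and no plain-text authentication string.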

Hugo,

Can you also please post a show standby for us to confirm that priority and such of the HSRP configuration?

Thanks,

Kimberly


Hi guys,

Here is my show stand result for my active switch.

Here are two VLANS (of the 8).

My switch VLAN (vlan1) is using standby tracks.

Vlan1 - Group 1
  State is Active
    24 state changes, last state change 4d21h
  Virtual IP address is 192.168.5.254
  Active virtual MAC address is 0000.0c07.ac01
    Local virtual MAC address is 0000.0c07.ac01 (v1 default)
  Hello time 5 sec, hold time 15 sec
    Next hello sent in 1.016 secs
  Authentication text "FCOHSRP"
  Preemption enabled
  Active router is local
  Standby router is 192.168.5.252, priority 100 (expires in 13.608 sec)
  Priority 105 (configured 105)
    Track interface GigabitEthernet0/25 state Up decrement 10
    Track interface GigabitEthernet0/26 state Up decrement 10
    Track interface GigabitEthernet0/27 state Up decrement 10
    Track interface GigabitEthernet0/28 state Up decrement 10
  IP redundancy name is "hsrp-Vl1-1" (default)
Vlan10 - Group 10
  State is Active
    2 state changes, last state change 4d21h
  Virtual IP address is 192.168.10.254
  Active virtual MAC address is 0000.0c07.ac0a
    Local virtual MAC address is 0000.0c07.ac0a (v1 default)
  Hello time 5 sec, hold time 15 sec
    Next hello sent in 0.169 secs
  Authentication text "FCOHSRP"
  Preemption enabled
  Active router is local
  Standby router is 192.168.10.252, priority 100 (expires in 11.267 sec)
  Priority 105 (configured 105)
  IP redundancy name is "hsrp-Vl10-10" (default)
Vlan20 - Group 20
  State is Active
    2 state changes, last state change 4d21h
  Virtual IP address is 192.168.20.254
  Active virtual MAC address is 0000.0c07.ac14
    Local virtual MAC address is 0000.0c07.ac14 (v1 default)
  Hello time 5 sec, hold time 15 sec
    Next hello sent in 0.445 secs
  Authentication text "FCOHSRP"
  Preemption enabled
  Active router is local
  Standby router is 192.168.20.252, priority 100 (expires in 12.341 sec)
  Priority 105 (configured 105)
  IP redundancy name is "hsrp-Vl20-20" (default)

So what is better for me to configure?

Routing cost or STP priority?

And how do I configure routing costs?

Thanks guys.

Hugo

ictzcisco
Level 1

Hi guys,

Thank you for the quick reply here!

I will test the things you have said tomorrow.

Because we have some problems with the UPS power at the moment (it's a new building :)).

You guys will hear from me.

Best regards,

Hugo

Also, you could always adjust the routing cost if you want to affect the traffic coming from the rest of the enterprise. That is if you only want a single box to be transit in and outbound.

ictzcisco
Level 1

Aaah guys,

This is great.

The STP command did it.

See my screenshot.

1000x thnx!

ictzcisco
Level 1

Does the setup change if I also enter the routing cost?

And how to do that? (if it would help).

Thank you.

I don't think it's recommended to move away from equal-cost load-balanced routing unless you need to do so. If your setup is currently working, don't worry about it. But, for your info, simply adjust the cost on the layer 3 interfaces via the "ip ospf cost x" command to weight one link over another.
