LAN Design using HSRP,VLAN & STP


This is the first time I am going to Use HSRP along with VLAN & STP. I have designed a network but not very confident weather my design will work or not.

Assuming that will work, I did some sample configs and I came across some strange doubts. I am posting here some of the things I came across.

1. Should I need to configure the DMZ link as trunk links.

2. How to assign the STP priority between switches.

3. Should I need to configure the link inbetween the switches as trunk or access link.

4. How many links will be becoming as standby track links per vlan.

Here I am adding the configs for 2 switches. Give me your suggestions.

Thanks in advance



Re: LAN Design using HSRP,VLAN & STP

1. It should not be a trunk. Having the firewall connected in each vlan is not rely usefull and will only make everything harder to troubleshoot. Route traffic to it. If the firewall support OSPF and your table are not too big, use it to load balance trafic on your to router. Remenber to track those link in your HSRP.

2. If your VLAN host are only in one switch(one vlan / switch ) use that switch as the root and use GLBP, not HSRP. (It might be hard to keep all your vlan in only one switch overtime, management can be hard to deal with :))

If your vlan host are not all in the same switch : For STP, use the 2 core router as STP root bridge. Half the vlan on each switch. Make sure HSRP active router is also the root bridge to minimise trafic on the link between the 2 router.

3.YES,if it's an access vlan, you have no loop. Imagine on sw2 if one uplink interface break, your network will be split in 2.Very bad if your vlan host are on many different switch.

4. Clarify


Re: LAN Design using HSRP,VLAN & STP


Before we get into details ... Is there any specific reason or constraint that is preventing you from linking each Floor switch with a direct connection to each core switch?


Re: LAN Design using HSRP,VLAN & STP

1. Never daisy chain your access layer switches. Have each switch with a dedicated connection to the 4506. If you need more than 48 ports then go 3750 stackwise or chassis.

2. VLSM Pick an addressing scheme that can be summarized. For example VLAN 4 VLAN 6 VLAN 8


Then your FW route would be to your LAN. Match your vlans to your subnets for simplicity.

3. Use Point to Point links between the 4506 and the firewall with OSPF or EIGRP, "no switchport" on the 4506. Place a L3 PtoP link between the 4506's as well.

4. Set your STP ROOT 4506 as 8192 and the secondary as 16384 for each VLAN. Tune the active HSRP to match the STP ROOT. Don't forget interface tracking with at least a 90 second delay.

interface Vlan4

description WM-4

ip address

ip helper-address

no ip redirects

standby 4 ip

standby 4 timers 1 3

standby 4 priority 105

standby 4 preempt delay minimum 90

standby 4 track GigabitEthernet2/1

5. Migrate from HSRP to GLBP when it becomes available on the 4500 platform. GLBP is an Active/Active first hop protection protocol and will utilize both uplinks fairly evenly.

Use this as a blueprint.

Good luck.

Re: LAN Design using HSRP,VLAN & STP

Thanks Dominic, I am restructuring the existing design by adding some additional Switches and adding Vlans for a heretical design. Already I have a PIX Firewall and you have mentioned that, firewall connected with the VLAN will not be really help helpful. I that case how I should restructure my design. Where can I place the firewall ??? Give me your kind suggestions guys.

Brad, just to save ports in the Core Switch I am piggy bagging like a daisy chain. And if I connect each Access Switch with the Core Switch, I d’t have a Gig port for the third Switch for a redundant link. If you guys have any other solutions, give me your suggestions.

Thanks Guys


Re: LAN Design using HSRP,VLAN & STP

In the design the Server Vlan is assigned to 6506 switch and all the servers like DNS, Domain & Exchange will be inside this Vlan. I am little bit confused whether to use ip helper-address or ip directed-broadcast.

In either case should I need to assign the helper address inside each of the vlan interface on both Switches.



