Problem with L2 ring structure and HSRP virtual address

When reorganizing an access network, access was split up over several WS-C2950-12-SI Catalyst switches which were connected in a ring structure (6 switches).

At 2 of these access switches, a L3 switch was connected.

Each access structure therefore supports several VLANs, ending at both L3 switches (WS-C3560, Enhanced Image).

The links between the C2950 access switches and their respective L3 switches are dot1q trunks, with bpdufilter active and spanning-tree portfast trunk.

PVST runs in the ring of L2 switches.

Access switch 1, next to L3 switch A is forced to be the Spanning-Tree root for all VLANs concerned.

When the link between L3 switch B and its access switch is inactive, all is well and the switches can be managed.

However, if the second L3 switch comes into play (due to the link to its L2 access switch being activated), management access to a number of access switches becomes unreliable.

On investigation the following details appeared:

- there was a direct link between the access switches connected to the L3 switches.

- the other 4 access switches were situated in the rest of the ring, i.e. on the other leg between the access switches connected to the L3 switches.

- Access from the L3 switches to manage the L2 switches was never a problem, irrespective of the state of the connection between the second L3 switch and the access ring.

- On activating the link between the second L3 switch and its access switch, this access switch and the other 2 access switches "behind" it (according to spanning tree) were no longer able to connect to the default IP address, which was the HSRP virtual IP address for the management VLAN of the switches of the access ring.

- Ping from a different subnet resulted in very poor results (only 1 in 4 to 8 pings was successful). This matches the previous observation.

Software versions of the C2950-12 access switches ranged from 12.1(12c) to 12.1(22).

Any suggestions?


It is very hard to depict anything from the explanation above. I appreciate your effort in explaining the above problem but a detailed diagram along with configs will help us to understand the problem better.


-amit singh

For further clarification, please find a picture of (part of the) network.

The central ring depicted is the one under investigation.

Some switches connected on antenna from one of the switches concerned, are not mentioned on the picture.

The configuration of all switches concerned is concentrated in the other (text) file.

For each switch the result is given for the following commands:

- show run

- show cdp ne

- show spanning-tree vlan 2 (mgmt VLAN of L2 switches)

The hostname of each switch reflects the location of the switch (as indicated by 3-letter code on the picture).

Can failure to connect to the default gateway be related to ARP or MAC timeout values?

Thank you for any suggestion.

Paul De Valck


Do you have the HSRP priorities set right, with the L3 switch A being the active side? Any HSRP state changes when you bring up the second side? Would also check the physical wiring setup and make sure it is the way you think it is. Sounds like somehow the ring is being split when you bring up the second side. Myself, I would have made the 3650's the spanning tree root if that is where they originate. Is there a crosslink between the 3560's carrying the VLANs also?

I have checked the HSRP priorities:

priority 100 for the L3 switch A, which is always connected to the ring,

priority 50 for the L3 switch B, which causes the problem when connected to the L2 ring.

The Spanning Tree Root is not the L3 switch, because it acts also as router for other L2 access structures, and we didn't want any spanning tree on the L3 switch acting (exclusively) as router.

There is no direct L2 (or trunk) connection between both L3 switches.

HSRP messages are supposed to transit only over the L2 access ring between both L3 switches.

Does this clarify the design?

For completeness a diagram of the access ring and the configuration of the switches concerned are added.

Any ideas about reasons for the problem?

Paul De Valck

