Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

HSRP not working on 4506

Hi Techies,

I m a Network engineer in company, we have around 800 users in the office.Below is the details of my network infra.

  • We have 4506 chasis with IOS version of 12.4 (44r) SG3
  • HSRP is configured for redundancy.
  • HSRP is configured on VLAN besis

The problem that HSRP is not working working properly, When my active VLAN goes down, Standby VLAN act as a Active VLAN but traffice is fail to

route trought that VLAN and i m not able to ping another vlan from that VALN.

Any early solution is highly appriciated.

Thanks in Advance.

1 ACCEPTED SOLUTION

Accepted Solutions

Re: HSRP not working on 4506

Hi Hardik,

First of all I reiterate the idea that it's hard to have an interface vlan use for LAN down. And if they go down it means that your only layer 2 connection is to the firewall.

No, your config will not do anything at all. First of all the "network" statements are wrong on one of the Cores, because you must use the interface's IP when you put the "0.0.0.0" wildcard. But even if they were correct, you are forming a eigrp adjacency on vlan 26 and that's all.WHen the interface vlan 26 will go down your adjacency will go down and that's all.

The main reason for using a dynamic routing protocol is to use a vlan like the one used to interconnect the firewalls (vlan10) to form the eigrp adjacency and to advertise all the connected networks. The expected result - after forming a adjacency on vlan10 -  You can use this config :

Core A

router eigrp 26

no auto

net 172.20.10.2 0.0.0.0

redistribute connected

Core B

router eigrp 26

no auto

net 172.20.10.3 0.0.0.0

redistribute connected

Dan

21 REPLIES

HSRP not working on 4506

Hi,

I suppose that you have

    - 2 4506 chassises. Correct me if I'm wrong

    - all the vlans on both chassises. Correct me if I'm wrong

The problem could appear if you do not have a vlan configured on one of the chassises or you have it configured but you have layer 2 connectivity issues or also there is no route .

Could you paste from both chassises :

show standby brie

show vlan

Also tell us which are the vlans with discribed issue

Dan

New Member

HSRP not working on 4506

Hi DAN,

Thanks for your reply,

Yes you are correct

---- I have 2 4506 chassies

---- I have configured same VLANs on both the switches

---- Not working if VLAN have priority on CORE A switch.

Here below i am pasting some of my vlan configuration and HSRP configuration.

--------ON CORE A------------------------

interface Vlan8

description * 8th Floor *

ip address 172.20.14.2 255.255.254.0

ip pim sparse-dense-mode

standby 8 ip 172.20.14.1

standby 8 priority 110

standby 8 preempt

end

interface Vlan11

description * 11th Floor *

ip address 172.20.19.2 255.255.255.0

no ip redirects

no ip unreachables

no ip proxy-arp

ip pim sparse-dense-mode

no ip split-horizon

standby 11 ip 172.20.19.1

standby 11 priority 110

standby 11 preempt

end

interface Vlan50

description **** Voice VLAN ****

ip address 172.20.50.2 255.255.255.128

no ip redirects

no ip unreachables

no ip proxy-arp

no ip split-horizon

standby 50 ip 172.20.50.1

standby 50 preempt

end

Interface   Grp  Pri     P       State   Active          Standby         Virtual IP

Vl8            8   110    P       Active  local           172.20.14.3     172.20.14.1

Vl11         11   110   P       Active  local           172.20.19.3     172.20.19.1

Vl50         50   100   P      Standby 172.20.50.3     local          172.20.50.1

--------ON CORE B--------------------------------------

interface Vlan8

description * 8th Floor *

ip address 172.20.14.3 255.255.254.0

ip pim sparse-dense-mode

standby 8 ip 172.20.14.1

standby 8 preempt

end

interface Vlan11

description * 11th Floor *

ip address 172.20.19.3 255.255.255.0

no ip redirects

no ip unreachables

no ip proxy-arp

ip pim sparse-dense-mode

no ip split-horizon

standby 11 ip 172.20.19.1

standby 11 preempt

end

interface Vlan50

description **** Voice VLAN ****

ip address 172.20.50.3 255.255.255.128

no ip redirects

no ip unreachables

no ip proxy-arp

no ip split-horizon

standby 50 ip 172.20.50.1

standby 50 priority 110

standby 50 preempt

end

Interface   Grp  Pri   P   State        Active          Standby           Virtual IP

Vl8            8    100  P  Standby   172.20.14.2     local           172.20.14.1

Vl11        11     100 P    Standby  172.20.19.2     local           172.20.19.1

Vl50        50     110 P      Active           local      172.20.50.2    172.20.50.1

Default Route towards firewall is configured on both the switches.0.0.0.0 0.0.0.0 172.20.10.6(Firewall IP)

  1. When i shutdown SVI interface of CORE B of any of ACTIVE vlan, CORE A standby VLAN changes his stat to ACTIVE VLAN and route all traffic towards firewall.Works good when i configured higher prority on CORE B.
  2. But the problem is that when i Shutdown SVI interface of CORE A VLAN which is ACITVE, CORE B changes his stat to ACTIVE but not able to route trafiic and also not able to ping another vlan on CORE A.Not working if give priority to CORE A vlan.

I have also checked uplinks towards my firewall switch and with CDP neighbours command.

I am also attaching small network diagrame for your reference.

As per my knowledge it is routing issue from CORE B, Need your support for above issue

Thanks In Advance.

New Member

HSRP not working on 4506

It is a routing issue in Core B.

rgds/bsn

HSRP not working on 4506

Hi,

Could you tell me your issue is related to :

     - local vlans ( intervlan routing )

     - traffic from local vlans through the firewall

     - both

I can see that currently you have vlan 8 and 11 Active on Core A , and vlan 50 Active on Core B. Do you have this issue with vlan 50 ?

Can you paste from both Cores:

show ip route 0.0.0.0

ping 172.20.10.6

Regards

New Member

Re: HSRP not working on 4506

Hi,

My issue is when i shut the active vlan on core A, Core B take the active stat but host on that perticular vlan not able to ping to internet, firewll ip and another vlan configured on core A

Issue is with VLAN that are configured as active on Core switch A

I have attached the word doc. that will clear the doubts u have.

Thanks in Advance

Re: HSRP not working on 4506

Hi,

Nice output file.

Is the traffic from VLAN26 is ok, when the HSRP Active is CORE-A ?

On what vlan resides 172.20.10.6 ? You should have HSRP on this vlan Between A and B and the firewall should route the internal traffic to the HSRP address.

Please paste the routing table of the firewall. If it's not posible , check the next-hop for 172.20.12.128/25.

Dan

New Member

Re: HSRP not working on 4506

Hi DAN,

yes traffic from VLAN 26 is ok when HSRP is active on CORE A. Sorry to say that it is not possible to paste routing table firewall b'coz i dont have access.

Can you make me understand what you are saying about 

"On what vlan resides 172.20.10.6 ? You should have HSRP on this vlan Between A and B and the firewall should route the internal traffic to the HSRP address."



"check the next-hop for 172.20.12.128/25."

sorry but i didnt get you on above statements

regards,

hardik

New Member

Re: HSRP not working on 4506

Hi,

another query is why intervlan is not communicating when i shutdown any active interface vlan  on core A.......?

example :- if i shutdown interface vlan 26 on core A then core B becomes the active vlan but from core B i am not able to ping firewall ip address and another vlan interface on core A.

Re: HSRP not working on 4506

Could you paste the interface vlan config of the both Cores for the vlan that has the IP 172.20.10.0 .

Dan

New Member

Re: HSRP not working on 4506

Hi Dan,

As you required PFA word file containing the interface vlan config of ip 172.20.10.0.

Thanks & Regards,

Hardik

New Member

Re: HSRP not working on 4506

Hi Hardik

Try this

For VLAN 26

1. Remove preempt commands from both Core switches

2. Make VLAN 26 HSRP active on Core B (by making VLAN26 shut on Core A)

3. Unshut VLAN 26 Core A

4. Ensure VLAN26 is UP (not in SHUT state) on Core A

5. Then try to ping FW/internet/other VLAN IP from end machine

Regadrs

Bharat

Re: HSRP not working on 4506

Hi Hardik,

Thank you for the output.

First of all:

"another query is why intervlan is not communicating when i shutdown any active interface vlan  on core A.......?"

this is an expected behaviour. Why ? Your core switches are using only a static route toward the Firewall. In a normal functioning both of them have as conncted all the vlans, so they can forward traffic on direcly connected interface.

When you should down a SVI ( interface vlan ) on core A, it will not be able to route the packet back on Core B, because there is only a default route. The simplest solution is to run a dinamyc routing protocol between A and B , let's say EIGRP , and to redistribute connected , this way if any of the cores looses a SVI , it will receive the prefix via the routing protocol.

Core A

router eigrp 1

no auto

net 172.20.10.2 0.0.0.0

redistribute connected

Core B

router eigrp 2

no auto

net 172.20.10.3 0.0.0.0

redistribute connected

Edited : Regarding the internet problem , it  related to the same issue, the HSRP active is Core A , and all the packets from the firewall back to the internal networks, are routed to the Core A, and if you should down the SVI on Core A then it will route back the traffic to the firewall.

My opinion is that the routing protocol solution , will solve your issues.

Dan

Re: HSRP not working on 4506

I edited my last post !

Dan

New Member

Re: HSRP not working on 4506

HI Guys,

@ Bharat Negi ----- Thanks for your reply. I tried the same but still it is not happening.

@ Dan ------- Thanks for solution but does that mean I have to run EIGRP for all VLANs ?

Thanks & Regards,

Hardik

Re: HSRP not working on 4506

Hi Hardik,

Yes, if you are considering that even vlan 2 could go down , then yes, you should have eirgp adjancency on every VLAN, in order to be sure that in any case you will be covered.

But considering that you have a down link to the access switches and a trunk link between the Core switches, in order for a SVI to go down , means that all the links to the access switches and also the trunk link to go down. I think that is hard to happend.

Dan

New Member

Re: HSRP not working on 4506

Hi Hardik

Please simulate the scenario of my previous post and share

1. "sh ip route" for Core A & B

2. HSRP states for VLAN 26 for Core A & B

3. "sh interface vlan 26" for Core A & B

4. traceroute to internet from end machine

I hope FW is configured in Active-Passive state.

Regards

Bharat

New Member

Re: HSRP not working on 4506

Hi Guys,

@ Dan ----- yes i will test on one of my vlan and configure EIGRP and you right that routing is only happening on Core A.

                 B'coz when i shut the standby Interface on Core A still trafiic is not routing from Core B for that perticuler                     VLAN.

My Test configuration will be (For VLAN 26)

on Core A :-configure terminal

                 router eigrp 26

                    no auto

                 network 172.20.13.130 0.0.0.0

on Core B :-configure terminal

                 router eigrp 26

                    no auto

                 network 172.20.13.130 0.0.0.0

Correct me if i am wrong.

@ Bharat

No...............firewall is configured with HA.

PFA ur required output.

Thanks & regards,

hardik

New Member

Re: HSRP not working on 4506

Hi Hardik

As per attached output it seems VLAN26 is not UP on Core A.  HSRP state is unknown and VLAN26 subnet 172.20.13.128 is not reflecting in routing table (which is quite obvious as VLAN26 is down).

As per my previous post point, I specifically said to ensure VLAN26 to be UP (not in SHUT state) on Core A.

Till now, you have understood that it a routing issue.  Dynamic protocol solution provided by DAN is good but is tedious in LAN/Switching scenario as VLANs will keep on increasing you will have more and more neighborships.  VLAN is a virtual interface and possibility of it's going down is quite difficult till it is done by person.  Hence it is recommended to avoid dynamic protocol.

Re: HSRP not working on 4506

Hi Hardik,

First of all I reiterate the idea that it's hard to have an interface vlan use for LAN down. And if they go down it means that your only layer 2 connection is to the firewall.

No, your config will not do anything at all. First of all the "network" statements are wrong on one of the Cores, because you must use the interface's IP when you put the "0.0.0.0" wildcard. But even if they were correct, you are forming a eigrp adjacency on vlan 26 and that's all.WHen the interface vlan 26 will go down your adjacency will go down and that's all.

The main reason for using a dynamic routing protocol is to use a vlan like the one used to interconnect the firewalls (vlan10) to form the eigrp adjacency and to advertise all the connected networks. The expected result - after forming a adjacency on vlan10 -  You can use this config :

Core A

router eigrp 26

no auto

net 172.20.10.2 0.0.0.0

redistribute connected

Core B

router eigrp 26

no auto

net 172.20.10.3 0.0.0.0

redistribute connected

Dan

New Member

Re: HSRP not working on 4506

Dear Techies,

I have tested the setup with EIGRP as Dan suggested and i achieved the redundancy with HSRP.

@ Dan --- Thanks, It is working fine..... I have tested HSRP by powering off Core Switches simultaneously after configuring EIGRP on both switches.

Problem has been resolved.

Regards,

Hardik

New Member

HSRP not working on 4506

I HAVE THAE SAME PROBLEM WITH MY SETUP...

SHOULD I RUN EIGRP FOR BEST RESULT

1395
Views
0
Helpful
21
Replies
CreatePlease login to create content