
HSRP not working on 4506

Hardik Pithadia
Level 1

Hi Techies,

I'm a network engineer in a company; we have around 800 users in the office. Below are the details of my network infra.

  • We have a 4506 chassis with IOS version 12.4 (44r) SG3
  • HSRP is configured for redundancy.
  • HSRP is configured on a per-VLAN basis

The problem is that HSRP is not working properly. When my active VLAN goes down, the standby VLAN acts as the active VLAN, but traffic fails to route through that VLAN and I am not able to ping another VLAN from that VLAN.

Any early solution is highly appreciated.

Thanks in Advance.

Accepted Solutions

Hi Hardik,

First of all I reiterate the idea that it's hard to have an interface vlan use for LAN down. And if they go down it means that your only layer 2 connection is to the firewall.

No, your config will not do anything at all. First of all, the "network" statements are wrong on one of the Cores, because you must use the interface's IP when you put the "0.0.0.0" wildcard. But even if they were correct, you are forming an EIGRP adjacency on vlan 26 and that's all. When the interface vlan 26 goes down, your adjacency will go down and that's all.

The main reason for using a dynamic routing protocol is to use a vlan like the one used to interconnect the firewalls (vlan10) to form the EIGRP adjacency and to advertise all the connected networks. The expected result - after forming an adjacency on vlan10 - You can use this config:

Core A

router eigrp 26

no auto

net 172.20.10.2 0.0.0.0

redistribute connected

Core B

router eigrp 26

no auto

net 172.20.10.3 0.0.0.0

redistribute connected

Dan

21 Replies 21

Hi,

I suppose that you have

    - 2 4506 chassis. Correct me if I'm wrong

    - all the vlans on both chassis. Correct me if I'm wrong

The problem could appear if you do not have a vlan configured on one of the chassis, or you have it configured but you have layer 2 connectivity issues, or there is no route.

Could you paste from both chassis:

show standby brie

show vlan

Also tell us which are the vlans with the described issue

Dan

Hi DAN,

Thanks for your reply,

Yes you are correct

---- I have 2 4506 chassis

---- I have configured the same VLANs on both the switches

---- Not working if the VLAN has priority on the CORE A switch.

Below I am pasting some of my VLAN configuration and HSRP configuration.

--------ON CORE A------------------------

interface Vlan8

description * 8th Floor *

ip address 172.20.14.2 255.255.254.0

ip pim sparse-dense-mode

standby 8 ip 172.20.14.1

standby 8 priority 110

standby 8 preempt

end

interface Vlan11

description * 11th Floor *

ip address 172.20.19.2 255.255.255.0

no ip redirects

no ip unreachables

no ip proxy-arp

ip pim sparse-dense-mode

no ip split-horizon

standby 11 ip 172.20.19.1

standby 11 priority 110

standby 11 preempt

end

interface Vlan50

description **** Voice VLAN ****

ip address 172.20.50.2 255.255.255.128

no ip redirects

no ip unreachables

no ip proxy-arp

no ip split-horizon

standby 50 ip 172.20.50.1

standby 50 preempt

end

Interface   Grp  Pri  P  State    Active          Standby         Virtual IP
Vl8         8    110  P  Active   local           172.20.14.3     172.20.14.1
Vl11        11   110  P  Active   local           172.20.19.3     172.20.19.1
Vl50        50   100  P  Standby  172.20.50.3     local           172.20.50.1

--------ON CORE B--------------------------------------

interface Vlan8

description * 8th Floor *

ip address 172.20.14.3 255.255.254.0

ip pim sparse-dense-mode

standby 8 ip 172.20.14.1

standby 8 preempt

end

interface Vlan11

description * 11th Floor *

ip address 172.20.19.3 255.255.255.0

no ip redirects

no ip unreachables

no ip proxy-arp

ip pim sparse-dense-mode

no ip split-horizon

standby 11 ip 172.20.19.1

standby 11 preempt

end

interface Vlan50

description **** Voice VLAN ****

ip address 172.20.50.3 255.255.255.128

no ip redirects

no ip unreachables

no ip proxy-arp

no ip split-horizon

standby 50 ip 172.20.50.1

standby 50 priority 110

standby 50 preempt

end

Interface   Grp  Pri  P  State    Active          Standby         Virtual IP
Vl8         8    100  P  Standby  172.20.14.2     local           172.20.14.1
Vl11        11   100  P  Standby  172.20.19.2     local           172.20.19.1
Vl50        50   110  P  Active   local           172.20.50.2     172.20.50.1

A default route towards the firewall is configured on both the switches: 0.0.0.0 0.0.0.0 172.20.10.6 (Firewall IP)

  1. When I shut down the SVI interface on CORE B of any ACTIVE VLAN, the CORE A standby VLAN changes its state to ACTIVE and routes all traffic towards the firewall. Works well when I have configured the higher priority on CORE B.
  2. But the problem is that when I shut down the SVI interface of a CORE A VLAN which is ACTIVE, CORE B changes its state to ACTIVE but is not able to route traffic and also not able to ping another VLAN on CORE A. Not working if I give priority to the CORE A VLAN.

I have also checked the uplinks towards my firewall switch with the CDP neighbours command.

I am also attaching a small network diagram for your reference.

As per my knowledge it is a routing issue from CORE B. Need your support for the above issue.

Thanks In Advance.

It is a routing issue in Core B.

rgds/bsn

Hi,

Could you tell me whether your issue is related to:

     - local vlans ( intervlan routing )

     - traffic from local vlans through the firewall

     - both

I can see that currently you have vlan 8 and 11 Active on Core A, and vlan 50 Active on Core B. Do you have this issue with vlan 50?

Can you paste from both Cores:

show ip route 0.0.0.0

ping 172.20.10.6

Regards

Hi,

My issue is that when I shut the active VLAN on Core A, Core B takes the active state, but hosts on that particular VLAN are not able to ping the internet, the firewall IP, or another VLAN configured on Core A.

The issue is with VLANs that are configured as active on Core switch A.

I have attached the Word doc that will clear the doubts you have.

Thanks in Advance

Hi,

Nice output file.

Is the traffic from VLAN26 OK when the HSRP Active is CORE-A?

On what vlan resides 172.20.10.6? You should have HSRP on this vlan between A and B, and the firewall should route the internal traffic to the HSRP address.

Please paste the routing table of the firewall. If it's not possible, check the next-hop for 172.20.12.128/25.

Dan

Hi DAN,

Yes, traffic from VLAN 26 is OK when HSRP is active on CORE A. Sorry to say that it is not possible to paste the firewall routing table because I don't have access.

Can you help me understand what you are saying about

"On what vlan resides 172.20.10.6 ? You should have HSRP on this vlan Between A and B and the firewall should route the internal traffic to the HSRP address."

"check the next-hop for 172.20.12.128/25."

Sorry, but I didn't get you on the above statements.

regards,

hardik

Hi,

Another query is why inter-VLAN is not communicating when I shut down any active interface VLAN on Core A?

Example: if I shut down interface VLAN 26 on Core A, then Core B becomes the active VLAN, but from Core B I am not able to ping the firewall IP address or another VLAN interface on Core A.

Could you paste the interface vlan config of both Cores for the vlan that has the IP 172.20.10.0.

Dan

Hi Dan,

As you required PFA word file containing the interface vlan config of ip 172.20.10.0.

Thanks & Regards,

Hardik

Hi Hardik

Try this

For VLAN 26

1. Remove preempt commands from both Core switches

2. Make VLAN 26 HSRP active on Core B (by making VLAN26 shut on Core A)

3. Unshut VLAN 26 Core A

4. Ensure VLAN26 is UP (not in SHUT state) on Core A

5. Then try to ping FW/internet/other VLAN IP from end machine

Regards

Bharat

Hi Hardik,

Thank you for the output.

First of all:

"another query is why intervlan is not communicating when i shutdown any active interface vlan  on core A.......?"

This is expected behaviour. Why? Your core switches are using only a static route toward the Firewall. In normal functioning both of them have all the vlans as connected, so they can forward traffic on a directly connected interface.

When you shut down an SVI (interface vlan) on Core A, it will not be able to route the packet back on Core B, because there is only a default route. The simplest solution is to run a dynamic routing protocol between A and B, let's say EIGRP, and to redistribute connected. This way, if any of the cores loses an SVI, it will receive the prefix via the routing protocol.

Core A

router eigrp 1

no auto

net 172.20.10.2 0.0.0.0

redistribute connected

Core B

! the EIGRP autonomous-system number must match on both cores

router eigrp 1

no auto

net 172.20.10.3 0.0.0.0

redistribute connected

Edited: Regarding the internet problem, it is related to the same issue. The HSRP active is Core A, and all the packets from the firewall back to the internal networks are routed to Core A, and if you shut down the SVI on Core A then it will route the traffic back to the firewall.

My opinion is that the routing protocol solution will solve your issues.

Dan
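The failure described in the post above, as an added simulation that is not part of the original thread: with only a default route, Core A bounces return traffic for a shut SVI back to the firewall, while learning the prefix from Core B (as `redistribute connected` over an EIGRP adjacency would provide) restores delivery. The /24 mask on 172.20.10.0, the firewall's 172.20.0.0/16 route toward Core A, and the host 172.20.14.50 are assumptions constructed for the example.

```python
import ipaddress

def lookup(table, dst):
    """Longest-prefix match over (prefix, next_hop) pairs; None if no route."""
    addr = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(p), hop) for p, hop in table
               if addr in ipaddress.ip_network(p)]
    return max(matches, key=lambda m: m[0].prefixlen)[1] if matches else None

def redistribute_connected(tables, a, b):
    """Model 'redistribute connected' over a routing adjacency between a and b."""
    for me, peer in ((a, b), (b, a)):
        mine = {p for p, hop in tables[me] if hop == "connected"}
        learned = [(p, peer) for p, hop in tables[peer]
                   if hop == "connected" and p not in mine]
        tables[me].extend(learned)

def build(vlan8_shut_on_a, eigrp):
    """Routing tables for the firewall and both cores (VLAN 8 = 172.20.14.0/23)."""
    transit = ("172.20.10.0/24", "connected")      # assumed mask for the firewall VLAN
    vlan8 = ("172.20.14.0/23", "connected")
    tables = {
        "fw": [transit, ("172.20.0.0/16", "core_a")],  # assumed: inside routes point at Core A
        "core_a": [transit, ("0.0.0.0/0", "fw")],
        "core_b": [transit, vlan8, ("0.0.0.0/0", "fw")],
    }
    if not vlan8_shut_on_a:
        tables["core_a"].append(vlan8)
    if eigrp:
        redistribute_connected(tables, "core_a", "core_b")
    return tables

def trace(tables, start, dst, max_hops=6):
    """Follow next hops from start; outcome is delivered, dropped or loop."""
    path, node = [start], start
    for _ in range(max_hops):
        hop = lookup(tables[node], dst)
        if hop is None:
            return path, "dropped"
        if hop == "connected":
            return path, "delivered"
        path.append(hop)
        node = hop
    return path, "loop"

if __name__ == "__main__":
    host = "172.20.14.50"  # constructed host in VLAN 8
    for shut, eigrp in ((False, False), (True, False), (True, True)):
        print(shut, eigrp, trace(build(shut, eigrp), "fw", host))
```

The same loop appears for inter-VLAN traffic that starts on Core A, which is why both symptoms in the thread share one cause.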

I edited my last post !

Dan

HI Guys,

@ Bharat Negi ----- Thanks for your reply. I tried the same but still it is not happening.

@ Dan ------- Thanks for solution but does that mean I have to run EIGRP for all VLANs ?

Thanks & Regards,

Hardik
