We'd like to implement redundancy in a network.
We'll use 2 Layer 3 switches, 3 Layer 2 switches and 2 routers connected to 2 ISPs.
Here attached the structure we'd like to implement.
HSRP and inter-VLAN routing have been configured on the 2 Layer 3 switches using standby ip on the SVIs.
We don't know what configuration to use when connecting routers to Layer 3 switches so that there's redundancy.
How do you get your default routes? Do you run any routing protocol to your ISP?
There are two options for you:
you could run a routing protocol between all routers and the Layer 3 switches;
you could run HSRP on the routers using tracked objects.
The tracked objects could track the state of your outgoing interface or could ping an external IP address using IP SLA (or rtr commands).
Let me know if this makes sense and if you need more help.
Just to clarify a bit more on the second option.
Use 2 hsrp groups on each router corresponding to the internal interfaces. Use default statics pointing to the virtual address (of the routers) on the 3750s.
We've tried configuring HSRP (but without track at first) on the routers and we wish to use it if the problem is resolved.
We tested HSRP on the routers with just PCs and one switch without any configuration on it. HSRP on the routers works.
When we connect the 2 Layer 3 switches to the routers, we don't know how to configure the interfaces on the switch.
2 interfaces of each switch will be connected to the 2 routers and will have the same network address.
We tried to put them on the same VLAN (VLAN 10); PCs on other VLANs can't ping the internal router interface.
VLAN 10 can ping the real IP address of other VLANs but cannot ping the virtual IP address.
PCs on other VLANs can ping each other.
We also tried to give IP addresses to the 2 interfaces of the Layer 3 switch, putting them in "no switchport" mode; the problem is that there are overlaps (2 different interfaces on the same subnet).
How do we configure switch interfaces connected to routers so that all VLANs can reach the router interface?
Use different subnets on the 3750s connecting to both routers.
So the config will be roughly as below.
Router A connects to ISP1 and is above 3750-1.
Router B connects to ISP2 and is above 3750-2.
Assign a new VLAN, say VLAN 60, on 3750-1. Both uplink interfaces on this switch to routers A & B will be in this VLAN.
Assign IP address 172.16.1.3/29 (example) to int vlan 60 in 3750-1.
Assign IP address 172.16.1.1/29 on router A connecting to 3750-1 and 172.16.1.2/29 on router B connecting to 3750-1.
Use standby group 10 and assign the virtual IP address as 172.16.1.4. Also use the track feature.
On 3750-1 apply
ip route 0.0.0.0 0.0.0.0 172.16.1.4
Do the same on 3750-2 with another new VLAN (70) and the two routers with a new range, say 172.16.2.0/29, and a new HSRP group ID. Apply the static
ip route 0.0.0.0 0.0.0.0 172.16.2.4 (assuming you assigned 172.16.2.4 as the virtual IP on the new group)
This should resolve your issue.
Here attached the config we use for the moment. Would you like to tell us if there's something wrong in it?
- We noticed SwitchB is always active as long as there's a link to SwitchB. We tried to disconnect all cables to SwitchB except the cable between the 2 Layer 3 switches; SwitchB remains active but there's no route to the outside.
How can we avoid it?
On SwitchA, we got:
04:03:52: %HSRP-6-STATECHANGE: Vlan2 Grp 2 state Standby -> Active
04:04:33: %HSRP-6-STATECHANGE: Vlan2 Grp 2 state Active -> Speak
and when we launch "show standby", SwitchA is in standby state and SwitchB in active state.
- What should we use for the interfaces between the Layer 3 switches, a trunk, or should we give them an IP address?
VLANs on one access switch will also be used on other access switches.
There was no switchport on these interfaces before and we couldn't ping PCs on the internet, but we could have SwitchA active and SwitchB in init state.
- The 2 switches are now in VTP server mode. Should we put one as VTP client or leave them both as VTP server?
There's one VLAN that is only used on one of the switches (for the connection to the routers).
- About routes on the routers, what should we use? We've put 2 ip routes to the LAN. It takes a few seconds for ping to reply when there's a failure (not fast enough).
Do not use the same standby group on both interfaces of the same router.
Are the speed settings correct? I noticed the switch is FastEthernet while the router is just Ethernet.
& What is the default route on the routers doing? They are pointing down to the switches!!! Why would you do this?
More advanced topics for ensuring correct NAT include NAT in your HSRP groups, so that NAT tables are synchronised between routers (I'm not sure of the suitability for that here, worth a try).
Thanks for your reply.
The standby group has been changed.
We use many VLANs on the switch and now we also use a different standby group for each VLAN.
Yes, the switch is FastEthernet and the router Ethernet. We didn't configure the speed; we have
Gi1/0/23 to RouterB connected 100 a-half a-10 10/100/1000BaseTX
Gi1/0/24 to RouterA connected 100 a-half a-10 10/100/1000BaseTX
About the default route, it's the switch IP address (for the VLAN connected to the router). I know we should have used the internet router as the default route and put the LAN's network address there instead of 0.0.0.0, but it's just for a lab. Here attached the diagram (hsrp_lab.JPG).
Thanks for informing us about using NAT with HSRP groups; we'll need it later when configuring NAT static mapping.
Our main problem is SwitchB. It's always active even if cables are disconnected.
When you look at the attached diagram, cables marked with X are disconnected and yet the state of SwitchB is still active. In this case, we can't ping the outside anymore (PC NET on the diagram); there's no route.
The state of SwitchA changed from:
Standby -> Active -> Speak
and with sh standby, we have:
Vlan2 - Group 2
State is Standby
Here attached the output of debug for more detail.
To avoid this situation, we thought of using "standby 2 track g1/0/1 200" on SwitchB, but it seems impossible: many 2950 switches will be connected to SwitchA and SwitchB.
Is there any way of doing this?
The reason switch B is always active is because the configuration asks it to be. From your configuration:
Switch B (3750):
ip address 192.168.2.3 255.255.255.0
standby 2 ip 192.168.2.2
standby 2 priority 202
standby 2 preempt
Switch A (3750):
ip address 192.168.2.1 255.255.255.0
standby 2 ip 192.168.2.2
standby 2 priority 102
standby 2 preempt
As seen above, switch B has the higher priority. It will always remain active as long as it can communicate with switch A. And from your diagram, switch B always has trunk connections to switch A, even if it is through the Layer 2 switches at the bottom. To avoid this situation, you need to understand what you want to track and configure accordingly, i.e., track the uplink interfaces and then fail over accordingly.
So on switch B, you would track fa1/0/23 & fa1/0/24.
Regarding the speed issue, manually set the switch end to full duplex, speed 10, and on the router set duplex to full.
Let me know how you get on.
Also remember that redundancy can go to multiple levels. You have to decide at what level you will stop (basically when cash or effort is exhausted). It is unlikely that you will have multiple cable failures or multiple router failures.
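The priority arithmetic behind this advice, as an added illustration that is not from the thread and not IOS code: a small Python model of HSRP election using SwitchA's and SwitchB's priorities (102 and 202) from the config above. It assumes SwitchB tracks Gi1/0/23 and Gi1/0/24 (the router-facing ports in the show interface output) and shows two things the thread only implies: the tracking decrement must exceed the 100-point priority gap, and SwitchA needs preempt, otherwise SwitchB stays active with its uplinks down, exactly the behaviour reported.

```python
# Simplified model of HSRP active election with interface tracking.
# Added illustration, not IOS code; reuses the thread's values (group 2,
# priorities 102/202) and applies 'preempt' and 'track <if> <decrement>'
# the way HSRP does between the active and standby routers.
from dataclasses import dataclass, field
from ipaddress import IPv4Address


@dataclass
class HsrpRouter:
    name: str
    ip: str                    # real SVI address, HSRP's tie-breaker
    priority: int = 100        # 'standby <grp> priority N'
    preempt: bool = False      # 'standby <grp> preempt'
    tracks: dict = field(default_factory=dict)    # interface -> decrement
    link_down: set = field(default_factory=set)   # interfaces currently down

    def effective_priority(self) -> int:
        """Priority minus the decrement of every tracked interface that is down."""
        lost = sum(dec for intf, dec in self.tracks.items() if intf in self.link_down)
        return max(0, self.priority - lost)   # floor at 0 is a model simplification


def elect_active(routers, current=None):
    """Name of the active router once tracking has been applied.

    The current active keeps the role unless a peer with higher effective
    priority has preempt configured; ties break on the higher IP address."""
    key = lambda r: (r.effective_priority(), IPv4Address(r.ip))
    best = max(routers, key=key)
    cur = next((r for r in routers if r.name == current), None)
    if cur is None or (best is not cur and best.preempt):
        return best.name
    return cur.name


def failover_result(tracks, failed, a_preempt=True):
    """Who is active after the given SwitchB uplinks fail (constructed scenario)."""
    a = HsrpRouter("SwitchA", "192.168.2.1", priority=102, preempt=a_preempt)
    b = HsrpRouter("SwitchB", "192.168.2.3", priority=202, preempt=True, tracks=tracks)
    active = elect_active([a, b])            # steady state: B wins on priority
    b.link_down.update(failed)               # unplug the router-facing ports
    return elect_active([a, b], current=active)


if __name__ == "__main__":
    uplinks = {"Gi1/0/23", "Gi1/0/24"}
    print("no tracking, both uplinks down :", failover_result({}, uplinks))
    print("default decrement 10, both down:", failover_result(dict.fromkeys(uplinks, 10), uplinks))
    print("decrement 110, one uplink down :", failover_result(dict.fromkeys(uplinks, 110), {"Gi1/0/23"}))
```

With the default decrement of 10 per interface SwitchB only drops to 182 and keeps the active role; a decrement above 100 on each uplink (or a single tracked object covering both) is what actually moves the gateway to SwitchA.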
Is it possible to have SwitchB become standby for the PCs connected to a 2950 when there's a cable failure between SwitchB and that 2950?
Or does it seem ridiculous? :D
Our reason is that traffic will pass through the 2 3750 switches in the case above, instead of only one.
Do we need to track as many interfaces as the number of 2950s connected to the 3750, or is there another method?
In the configuration we were discussing, traffic would only pass through one 3750, whichever is master for that VLAN (by HSRP priority). Can you please explain why you think traffic would pass through both 3750s?
Yes, it's still using the diagram and config posted.
We tested with one 2950 connected to the 2 3750s first.
As the cable between SwitchB and the 2950 is disconnected, there is no way for PCs connected to the 2950 to reach SwitchB.
The only connection between the 3750s and the 2950 is the connection to SwitchA, so all traffic from the 2950 will pass through SwitchA before going elsewhere.
SwitchB is active, so it will forward traffic to the router.
Traffic will pass from SwitchA to SwitchB via the trunk between them and reach the router.
We tried disconnecting this trunk connection to see if traffic really uses it.
When the trunk is disconnected, SwitchA becomes active and ping to PC_NET doesn't respond for a few seconds, the time until SwitchA is really active.
Did we wrongly interpret the result?
Sure you can. You can track any interface.
But I don't understand why you need to do it. Suppose a 2950-to-SwitchB cable fails. You want the active gateway to be switch A now. Is that right? If you do it this way, even for the failure of one link between one 2950 and switch B, you will have the primary GW address moving from switch B to switch A for all the rest of the 2950s as well. Do you need this?
Thanks for your reply.
We'll use HSRP and track the links to the routers.
Should the 2 3750s be VTP servers, or should one be a client?
One more question: in our case, does one of the ISPs stay in standby as long as the other is active?
If so, is there a way to make the 2 ISPs work together?
If you're using 3750s, I suggest you stack them. If you do, you wouldn't need to use HSRP, although you still could. If supported on the 2950s, channel your two uplinks, one link to each 3750.
Route between the stacked 3750s and the WAN routers. Retain the dual links, again one to each 3750.
Originate a default route from each WAN router when it has a good ISP connection.