RAMU CH (India) asked:

Cisco HSRP load balancing topology

My recommended topology scenario is as follows:

                      Internet
                         |
                   Internet Router
                         |
                  Fortigate Firewall
                         |
                      Access-sw
                    /          \
            Core-sw-1 -------- Core-sw-2
               /                    \
         Dist-sw-1 ------------ Dist-sw-2
          /      \              /      \
    Access-1   Access-2   Access-1   Access-2
       |          |          |          |
     VLAN10     VLAN20     VLAN30     VLAN40


I hope the above topology is understandable; here is a short note on the scenario:

1) In this project we are using one Cisco 1900 series router as the internet router.
2) The Fortigate firewall is the internet firewall.
3) The two core switches are 4506 series, the two 3750-X are the distribution switches and 2960S switches are the access switches.
4) There is cross connectivity between Distribution-1 and Core-sw-2 and between Distribution-2 and Core-sw-1 (not shown in the above diagram).
     There is connectivity between the distribution switches (shown in the diagram).
5) Each access switch is in its own VLAN and connected to distribution; end devices are connected to the access switches.

Requirements:

1) HSRP configuration including load balancing for each VLAN, meaning that for some VLANs
    Core-sw-1 is active and Core-sw-2 is standby, and vice versa.

2) If we go with HSRP load balancing, how do we configure VTP? Can we configure the two core switches in server mode, and then how does it work if Core-switch-1 fails: how is the VLAN database reflected in the other core switch, Core-switch-2?

3) How to configure STP: can we configure Core-sw-1 as the root bridge for some VLANs and
    Core-sw-2 as the root bridge for the remaining VLANs? How will Core-sw-2 become the root bridge for the VLANs rooted at Core-sw-1 if Core-sw-1 goes down?

4) How will the redundancy happen? If Core-sw-1 goes down, how will the respective VLANs' traffic be diverted through Core-sw-2?

5) How will the VTP database be reflected in Core-sw-2 if Core-sw-1 goes down?

6) We will do inter-VLAN routing in the distribution switches; is that OK? Can we make the distribution and access switches VTP clients? I think it won't give any issues, so that
the VLANs configured in the core switches will be reflected in each distribution / access switch.


Please provide a solution for the above and suggest your comments.

Regards
Ramu
Topics: Switches / Hubs, Network Architecture, Network Operations

Last Comment: RAMU CH, 8/22/2022 - Mon
mikebernhardt

1. I never use VTP. It saves some administration but adds a lot of risk and potential instability. Even Cisco has, at least at times, said to avoid it as a best practice. Set them all to VTP transparent and configure the VLANs you need, only where you need them. This will eliminate many of your questions.

2. Normally in a hierarchical model, the distribution switches are Layer 3. In your case, it sounds like they are Layer 2 only. I would eliminate the distribution switches and dual-home all of the access switches if you can. Having them only adds complexity and a lot of loops that STP has to resolve (also if you're using VTP, every VLAN is on every switch and since you have a separate spanning tree for each VLAN, the problem is multiplied).

3. With the access switches dual-homed to the core switches, everything becomes much, much simpler. Configure all VLANs on both core switches. If you want to load-balance your HSRP, that's fine and very commonly done. However, I would use standby tracking and track the interface that connects toward the internet. That way if the link to the internet goes down on one switch, HSRP will switch over to the good core switch.
mikebernhardt

Regarding VLAN configuration: Both core switches have all VLANs. Set up the spanning tree root on the same switch as your HSRP active. Access switches only get the VLANs they need. Configure trunk ports so that they only carry the VLANs required. All of this makes spanning tree simpler. Also set up Rapid Spanning Tree on all devices; it fails over much faster.
mat1458

One thing to mention: setting the root bridge on the same switch as the HSRP active switch can lead to flooding situations on the secondary core switch when the return traffic from the firewall is sent towards that switch. For this reason I recommend setting the HSRP primary and the STP root bridge on different switches.

But one question about the design: if all VLANs are present up to the core, why not have the L3 termination in the firewall? This does not add much more complexity and HSRP would not be needed. You then only have STP (or hopefully RSTP) for redundancy purposes.

I agree on VTP: use transparent, then you know what you do and an eventual hardware replacement is easily done. I also agree on the question about the distribution layer. There is no obvious need for it in your environment unless you have geographical/cabling issues that lead to your solution.
RAMU CH

ASKER
Will you provide a sample reference configuration of HSRP VLAN load balancing
in a three-tier network architecture model like my proposed model?

I am also searching on Google, but just to get a worked-out example of the above topology.

Regards
Ram
mikebernhardt

mat1458: " If all VLAN are present up to the core why not having the L3 termination in the firewall?"  Because if the firewall fails then internal routing also fails rather than just internet access.

ramkanirka:

switch 1
! "standby track 1" refers to a track object that has to exist. The interface
! name below is an assumption (the uplink toward the firewall); use your own.
track 1 interface GigabitEthernet1/1 line-protocol
interface vlan 10
 ip address 10.1.1.2 255.255.255.0
 ! group number = VLAN number, so each VLAN gets its own virtual MAC
 standby 10 ip 10.1.1.1
 ! 110 beats switch 2's 100, so switch 1 is active for VLAN 10
 standby 10 priority 110
 ! preempt tells the primary to take over again when it can
 standby 10 preempt
 ! hello 2s / hold 6s shortens the timers significantly for faster failover
 standby 10 timers 2 6
 ! if the tracked uplink goes down, priority drops to 99, below switch 2's 100
 standby 10 track 1 decrement 11
interface vlan 20
 ip address 10.2.2.2 255.255.255.0
 standby 20 ip 10.2.2.1
 standby 20 priority 100
 ! preempt is needed on the standby side too: without it, switch 2's
 ! tracking decrement would never hand VLAN 20 over to this switch
 standby 20 preempt
 standby 20 timers 2 6

switch 2
track 1 interface GigabitEthernet1/1 line-protocol
interface vlan 10
 ip address 10.1.1.3 255.255.255.0
 standby 10 ip 10.1.1.1
 standby 10 priority 100
 ! same reason as above: standby must preempt for the decrement to cause failover
 standby 10 preempt
 standby 10 timers 2 6
interface vlan 20
 ip address 10.2.2.3 255.255.255.0
 standby 20 ip 10.2.2.1
 standby 20 priority 110
 standby 20 preempt
 standby 20 timers 2 6
 standby 20 track 1 decrement 11
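The points behind this configuration (per-VLAN priorities that split the active role across the two cores, preempt on both sides, and a tracking decrement large enough to drop below the other core's priority) are easy to get subtly wrong. The following is an added example, not code from the thread or from Cisco: it parses two core switches' "interface vlan" stanzas, lints them for the mistakes that silently break load balancing or tracked failover, and models which core ends up active per VLAN, both in steady state and when one core's uplink (track object 1) fails. The switch names, the sample configs and the simplified HSRP role rule are assumptions made for the example.

```python
"""Added example (not from the thread): parse, lint and model per-VLAN HSRP on two cores."""
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample configs in the shape of the thread's (group number = VLAN number).
CORE1 = """
track 1 interface GigabitEthernet1/1 line-protocol
interface vlan 10
 ip address 10.1.1.2 255.255.255.0
 standby 10 ip 10.1.1.1
 standby 10 priority 110
 standby 10 preempt
 standby 10 timers 2 6
 standby 10 track 1 decrement 11
interface vlan 20
 ip address 10.2.2.2 255.255.255.0
 standby 20 ip 10.2.2.1
 standby 20 priority 100
 standby 20 preempt
 standby 20 timers 2 6
"""
CORE2 = """
track 1 interface GigabitEthernet1/1 line-protocol
interface vlan 10
 ip address 10.1.1.3 255.255.255.0
 standby 10 ip 10.1.1.1
 standby 10 priority 100
 standby 10 preempt
interface vlan 20
 ip address 10.2.2.3 255.255.255.0
 standby 20 ip 10.2.2.1
 standby 20 priority 110
 standby 20 preempt
 standby 20 track 1 decrement 11
"""
# Same as CORE2 but VLAN 10 lacks preempt, a common omission on the standby side.
CORE2_NO_PREEMPT = CORE2.replace(" standby 10 preempt\n", "")


@dataclass
class Group:
    switch: str
    vlan: int
    ip: str = ""
    vip: str = ""
    priority: int = 100        # IOS default priority
    preempt: bool = False      # IOS default: no preempt
    track: int | None = None
    decrement: int = 10        # IOS default decrement


def parse(switch: str, text: str) -> dict[int, Group]:
    """Collect 'interface vlan N' stanzas and their standby commands into Group objects."""
    groups, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"interface vlan\s*(\d+)$", line, re.I):
            cur = groups.setdefault(int(m.group(1)), Group(switch, int(m.group(1))))
        elif cur is None or not line or line.startswith("!"):
            continue
        elif m := re.match(r"ip address (\S+)", line):
            cur.ip = m.group(1)
        elif m := re.match(r"standby (?:\d+ )?ip (\S+)", line):
            cur.vip = m.group(1)
        elif m := re.match(r"standby (?:\d+ )?priority (\d+)", line):
            cur.priority = int(m.group(1))
        elif re.match(r"standby (?:\d+ )?preempt", line):
            cur.preempt = True
        elif m := re.match(r"standby (?:\d+ )?track (\d+)(?: decrement (\d+))?", line):
            cur.track, cur.decrement = int(m.group(1)), int(m.group(2) or cur.decrement)
    return groups


def effective(g: Group, failed: dict[str, set[int]]) -> int:
    """Priority after the tracking decrement, if this switch's tracked object is down."""
    return g.priority - g.decrement if g.track in failed.get(g.switch, set()) else g.priority


def elect(a: Group, b: Group, active: str | None, failed=None) -> str:
    """Simplified HSRP role rule: with no incumbent the higher priority wins (tie: higher IP);
    an incumbent keeps the role unless the other router has preempt AND a higher priority."""
    failed = failed or {}
    pa, pb = effective(a, failed), effective(b, failed)
    if active is None:
        if pa != pb:
            return a.switch if pa > pb else b.switch
        return max(a, b, key=lambda g: tuple(map(int, g.ip.split(".")))).switch
    inc, other = (a, b) if active == a.switch else (b, a)
    p_inc, p_other = (pa, pb) if inc is a else (pb, pa)
    return other.switch if other.preempt and p_other > p_inc else inc.switch


def active_map(g1: dict[int, Group], g2: dict[int, Group], failed=None) -> dict[int, str]:
    """Active core per VLAN: steady state first, then re-evaluated after the given failures."""
    return {v: elect(g1[v], g2[v], elect(g1[v], g2[v], None), failed)
            for v in sorted(set(g1) & set(g2))}


def lint(g1: dict[int, Group], g2: dict[int, Group]) -> list[str]:
    """Flag pairs where load balancing or tracked failover cannot work as intended."""
    issues = []
    for vlan in sorted(set(g1) | set(g2)):
        if vlan not in g1 or vlan not in g2:
            issues.append(f"vlan {vlan}: HSRP defined on only one core")
            continue
        a, b = g1[vlan], g2[vlan]
        if a.vip != b.vip:
            issues.append(f"vlan {vlan}: virtual IP mismatch ({a.vip} vs {b.vip})")
        if a.priority == b.priority:
            issues.append(f"vlan {vlan}: equal priorities, active picked by IP, not by design")
        for hi, lo in ((a, b), (b, a)):
            if hi.track is None or hi.priority <= lo.priority:
                continue  # tracking on the non-preferred side is harmless
            if not lo.preempt:
                issues.append(f"vlan {vlan}: {hi.switch} tracks but {lo.switch} lacks preempt, "
                              "so the decrement can never trigger failover")
            if hi.priority - hi.decrement >= lo.priority:
                issues.append(f"vlan {vlan}: decrement on {hi.switch} leaves it at "
                              f"{hi.priority - hi.decrement}, not below {lo.priority}")
    return issues


if __name__ == "__main__":
    c1, c2 = parse("core-1", CORE1), parse("core-2", CORE2)
    print("lint:", lint(c1, c2) or "clean")
    print("steady state:", active_map(c1, c2))
    print("core-1 uplink down:", active_map(c1, c2, {"core-1": {1}}))
    print("standby without preempt:", lint(c1, parse("core-2", CORE2_NO_PREEMPT)))
```

Run against the constructed configs, the steady state shows VLAN 10 active on core-1 and VLAN 20 on core-2; with core-1's tracked uplink down, both VLANs move to core-2. The no-preempt variant shows the failure mode the linter exists for: the decrement lowers core-1 to 99, but core-2 never claims VLAN 10 because it is not allowed to preempt.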
ASKER CERTIFIED SOLUTION
Vasant Patel

RAMU CH

ASKER
See the attached figure:

a) What is the configuration at R9? Can we make a separate VLAN for this and make the active core switch active and the standby core switch backup for that VLAN on switch R9?

b) What is the configuration at host 3 (router)? What default gateway should I point it at: is it the inside IP of router R10, or the virtual IP address of the active/standby VLAN?

c) If host 3's default gateway is R10's inside IP address, then how do host 1 (VLAN 10 PC) and host 2 (VLAN 20) communicate with host 3?


Regards
Ramu
HSRP-Topology.png
mikebernhardt

a) Is R9 a basic Layer 2 switch or a Layer 3 switch? And is R10 the Fortigate firewall you mentioned at the beginning, or something else? What is the purpose of host 3? Is it supposed to be a DMZ host that is accessible from the internet? All of these questions need to be answered before I can give you an answer to this question.

b) Same questions as above

c) R10 and the core switches have to have correct routing configured for it to work. This is one of the reasons the questions I asked in (a) are important.
RAMU CH

ASKER
Thanks