Failover config

Hello,

I have a question with regard to HSRP and IP SLA. What would be the difference if I implemented HSRP between DSW1 and DSW2 instead of IP SLA on ASW1 and ASW2 for failover? Please see the attached image.

IP SLA with tracking would track my interfaces and if "down" it would fail over to the other switch; isn't that what I would get from HSRP?
What would be the better case? HSRP or IP SLA with failover?
I will have EIGRP configured on the switches.
[Attached image: hsrp-nuggets.jpg]
Shark Attack (Network admin) Asked:
JustInCase Commented:
I don't know your full topology in detail, and the picture shows L3 switches, so the use of HSRP and IP SLA with tracking depends on your implementation.

If you configure EIGRP on the switches then you don't need IP SLA with tracking; EIGRP will perform the same job as IP SLA with tracking, dynamically changing routes in the routing table on all devices if the network topology changes.

You need HSRP on DSW1 and DSW2 only if your VLANs from ASW1 and ASW2 are extended to DSW1 and DSW2, or at least DSW1 and DSW2 have the same VLANs. HSRP changes the MAC address of the default gateway IP address, so it relates to the L2 topology.

If you use EIGRP everywhere (on the switches and router) and VLANs are not extended between switches, then EIGRP is sufficient; there is no need for HSRP or IP SLA with tracking.

So, as I already wrote, the use of EIGRP, IP SLA and HSRP depends on the actual implementation.
However, you still have a single point of failure: Router R4.
Shark Attack (Network admin) Author Commented:
If you look at the image below, it's my actual structure that I will be implementing. EIGRP will be on all switches in the image including the access layer switches, which are L3 as well. Anything above SW1 and SW2 will run static routing.

SW1's interface to the Primary ASA has a different IP than SW2's interface to the Backup ASA. So will EIGRP be sufficient in this topology since I have 2 different ISPs and different IP schemes between the primary and backup ASA and router?

Here is what I want to accomplish:

1. I want SW3 and SW4 to re-route themselves to their respective switch in case SW1 or SW2 fails. For example, if SW1 fails, traffic will get re-routed to SW2. I am assuming this will actually be done via EIGRP at this particular stage.

2. If SW1 fails, I want traffic to get routed to SW2 and back to the Primary ASA instead of the Backup ASA. How would I accomplish that? IP SLA with tracking? HSRP?

3. If the Primary ASA fails, traffic gets re-routed from SW1 to the Backup ASA. How would I accomplish that? IP SLA with tracking? HSRP?


Also, one last thing: SW1 is the primary switch, it has all VLANs and their IPs configured, and I am running VTP. When I go to SW2 or SW4, for example, and do "show int vlan 5", it shows UP and UP but no IP address for the VLAN is displayed (which is normal). But what happens if SW1 shuts down is that all VLANs show up and up but I am unable to ping any VLAN. How could I configure VLANs on another switch like SW2 so that if SW1 shuts down, I still have functional VLANs everywhere else?

Thank you!

[Attached image: 2015-04-24-9-28-09.jpg]
Craig Beck Commented:
Looking at this quickly I'd probably do IP SLA at SW1 and SW2, using Primary ASA as the default route, switching to the Backup.  The rest can be left to EIGRP.

You can't do HSRP between SW1 and SW2 (not nicely anyway) because you don't have a layer-2 link directly between them.  You'd have to use a trunk via the distribution switches if you really wanted to do it but that may not be possible if the links between core (SW1 and SW2) and distribution (SW3 and SW4) are purely routed links.  The same can be said for the distribution<->access links.  I'd only use HSRP where I can't manipulate routing (or where you can't directly dynamically influence routing at the adjacent devices), or where layer-2 is the only option.

If SW1 fails, EIGRP will tell SW3 and SW4 to use SW2 as the only candidate for unknown (external) routes.  SW2 will know that the Primary ASA is still up and will route all internet-bound traffic that way.  The same can be said for a failure at SW2, but obviously SW1 is the only candidate for external routing.

If the primary ASA fails SW1 will drop the default route to the primary and send traffic to the backup ASA.  SW2 will do the same.  When the primary ASA comes back IP SLA will reinstate the original route via the primary ASA.

The access switches just need to use EIGRP.  They only have 2 route choices and it would probably be a good thing to just let EIGRP do ECLB (enabled by default on equal-cost routes).  That provides redundancy and load-balancing straight from the off.

JustInCase Commented:
> 1. I want SW3 and SW4 to re-route themselves to their respective switch in case SW1 or SW2 fails. For example, if SW1 fails, traffic will get re-routed to SW2. I am assuming this will actually be done via EIGRP at this particular stage.
Yes, EIGRP can do that for you.
> 2. If SW1 fails, I want traffic to get routed to SW2 and back to the Primary ASA instead of the Backup ASA. How would I accomplish that? IP SLA with tracking? HSRP?
>
> 3. If the Primary ASA fails, traffic gets re-routed from SW1 to the Backup ASA. How would I accomplish that? IP SLA with tracking? HSRP?
Since you are using EIGRP everywhere in your network, there is one more problem left to solve here: how to advertise the default route, so that other switches in the network can send traffic to the internet.
I guess that SW1 and SW2 can both advertise the default network, and when packets reach SW1 or SW2 the static route with tracking will do its job, or this can be achieved by redistributing the default static routes on SW1 and SW2 (or perhaps route maps).
> Also, one last thing: SW1 is the primary switch, it has all VLANs and their IPs configured, and I am running VTP. When I go to SW2 or SW4, for example, and do "show int vlan 5", it shows UP and UP but no IP address for the VLAN is displayed (which is normal). But what happens if SW1 shuts down is that all VLANs show up and up but I am unable to ping any VLAN. How could I configure VLANs on another switch like SW2 so that if SW1 shuts down, I still have functional VLANs everywhere else?
But here is where I am confused.
You have VLANs everywhere and you have EIGRP everywhere??? Does this mean that you are using EIGRP to detect a failing switch and nothing else??? EIGRP is an L3 protocol, VLAN is L2.
I guess the simple logic should be: where VLAN ends, EIGRP begins.
For detecting a failing switch (or a port that connects two switches) you do that with EIGRP if you have an L3 topology in your network, or with STP, RSTP or MSTP if you are using an L2 topology in your network.
EIGRP or STP (RSTP, MSTP) will automatically find an alternate path, but don't forget that with STP you have a 30 sec timeout by default if the topology changes, so if you have newer switches use RSTP or MSTP (or you need to tune STP).
Shark Attack (Network admin) Author Commented:
I don't have EIGRP running in the whole network. I only have EIGRP in the switch infrastructure. I have over 100 tunnels on the ASA above the switches; I don't want to implement EIGRP to the firewalls because I don't want EIGRP to go over the tunnel and create issues. I don't even care about EIGRP, I don't even need to implement it; my main concern is if SW1 fails, then it's over no matter what I have. SW1 is running VLANs as a server switch; if it drops, I have absolutely no network connectivity. Anything below SW1 and SW2 is using VLANs across all switches for communication. There are no L3 ports there.
JustInCase Commented:
> I don't even care about EIGRP, I don't even need to implement it; my main concern is if SW1 fails, then it's over no matter what I have. SW1 is running VLANs as a server switch; if it drops, I have absolutely no network connectivity.
In that case you can configure HSRP on SW1 and SW2, so if SW1 fails, the other switch will become the default gateway for all VLANs. You need to track availability of the internet and the internal network from SW1 and SW2, so if one of the interfaces fails or becomes unavailable SW2 can take over SW1's functions. You can even do some load balancing with HSRP: you can give VLANs 1 - 10 higher priority on SW1, and VLANs 11 - 20 higher priority on SW2 (if you want to do that anyway).

It is also good practice to set a delay on restoring priority after the internet connection is restored (or in case you have a flapping interface, or the router restarts).

Config of HSRP and IP SLA with tracking to decrement priority
(config)# interface vlan 1
(config-if)# ip address 10.0.0.2 255.255.255.0
(config-if)# standby ip 10.0.0.1
(config-if)# standby priority 120
(config-if)# standby preempt delay minimum 60
(config-if)# standby track 1 decrement 30
(config-if)# exit

(config)# ip sla 1
(config-ip-sla)# icmp-echo 8.8.8.8 source-interface FastEthernet4
(config-ip-sla-echo)# timeout 1000
(config-ip-sla-echo)# frequency 3
(config-ip-sla-echo)# threshold 700
(config-ip-sla-echo)# exit
(config)# ip sla schedule 1 life forever start-time now

(config)# track 1 ip sla 1 reachability


The point here is to set the default gateway to the virtual IP address 10.0.0.1.
If the internet is unavailable, the priority will be reduced by 30, and if SW2 has an HSRP priority higher than or equal to 91 and HSRP is set to preempt, SW2 will become the default gateway.
Craig Beck Commented:
You said earlier even access switches run IP routing.
> EIGRP will be on all switches in the image including the access layer switches, which are L3 as well.

Now you're saying it's L2 down to the access-layer.
> Anything below SW1 and SW2 is using VLANs across all switches for communication. There are no L3 ports there.

Which is it?
Shark Attack (Network admin) Author Commented:
Alright, HSRP with IP SLA will do. That's what I thought, I just needed to confirm.
Shark Attack (Network admin) Author Commented:
All the switches, SW1, 2, 3 and 4, are running VLANs across, including the access layer switches. Everything above SW1 and 2 will have L3 routing; no VLANs there. I don't know, maybe I mistyped.
Craig Beck Commented:
So why extend the VLANs all the way up to SW1 and SW2?  Why not just use a traditional core-dist-access model and route between core-dist?  HSRP at each SVI at SW3 and SW4 will provide redundancy for access VLANs but you'll need a L2 link directly between SW3 and SW4 for it to be efficient.  That way you still use IP SLA as I explained earlier and the dist switches get dynamic routing from EIGRP.
Shark Attack (Network admin) Author Commented:
Can you explain?

- So, I should have L3 links between the core and dist switches?
- Keep VLANs only on dist. and access switches
- Connect SW3 and 4 together for HSRP
- On SW3 and 4 I have 2 links going to each of SW1 and 2; I put those two links on a native VLAN so I don't have to use different subnets. If I do routed ports, I would need to use 2 different subnets. For example, SW1 native VLAN is 100.1, SW2 is 100.2, SW3 100.4. I use trunks across, routing via the native VLAN.

Could you explain or draw out a map showing what I should do? Thanks
Craig Beck Commented:
Sure, but first can you tell us what the intended purpose of each switch (1-4) is, from your perspective?  Are you looking at SW1 and SW2 as core switches and SW3 and SW4 as distribution switches, or are you looking at SW3 and SW4 being the cores and SW1 and SW2 being simple switches to connect the ASAs to SW3 and SW4?

Or something else??
Shark Attack (Network admin) Author Commented:
So, my current network is this (before I implemented SW2 and SW4):

SW1 as a core and SW3 as distribution switch and then the access layer switches below. The issue is, I have no failover whatsoever; if the core switch goes down, I have nothing in terms of backup to the ASAs out to the internet. Same thing for the dist. switch: if it fails I have no failover to the core switch.

So, I added SW2, which serves as backup to the core (SW1), and I added SW4, which is backup to SW3. So now I have full redundancy out to the firewalls, with SW2 and SW4 serving as backup to their respective switches. SW2 and SW4 never existed; I added them to the mix.

I crisscross connected them as you see in the above image. I thought that would give me a perfect redundancy scenario. So, SW3 and 4 are distribution switches, and SW1 and 2 are my core. I can implement this any way I like: L2 and L3 links, EIGRP, HSRP with IP SLA. I just don't know how I should mix these up and at which layer (core? dist?).
Does that help?
Craig Beck Commented:
If you just added SW2 and SW4 I'd probably say you don't really need them.  A collapsed-core model would be simpler.

Let's say we get rid of SW1 and SW2 in your diagram to make it easy to depict.  You're left with a collapsed-core right there.  SW3 and SW4 would be core switches.  We could rename them SW1 and SW2.  Connect your ASAs to SW3 and SW4 just as you have to SW1 and SW2.

That gives you this:

[Diagram: Collapsed-core]
The link between the two cores lets you run HSRP for all of your VLANs.  You configure SW1 with the highest priority so it does all the routing ordinarily.  The links down to the access switches are L2 so STP will block the second uplink from each access switch to SW2 if you configure SW1 to be the root for all VLANs and SW2 the secondary root.  EIGRP doesn't need to be used at all then; you simply use static routes up to the ASAs and configure IP SLA to track via the primary ASA on each core.  You should run L3 links between each ASA and each core, giving you 4 separate subnets.  /30 addresses would be fine for this.

You'd probably also need to configure IP SLA at the ASAs too, pointing to a loopback address at the primary.  If the loopback disappears the ASA would route via SW2.  This would cover you if SW1 stayed up but the link between SW1 and ASA1 failed.
Shark Attack (Network admin) Author Commented:
This looks a whole lot cleaner and makes more sense to do. Seems like I had overkill previously.

SW1 is a core SW and it has all VLANs running, and is configured as server for VTP. If that switch shuts down, do I still have connectivity between all VLANs? I initially thought, since SW1 is configured with all the VLANs and their respective IP addresses, that once the switch goes inactive there is no routing, or is this something HSRP will help me with?
Craig Beck Commented:
You'll need all VLANs at both cores.  You'll also need an interface (SVI) for each VLAN at each core.  This will let you run HSRP between the two cores.  That eliminates the need for routing between the two cores.  Adding the layer-2 link between the cores lets STP kill the link to SW2 and bring it back up automatically if SW1 fails.

So, you just need static routing and IP SLA to get the ASA bit sorted.  HSRP will provide the redundancy for clients if a core dies.
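The collapsed-core design from the last few posts (HSRP between the two cores, SW1 as STP root, static default routes tracked by IP SLA toward the primary ASA, plus the HSRP priority decrement from JustInCase's earlier post) written out for SW1, as an added example configuration that is not from the thread or any of its participants. The interface names, VLAN 10, the 10.10.0.0/24 client subnet and the 192.0.2.x /30 link addresses are constructed placeholders; SW2 mirrors this with `root secondary`, a lower HSRP priority and its own /30 links, and the ASA-side tracking is not shown.

```cisco
! Added example: collapsed-core SW1 (constructed; SW2 mirrors it with lower priorities)
spanning-tree mode rapid-pvst
! SW1 is root for every VLAN, so STP blocks each access switch's uplink to SW2 (SW2: root secondary)
spanning-tree vlan 1-4094 root primary
!
interface GigabitEthernet1/0/24
 description L2 trunk to SW2 - carries all VLANs so HSRP and STP work between the cores
 switchport mode trunk
!
interface GigabitEthernet1/0/1
 description routed /30 to Primary ASA (constructed address)
 no switchport
 ip address 192.0.2.1 255.255.255.252
!
interface GigabitEthernet1/0/2
 description routed /30 to Backup ASA (constructed address)
 no switchport
 ip address 192.0.2.5 255.255.255.252
!
! Probe the primary ASA's link address; timeout (ms) must stay below frequency (s)
ip sla 1
 icmp-echo 192.0.2.2 source-interface GigabitEthernet1/0/1
 frequency 5
 timeout 1000
 threshold 500
ip sla schedule 1 life forever start-time now
!
track 1 ip sla 1 reachability
!
! Primary default route stays installed only while track 1 is up;
! the floating route (AD 10) via the backup ASA takes over when it is withdrawn
ip route 0.0.0.0 0.0.0.0 192.0.2.2 track 1
ip route 0.0.0.0 0.0.0.0 192.0.2.6 10
!
! One SVI per VLAN on both cores; VLAN 10 shown. If SW1's own link to the primary ASA
! fails, priority drops to 120 - 30 = 90, so SW2 (priority 100 with preempt) becomes the
! gateway and still reaches the primary ASA over its own link, as asked in question 2.
interface Vlan10
 ip address 10.10.0.2 255.255.255.0
 standby 10 ip 10.10.0.1
 standby 10 priority 120
 standby 10 preempt delay minimum 60
 standby 10 track 1 decrement 30
```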

Shark Attack (Network admin) Author Commented:
This is awesome. Thanks man!