Solved

HSRP question

Posted on 2016-08-15
Last Modified: 2016-08-23
Refer to the diagram. Can you configure HSRP between service switch 1 and service switch 2 if they aren't connected? The connection from the service switch to the cores is L3. Service switch to DMZ is L2. Service switch to WLC is an L2 port-channel.


Diagram
Question by:PeraHoman
13 Comments
 
LVL 13

Expert Comment

by:SIM50
ID: 41756963
Yes, you can. It would have to be configured under L3 interfaces.
0
 
LVL 26

Expert Comment

by:Predrag Jovic
ID: 41757943
Can you give more details?
The way the question is written I am not sure that I understand what you want to achieve - and what is the purpose of HSRP here.
0
 

Author Comment

by:PeraHoman
ID: 41757975
I'm wondering if it is possible to configure HSRP (8 standby groups - VLANS) between the service switches with this setup?  Doesn't there need to be a L2 connection between the service switches?  Will traversing through the DMZ as L2 trunk allow HSRP to work (See below)?

If the L2 connection through the DMZ works, the issue I have with that is only 4 of the 8 VLANS are trunked from the service switch through the DMZ, so I'd have to add the rest of the VLANs onto the trunk for HSRP for the rest of them.

Service Switch 1
VLAN 1-8
HSRP 1-8, priority 120

-Connection to core is L3 routed link
-Connection to DMZ is L2 trunk (only VLAN 1-4 allowed now)

Service Switch 2
VLAN 1-8
HSRP 1-8 priority 110

-Connection to core is L3 routed link
-Connection to DMZ is L2 trunk (only VLAN 1-4 allowed now)
 
DMZ Switch

Connection to both service switches is L2 trunk (only VLAN 1-4 allowed now)
0
 
LVL 26

Assisted Solution

by:Predrag Jovic
Predrag Jovic earned 500 total points
ID: 41758063
If you have VLANs between those switches through DMZ switch (picture below), sure you can do that.
Few details that are required for HSRP:
- Switches (routers) must be able to communicate with each other
- IP address range must match
- The same version of HSRP for specific "ip range" (in your case VLAN) must be used on both devices (can't mix v1 with v2 in the same VLAN)

So if those 3 requirements are met, you should be able to use HSRP.
If I understood you well, this is what you plan to achieve. The red line is, let's say, a VLAN through the DMZ switch connecting the switches to each other.
 
Is this your plan?
This is a plausible scenario.
0
 

Author Comment

by:PeraHoman
ID: 41758074
Your diagram is correct, but only 1-4 will be trunked through the DMZ. Will HSRP work for VLAN 5-8 since there is no L2 connectivity? The reason is that we are restricting 5-8 in the DMZ.
0
 
LVL 26

Assisted Solution

by:Predrag Jovic
Predrag Jovic earned 500 total points
ID: 41758107
It can work if you have L3 connectivity between those specific addresses. If the devices cannot reach each other you will have a split-brain situation and both switches will claim that they own the virtual IP address, and you do not want that. If you want native load balancing, consider GLBP.
You can create specific rules on the DMZ (an access list that will permit only some specific IP addresses to communicate) or something similar.
0
 

Author Comment

by:PeraHoman
ID: 41758356
So, HSRP doesn't require a L2 connection between them?
0
 
LVL 26

Expert Comment

by:Predrag Jovic
ID: 41758400
No, not strictly, but do not forget that the IP addresses must be in the same subnet, so typically you will need to have an L2 device between the devices, but not VLANs (so if you can get around that limitation, problem solved). If you use subinterfaces you will again have to use dot1q, so VLANs (not to mention the discontiguous network problem in that case). But you can configure HSRP on L3 interfaces, although, on the other hand, it can also be considered as the native VLAN.
Also, if you do not have L2 connectivity, how will you forward packets? Typically, a floating static route with IP SLA or dynamic routing is used for that purpose.

PS
I forgot above, the HSRP group must match. :)
0
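The three requirements listed earlier in this thread (peers must be able to hear each other, the HSRP version must match per VLAN, and the group must match) and the split-brain outcome when they are not met can be seen in a small model. The following is an added illustration, not code from the thread or from Cisco; the peer names, addresses (192.0.2.0/24) and the priorities 120/110 are constructed for the example, and the election is simplified to Active/Standby.

```python
"""Toy HSRP election model (constructed illustration, not the thread's code).

Each peer sends a hello carrying (version, group, virtual IP, priority). A
peer only processes hellos that match its own version, group and VIP, and
only hears hellos from peers it shares an L2 path with, because hellos are
not routed. A peer goes Active unless it hears a better peer."""
from dataclasses import dataclass
from ipaddress import ip_address


@dataclass(frozen=True)
class HsrpPeer:
    name: str
    ip: str        # interface address on the shared subnet
    version: int   # HSRP v1 or v2; peers on different versions ignore each other
    group: int     # standby group number; must match on both peers
    vip: str       # virtual IP the group advertises
    priority: int  # higher wins; the higher interface IP breaks ties


def hello_accepted(rx: HsrpPeer, tx: HsrpPeer) -> bool:
    """A receiver only processes a hello whose version, group and VIP match its own."""
    return (rx.version, rx.group, rx.vip) == (tx.version, tx.group, tx.vip)


def rank(peer: HsrpPeer) -> tuple:
    """HSRP election order: highest priority, then highest interface IP."""
    return (peer.priority, int(ip_address(peer.ip)))


def elect(peers, l2_links):
    """Run one election round.

    l2_links is a set of frozenset({a, b}) pairs naming peers that share an
    L2 path. Returns {name: "Active" | "Standby"}. Simplification: a peer
    that hears a better peer is reported as Standby (real HSRP has more states)."""
    states = {}
    for me in peers:
        heard = [p for p in peers if p is not me
                 and frozenset({me.name, p.name}) in l2_links
                 and hello_accepted(me, p)]
        states[me.name] = "Standby" if any(rank(p) > rank(me) for p in heard) else "Active"
    return states


def split_brain(states) -> bool:
    """More than one Active peer: both answer ARP for the VIP on their segment."""
    return sum(1 for s in states.values() if s == "Active") > 1


# Constructed peers modelled on the thread's priorities (120 / 110);
# the addresses are made up for the example.
SS1 = HsrpPeer("ss1", "192.0.2.2", 2, 5, "192.0.2.1", 120)
SS2 = HsrpPeer("ss2", "192.0.2.3", 2, 5, "192.0.2.1", 110)
SS2_WRONG_GROUP = HsrpPeer("ss2", "192.0.2.3", 2, 6, "192.0.2.1", 110)
SS2_V1 = HsrpPeer("ss2", "192.0.2.3", 1, 5, "192.0.2.1", 110)

TRUNKED = {frozenset({"ss1", "ss2"})}   # VLAN carried across the DMZ trunks
NOT_TRUNKED = set()                      # the VLAN 5-8 case: no L2 path at all


def scenarios():
    """The four cases discussed in the thread, as election results."""
    return {
        "l2_ok": elect([SS1, SS2], TRUNKED),
        "no_l2": elect([SS1, SS2], NOT_TRUNKED),
        "group_mismatch": elect([SS1, SS2_WRONG_GROUP], TRUNKED),
        "version_mismatch": elect([SS1, SS2_V1], TRUNKED),
    }


if __name__ == "__main__":
    for name, states in scenarios().items():
        print(f"{name:17} {states}  split brain: {split_brain(states)}")
```

Only the first scenario yields one Active and one Standby peer; removing the L2 path, or mismatching the group or version, leaves each switch hearing nothing and both go Active for the same virtual IP.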
 

Author Comment

by:PeraHoman
ID: 41758614
Ok, to end this, the devices that participate in HSRP do not have to be physically connected, just reachable via L2 or L3.  

Example:

-  The core 1 and core 2 are connected (2 connections between them) and HSRP will work. (typical setups I've seen)

-  Service switch 1 and service switch 2 are not connected, but HSRP will work because they are connected via L3 (Service switch 1 -- Core 1 -- Core 2 -- Service switch 2). VLANs 1-8 will work here.
As well as L2 (Service switch 1 -- DMZ switch -- Service switch 2), HSRP will work for VLANs 1-4 ONLY because the DMZ switch only has VLANs 1-4 and not VLAN 4-8 on the switch/trunk.


I haven't done a setup where the HSRP was configured between two devices that weren't connected so I wasn't sure if HSRP was going to actually work.
0
 
LVL 26

Assisted Solution

by:Predrag Jovic
Predrag Jovic earned 500 total points
ID: 41758803
I haven't done a setup where the HSRP was configured between two devices that weren't connected so I wasn't sure if HSRP was going to actually work.
Looks like I am not explaining it well enough.
The thing is, no one does this and I do not think it is good practice at all (it will create a lot of mess - best case scenario!!!). You do need to have some L2 connectivity in the end (e.g. a tunnel) even if the devices are not physically connected, but not strictly a VLAN (although it can be considered some type of VLAN in the end). What is the purpose of HSRP? To advertise a MAC address for a non-existent IP address, so basically you need to end up with advertising a MAC address for an IP address, and a MAC address is not propagated further than the next router. So, you need to stick with L2; that's why I said that it is not a scenario for HSRP. I do not see the point of using HSRP in that situation; some other scenario should be used.
0
 
LVL 26

Expert Comment

by:Predrag Jovic
ID: 41758837
Example of using HSRP without VLAN where it is valid design:

HSRP
R1
interface FastEthernet0/0
 ip address 10.0.0.3 255.255.255.0 secondary
 ip address 192.168.0.3 255.255.255.0
 standby 1 ip 10.0.0.1
 standby 2 ip 192.168.0.1

R2
interface FastEthernet0/0
 ip address 10.0.0.2 255.255.255.0 secondary
 ip address 192.168.0.2 255.255.255.0
 standby 1 ip 10.0.0.1
 standby 2 ip 192.168.0.1

So it is not strictly VLAN, but it is a kind of VLAN (native VLAN - no tagging), L2 connectivity is needed for HSRP to work properly.
L2 tunnel can provide the same functionality (allow HSRP to work properly) on not physically connected devices, but what would be the point of that scenario?
0
 

Author Comment

by:PeraHoman
ID: 41759545
I think we're on the same page, but it still goes back to my question to VLAN 5-8.

HSRP will be configured on the VLAN interfaces of VLAN 1-8. I didn't detail VLAN 1-4 below, but I know HSRP will work for VLANs 1-4 because they have L2 connectivity through the DMZ via trunks. They're wanting HSRP for VLANs 5-8 as well, but there isn't an L2 connection for VLANs 5-8 because only VLANs 1-4 are allowed on the trunk to the DMZ switch.

Having a trunk between the service switches would make HSRP work for VLANs 5-8, and to make it short, I know this isn't done normally. I want to know if HSRP will or will not work correctly for VLANs 5-8 in this scenario since there is no L2 connection between them. It was mentioned that it may work through the routed link to the core, but I don't think this is true since it needs L2?

I appreciate the input.

 Drawing1.png
Service Switch 1

**Assume the rest of the L2/L3 VLANs and HSRP are created and configured correctly**

interface Vlan5
 ip address 10.148.58.2 255.255.254.0
 standby 982 ip 10.148.58.1
 standby 982 priority 110
 standby 982 preempt delay minimum 30

interface TenGigabitEthernet3/1
 description L2-Guest-Traffic to DMZ-Switch, Te3/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 1-4
 ! VLAN 5 not allowed
 switchport nonegotiate
 spanning-tree portfast trunk
 no shutdown


Service Switch 2

**Assume the rest of the L2/L3 VLANs and HSRP are created and configured correctly**

interface Vlan5
 ip address 10.148.58.3 255.255.254.0
 standby 982 ip 10.148.58.1
 standby 982 priority 90
 standby 982 preempt delay minimum 30

interface TenGigabitEthernet3/1
 description L2-Guest-Traffic to DMZ-Switch, Te3/2
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 1-4
 switchport nonegotiate
 spanning-tree portfast trunk
 no shutdown


DMZ Switch

interface TenGigabitEthernet3/1
 description L2-Guest-Traffic to Service Switch 1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 1-4
 ! VLAN 5 not allowed
 switchport nonegotiate
 spanning-tree portfast trunk
 no shutdown

interface TenGigabitEthernet3/2
 description L2-Guest-Traffic to Service Switch 2
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 1-4
 switchport nonegotiate
 spanning-tree portfast trunk
 no shutdown
0
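The question in the post above (which HSRP groups lack an L2 path because their VLAN is pruned from the DMZ trunks) can be answered mechanically from the configs. The following is an added example, not code from the thread: it parses small Cisco-style configs, computes the VLANs carried end to end over the trunk path Service Switch 1 -> DMZ -> Service Switch 2 as the intersection of each trunk's allowed list, and flags HSRP groups on VLAN SVIs that have no L2 path to their peer. The embedded configs are constructed for the example: VLAN 5 reuses the thread's group 982 and 10.148.58.0/23 addressing, while VLAN 4 uses made-up 192.0.2.0/24 addressing and group 4.

```python
"""Audit HSRP groups against trunk allowed-VLAN lists (constructed example)."""
import re

# Constructed configs modelled on the thread; VLAN 4 values are made up.
SS1_CFG = """
interface Vlan4
 ip address 192.0.2.2 255.255.255.0
 standby 4 ip 192.0.2.1
interface Vlan5
 ip address 10.148.58.2 255.255.254.0
 standby 982 ip 10.148.58.1
 standby 982 priority 110
interface TenGigabitEthernet3/1
 switchport mode trunk
 switchport trunk allowed vlan 1-4
"""
SS2_CFG = (SS1_CFG.replace("192.0.2.2", "192.0.2.3")
           .replace("10.148.58.2", "10.148.58.3")
           .replace("priority 110", "priority 90"))
DMZ_CFG = """
interface TenGigabitEthernet3/1
 switchport mode trunk
 switchport trunk allowed vlan 1-4
interface TenGigabitEthernet3/2
 switchport mode trunk
 switchport trunk allowed vlan 1-4
"""


def parse_vlan_list(spec: str) -> set:
    """Expand an IOS VLAN list such as '1-4,10,20-22' into a set of ints."""
    vlans = set()
    for part in spec.replace(" ", "").split(","):
        if not part:
            continue
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def parse_config(text: str):
    """Return (hsrp, trunks):
    hsrp   = {vlan_id: {group: virtual_ip}} gathered from 'interface VlanN' blocks
    trunks = {ifname: set of allowed VLANs} from 'switchport trunk allowed vlan' lines."""
    hsrp, trunks, cur = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if m := re.match(r"interface\s+(\S+)$", line, re.I):
            cur = m.group(1)
        elif cur is None:
            continue
        elif (m := re.match(r"standby\s+(\d+)\s+ip\s+(\S+)", line, re.I)) and cur.lower().startswith("vlan"):
            hsrp.setdefault(int(cur[4:]), {})[int(m.group(1))] = m.group(2)
        elif m := re.match(r"switchport\s+trunk\s+allowed\s+vlan\s+([\d,\- ]+)$", line, re.I):
            trunks[cur] = parse_vlan_list(m.group(1))
    return hsrp, trunks


def path_vlans(*trunk_sets) -> set:
    """VLANs carried end to end over a chain of trunks: the intersection of all lists."""
    return set.intersection(*map(set, trunk_sets)) if trunk_sets else set()


def audit(hsrp_a, hsrp_b, carried) -> list:
    """Flag HSRP groups whose peers cannot exchange hellos or disagree on the VIP."""
    findings = []
    for vlan in sorted(set(hsrp_a) | set(hsrp_b)):
        ga, gb = hsrp_a.get(vlan, {}), hsrp_b.get(vlan, {})
        for group in sorted(set(ga) | set(gb)):
            if group not in ga or group not in gb:
                findings.append((vlan, group, "group configured on one side only"))
            elif ga[group] != gb[group]:
                findings.append((vlan, group, "virtual IP mismatch"))
            elif vlan not in carried:
                findings.append((vlan, group, "no L2 path on trunk: split brain"))
    return findings


def run_audit() -> list:
    """Audit the constructed SS1 / DMZ / SS2 configs along the trunk path."""
    ss1_hsrp, ss1_tr = parse_config(SS1_CFG)
    ss2_hsrp, ss2_tr = parse_config(SS2_CFG)
    _, dmz_tr = parse_config(DMZ_CFG)
    carried = path_vlans(ss1_tr["TenGigabitEthernet3/1"], dmz_tr["TenGigabitEthernet3/1"],
                         dmz_tr["TenGigabitEthernet3/2"], ss2_tr["TenGigabitEthernet3/1"])
    return audit(ss1_hsrp, ss2_hsrp, carried)


if __name__ == "__main__":
    for vlan, group, why in run_audit():
        print(f"VLAN {vlan} standby group {group}: {why}")
```

VLAN 4 passes because it is on every trunk along the path; VLAN 5 group 982 is reported, which is exactly the case the thread settles on: both switches would hold the virtual IP with no way to hear each other.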
 
LVL 26

Accepted Solution

by:Predrag Jovic
Predrag Jovic earned 500 total points
ID: 41760528
VLAN 5 will not function properly without an L2 connection of some type. The IP addresses are in the same subnet, so the default gateway will never be used to forward traffic (not sure, but I think that HSRP packets are not routable). But since there is no L2 connectivity, L2 bridging over an L3 network can be used if the network equipment supports it. Cisco L2 over L3
0
