Solved

HSRP question

Posted on 2016-08-15
40 Views
Last Modified: 2016-08-23
Refer to diagram. Can you configure HSRP between service switch 1 and service switch 2 if they aren't connected? The connection from the service switch to the cores is L3. Service switch to DMZ is L2. Service switch to WLC is an L2 port-channel.


Diagram
Question by:PeraHoman
13 Comments
 
LVL 14

Expert Comment

by:SIM50
ID: 41756963
Yes, you can. It would have to be configured under L3 interfaces.
0
 
LVL 28

Expert Comment

by:Predrag Jovic
ID: 41757943
Can you give more details?
The way the question is written I am not sure that I understand what you want to achieve - and what the purpose of HSRP is here.
0
 

Author Comment

by:PeraHoman
ID: 41757975
I'm wondering if it is possible to configure HSRP (8 standby groups - VLANS) between the service switches with this setup?  Doesn't there need to be a L2 connection between the service switches?  Will traversing through the DMZ as L2 trunk allow HSRP to work (See below)?

If the L2 connection through the DMZ works, the issue I have with that is only 4 of the 8 VLANS are trunked from the service switch through the DMZ, so I'd have to add the rest of the VLANs onto the trunk for HSRP for the rest of them.

Service Switch 1
VLAN 1-8
HSRP 1-8, priority 120

-Connection to core is L3 routed link
-Connection to DMZ is L2 trunk (only VLAN 1-4 allowed now)

Service Switch 2
VLAN 1-8
HSRP 1-8 priority 110

-Connection to core is L3 routed link
-Connection to DMZ is L2 trunk (only VLAN 1-4 allowed now)
 
DMZ Switch

Connection to both service switches is L2 trunk (only VLAN 1-4 allowed now)
0

 
LVL 28

Assisted Solution

by:Predrag Jovic
Predrag Jovic earned 500 total points
ID: 41758063
If you have VLANs between those switches through DMZ switch (picture below), sure you can do that.
A few details that are required for HSRP:
- Switches (routers) must be able to communicate with each other
- IP address range must match
- The same version of HSRP for a specific "ip range" (in your case VLAN) must be used on both devices (can't mix v1 with v2 in the same VLAN)

So if those 3 requirements are met, you should be able to use HSRP.
If I understood you well, this is what you plan to achieve. The red line is, let's say, a VLAN through the DMZ switch connecting the switches to each other.
 
Is this your plan?
This is a plausible scenario.
0
 

Author Comment

by:PeraHoman
ID: 41758074
Your diagram is correct, but only 1-4 will be trunked through the DMZ. Will HSRP work for VLAN 5-8 since there is no L2 connectivity? The reason is that we are restricting 5-8 in the DMZ.
0
 
LVL 28

Assisted Solution

by:Predrag Jovic
Predrag Jovic earned 500 total points
ID: 41758107
It can work if you have L3 connectivity between those specific addresses. If the devices cannot reach each other you will have a split-brain situation and both switches will claim that they own the virtual IP address, and you do not want that. If you want native load balancing, consider GLBP.
You can create specific rules on the DMZ (an access list that will permit only some specific IP addresses to communicate) or something similar.
0
 

Author Comment

by:PeraHoman
ID: 41758356
So, HSRP doesn't require a L2 connection between them?
0
 
LVL 28

Expert Comment

by:Predrag Jovic
ID: 41758400
No, not strictly, but do not forget that the IP addresses must be in the same subnet, so typically you will need an L2 device between the devices, but not VLANs (so if you can get around that limitation, problem solved). If you use subinterfaces you will again have to use dot1q, so VLANs (not to mention the discontiguous network problem in that case). But you can configure HSRP on L3 interfaces, which, on the other hand, can also be considered the native VLAN.
Also, if you do not have L2 connectivity, how will you forward packets? Typically, a floating static route with IP SLA or dynamic routing is used for that purpose.

PS
I forgot above, the HSRP group must match. :)
0
 

Author Comment

by:PeraHoman
ID: 41758614
Ok, to end this, the devices that participate in HSRP do not have to be physically connected, just reachable via L2 or L3.  

Example:

-  The core 1 and core 2 are connected (2 connections between them) and HSRP will work. (typical setups I've seen)

-  Service switch 1 and service switch 2 are not connected, but HSRP will work because they are connected via L3 (Service switch 1 -- Core 1 -- Core 2 -- Service switch 2). VLANs 1-8 will work here.
As well as L2 (Service switch 1 -- DMZ switch -- Service switch 2), and HSRP will work for VLANs 1-4 ONLY because the DMZ switch only has VLANs 1-4 and not VLAN 4-8 on the switch/trunk.


I haven't done a setup where the HSRP was configured between two devices that weren't connected so I wasn't sure if HSRP was going to actually work.
0
 
LVL 28

Assisted Solution

by:Predrag Jovic
Predrag Jovic earned 500 total points
ID: 41758803
I haven't done a setup where the HSRP was configured between two devices that weren't connected so I wasn't sure if HSRP was going to actually work.
Looks like I am not explaining it well enough.
The thing is, no one does this and I do not think it is good practice at all (it will create a lot of mess - best case scenario!!!). You do need to have some L2 connectivity in the end (e.g. a tunnel) even if the devices are not physically connected, but not strictly a VLAN (although it can be considered some type of VLAN in the end). What is the purpose of HSRP? To advertise a MAC address for a non-existent IP address, so basically you need to end up advertising a MAC address for an IP address, and a MAC address is not propagated further than the next router. So, you need to stick with L2; that's why I said that it is not a scenario for HSRP. I do not see the point of using HSRP in that situation; some other scenario should be used.
0
 
LVL 28

Expert Comment

by:Predrag Jovic
ID: 41758837
Example of using HSRP without VLAN where it is valid design:

HSRP
R1
interface FastEthernet0/0
 ip address 10.0.0.3 255.255.255.0 secondary
 ip address 192.168.0.3 255.255.255.0
 standby 1 ip 10.0.0.1
 standby 2 ip 192.168.0.1



R2
interface FastEthernet0/0
 ip address 10.0.0.2 255.255.255.0 secondary
 ip address 192.168.0.2 255.255.255.0
 standby 1 ip 10.0.0.1
 standby 2 ip 192.168.0.1


So it is not strictly VLAN, but it is a kind of VLAN (native VLAN - no tagging), L2 connectivity is needed for HSRP to work properly.
L2 tunnel can provide the same functionality (allow HSRP to work properly) on not physically connected devices, but what would be the point of that scenario?
0
 

Author Comment

by:PeraHoman
ID: 41759545
I think we're on the same page, but it still goes back to my question to VLAN 5-8.

HSRP will be configured on the VLAN interfaces of VLAN 1-8. I didn't detail VLAN 1-4 below, but I know HSRP will work for VLANs 1-4 because they have L2 connectivity through the DMZ via trunks. They're wanting HSRP for VLANs 5-8 as well, but there isn't an L2 connection for VLANs 5-8 because only VLANs 1-4 are allowed on the trunk to the DMZ switch.

Having a trunk between the service switches would make HSRP work for VLANs 5-8, and to make it short I know this isn't done normally.  I want to know if HSRP will or will not work correctly for VLANs 5-8 in this scenario since there is no L2 connection between them.  It was mentioned that it may work through the routed link to the core, but I don't think this is true since it needs L2?  

I appreciate the input.

 Drawing1.png
Service Switch 1

**Assume the rest of the L2/L3 VLANs and HSRP are created and configured correctly**

interface Vlan5
 ip address 10.148.58.2 255.255.254.0
 standby 982 ip 10.148.58.1
 standby 982 priority 110
 standby 982 preempt delay minimum 30

interface TenGigabitEthernet3/1
 description L2-Guest-Traffic to DMZ-Switch, Te3/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 1-4
 ! VLAN 5 not allowed
 switchport nonegotiate
 spanning-tree portfast trunk
 no shutdown


Service Switch 2

**Assume the rest of the L2/L3 VLANs and HSRP are created and configured correctly**

interface Vlan5
 ip address 10.148.58.3 255.255.254.0
 standby 982 ip 10.148.58.1
 standby 982 priority 90
 standby 982 preempt delay minimum 30

interface TenGigabitEthernet3/1
 description L2-Guest-Traffic to DMZ-Switch, Te3/2
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 1-4
 switchport nonegotiate
 spanning-tree portfast trunk
 no shutdown


DMZ Switch

interface TenGigabitEthernet3/1
 description L2-Guest-Traffic to Service Switch 1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 1-4
 ! VLAN 5 not allowed
 switchport nonegotiate
 spanning-tree portfast trunk
 no shutdown

interface TenGigabitEthernet3/2
 description L2-Guest-Traffic to Service Switch 2
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 1-4
 switchport nonegotiate
 spanning-tree portfast trunk
 no shutdown
0
 
LVL 28

Accepted Solution

by:
Predrag Jovic earned 500 total points
ID: 41760528
Vlan 5 will not function properly without an L2 connection of some type. The IP addresses are in the same subnet, so the default gateway will never be used to forward traffic (not sure, but I think that HSRP packets are not routable). But since there is no L2 connectivity, L2 bridging over an L3 network can be used if the network equipment supports it. Cisco L2 over L3
0
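As an added example (not code from this thread or from any of its posters), the following Python audit applies the HSRP requirements listed earlier in the thread (peers in the same subnet, the same standby group and virtual IP on both sides) and the point of the accepted solution (an SVI whose VLAN has no L2 path between the peers never sees the neighbour's hellos, so both switches go Active) to the two service-switch configs posted above. The VLAN 3 SVI and its 10.148.60.0/24 addresses are constructed to stand in for one of the VLANs that is carried on the trunk; the VLAN 5 addresses, group 982, priorities and the `allowed vlan 1-4` trunk come from the thread.

```python
"""Consistency audit for an HSRP pair, built from two Cisco IOS snippets.

Added example, not code from the thread. Each check maps to a point raised
there: peers must share a subnet, group and virtual IP must match, and the
VLAN must be allowed on both trunks or the peers never exchange hellos.
"""
import ipaddress
import re


def expand_vlan_list(spec):
    """Expand an IOS VLAN list such as '1-4,10' into a set of VLAN ids."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def parse_ios(config):
    """Collect SVI addresses, standby groups and trunk-allowed VLANs."""
    svi, trunk_vlans, current = {}, set(), None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if line.lower().startswith("interface "):
            m = re.fullmatch(r"interface vlan(\d+)", line, re.I)
            current = {"ip": None, "standby": {}} if m else None
            if m:
                svi[int(m.group(1))] = current
            continue
        if m := re.fullmatch(r"switchport trunk allowed vlan ([\d,-]+)", line):
            trunk_vlans |= expand_vlan_list(m.group(1))
        if current is None:
            continue
        if m := re.fullmatch(r"ip address (\S+) (\S+)", line):
            current["ip"] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
        elif m := re.fullmatch(r"standby (\d+) ip (\S+)", line):
            group = current["standby"].setdefault(int(m.group(1)), {})
            group["vip"] = ipaddress.ip_address(m.group(2))
        elif m := re.fullmatch(r"standby (\d+) priority (\d+)", line):
            group = current["standby"].setdefault(int(m.group(1)), {})
            group["priority"] = int(m.group(2))
    return {"svi": svi, "trunk_vlans": trunk_vlans}


def audit_hsrp(cfg_a, cfg_b):
    """Return (vlan, group, problem) tuples; an empty list means consistent."""
    a, b = parse_ios(cfg_a), parse_ios(cfg_b)
    # A VLAN has an L2 path between the peers only if both trunks carry it.
    shared_vlans = a["trunk_vlans"] & b["trunk_vlans"]
    findings = []
    for vlan in sorted(set(a["svi"]) | set(b["svi"])):
        sa, sb = a["svi"].get(vlan), b["svi"].get(vlan)
        if sa is None or sb is None:
            findings.append((vlan, None, "SVI exists on one peer only"))
            continue
        for group in sorted(set(sa["standby"]) | set(sb["standby"])):
            ga, gb = sa["standby"].get(group), sb["standby"].get(group)
            if ga is None or gb is None:
                findings.append((vlan, group, "standby group on one peer only"))
                continue
            if sa["ip"].network != sb["ip"].network:
                findings.append((vlan, group, "peer addresses in different subnets"))
            if ga.get("vip") != gb.get("vip"):
                findings.append((vlan, group, "virtual IP differs between peers"))
            elif ga.get("vip") not in sa["ip"].network:
                findings.append((vlan, group, "virtual IP outside the SVI subnet"))
            if vlan not in shared_vlans:
                findings.append((vlan, group, "VLAN not allowed on the trunk between "
                                 "peers: hellos never arrive, both go Active (split brain)"))
    return findings


# Service switch configs from the thread, trunk command spelled out in full;
# the VLAN 3 SVI (10.148.60.0/24) is constructed as a healthy, trunked peer.
SWITCH1 = """
interface Vlan3
 ip address 10.148.60.2 255.255.255.0
 standby 3 ip 10.148.60.1
 standby 3 priority 110
interface Vlan5
 ip address 10.148.58.2 255.255.254.0
 standby 982 ip 10.148.58.1
 standby 982 priority 110
 standby 982 preempt delay minimum 30
interface TenGigabitEthernet3/1
 switchport mode trunk
 switchport trunk allowed vlan 1-4
"""
SWITCH2 = SWITCH1.replace("10.148.60.2", "10.148.60.3").replace(
    "10.148.58.2", "10.148.58.3").replace("priority 110", "priority 90")

if __name__ == "__main__":
    for vlan, group, problem in audit_hsrp(SWITCH1, SWITCH2):
        print(f"Vlan{vlan} group {group}: {problem}")
```

Run as-is it reports only the VLAN 5 / group 982 split-brain condition; widening both trunks to `allowed vlan 1-8` clears it, which is the change the thread says would be needed for VLANs 5-8 (and, as the accepted solution notes, is the part the DMZ policy forbids).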
