08-05-2004 09:15 AM - edited 03-02-2019 05:33 PM
Hello,
I have two Catalyst 3550s. I have a FEC between these two switches and several VLANs, and several ACLs for access between these VLANs. I would like to set up HSRP between these two switches so that if one of them goes offline, the other can perform exactly the same function. The problem I have is that when I set up HSRP, one ACL is created, and this ACL prevents DHCP traffic for a specified VLAN from being forwarded.
Does anybody know a good white paper or have some tips so I can configure this right?
Best Regards.
08-05-2004 10:06 AM
What do you mean that when you set up HSRP an ACL is created? HSRP does not and should not create any ACL dynamically. Kindly explain the problem in as much detail as possible.
08-05-2004 10:37 AM
I set up HSRP from the CMI, and when I set up HSRP an ACL is automatically generated. Also, I would like to know if there is a need to recreate all the ACLs that I have in the second 3550?
Best Regards.
08-05-2004 10:49 AM
I think it would be better if you post the configurations of both switches.
08-05-2004 02:25 PM
I have double-checked the configuration, and the ACL doesn't exist anymore, but I have some questions for you. Do I have to copy all the ACLs that I have in the first 3550 to the new one? I have set the VTP mode of the new 3550 to client; if the first 3550 goes down, how does this work?
Best Regards.
08-05-2004 09:32 PM
Hi,
In the case of HSRP on the 3550, configs don't sync automatically, so you will have to manually copy the ACLs of the 1st switch to the 2nd one for proper functioning. If the ACTIVE goes down at any point in time, then the standby should have the same configs and restrictions for the network.
I fail to understand why you have made the 3550 a client if this is your core switch. You should make both the switches (active and standby) VTP servers, because having 2 VTP servers will give you redundancy in the network; if 1 VTP server goes down, the other will keep propagating the advertisements.
kindly update for further clarification....
08-05-2004 09:40 PM
Yes, in order to have your security policy remain in effect after an HSRP role change, you have to have the same ACLs applied on the two switches. The VTP mode of client on the other 3550 will continue to work even if the primary 3550 goes down. I personally am not a big fan of VTP, and in your small setup I will recommend setting the VTP mode to transparent; however, this is just my opinion. I believe VTP version 3 will take care of most of the downsides of the existing versions, like accidentally deleting VLANs by introducing a new switch that somehow becomes the master.
08-06-2004 05:21 AM
Thanks for the reply. The ACLs are not replicated between the switches as I expected; is this normal?
Do you recommend that I make a copy of the running-config of my first 3550 (core) to the new one (taking into account the differences in configuration, of course)?
Best Regards.
08-06-2004 08:28 AM
Yes, it is very normal that the ACLs do not replicate between the switches; this is not a single switch with two supervisors running in a redundant configuration where you should expect replication to happen between them.
As far as copying the config to your backup switch is concerned, what I will suggest is to make a copy of it on your desktop or laptop, edit it to include all necessary changes, and then paste it or download it into the backup switch. If you want, you can post both configurations here when you are done for a sanity check.
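The sanity check suggested above can be automated. The following is an added example, not code from the thread: it parses two constructed Catalyst-style running-config fragments (named ACLs and `ip access-group` bindings on SVIs, which are assumptions about the config format) and reports any difference that would change the enforced policy after an HSRP failover.

```python
import re
# Constructed sample running-config fragments (not from the thread); switch B is missing
# the DHCP permit entry and the access-group binding, which the check should flag.
SWITCH_A = """\
ip access-list extended VLAN10-IN
 permit udp any eq bootpc any eq bootps
 deny ip any any
!
interface Vlan10
 ip access-group VLAN10-IN in
 standby 10 ip 10.10.0.1
!
"""
SWITCH_B = """\
ip access-list extended VLAN10-IN
 deny ip any any
!
interface Vlan10
"""

def parse_config(text):
    """Return (acls, bindings): named ACL -> entry list, interface -> ['ACL dir', ...]."""
    acls, bindings, current, kind = {}, {}, None, None
    for line in text.splitlines():
        if line.startswith("ip access-list "):       # named ACL header (numbered ACLs not handled)
            current, kind = line.split()[-1], "acl"
            acls[current] = []
        elif line.startswith("interface "):
            current, kind = line.split(maxsplit=1)[1], "intf"
            bindings[current] = []
        elif line.startswith(" ") and kind == "acl":
            acls[current].append(line.strip())
        elif line.startswith(" ") and kind == "intf":
            m = re.match(r"\s*ip access-group (\S+) (in|out)", line)
            if m:
                bindings[current].append(f"{m.group(1)} {m.group(2)}")
        else:
            current, kind = None, None               # '!' or a blank line ends the block
    return acls, bindings

def acl_parity_issues(cfg_a, cfg_b):
    """Mismatches that would change the enforced policy after an HSRP failover."""
    (acls_a, bind_a), (acls_b, bind_b) = parse_config(cfg_a), parse_config(cfg_b)
    issues = []
    for name in sorted(set(acls_a) | set(acls_b)):
        if acls_a.get(name) != acls_b.get(name):     # missing on one side or entries differ
            issues.append(f"ACL {name}: missing or entries differ")
    for intf in sorted(set(bind_a) | set(bind_b)):
        if bind_a.get(intf, []) != bind_b.get(intf, []):
            issues.append(f"{intf}: access-group binding differs")
    return issues
```

Run it against `show running-config` output saved from each switch; an empty list means the ACL policy is identical on both HSRP peers.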
08-06-2004 12:33 PM
I will rebuild the configuration of both switches during the weekend; on Monday I will copy the running-config of the switches, omitting the ACLs because they are six pages long.
Best regards,