HSRP Behavior

JBrletic
Level 1

Hello,

I have a question about HSRP and firewalls. I am currently working on implementing an Active/Standby Cisco ASA configuration directly attached to redundant Cisco ASA 3560 switches with L3 capabilities. I have configured the Active/Standby pair and I am 100% sure they are correctly configured after several successful tests. The issue I have is with HSRP. I have HSRP configured on the 3560 switches, but it does not work with the direct connection to the firewalls. If I put another L2 switch between the 3560 switches and the ASAs, everything works as expected. I also have a trunk port between the 3560s, and it is configured to allow all VLANs across. Given that description of the problem, here are my questions.

1. If I create firewall access rules to allow UDP on port 1985 will that allow the HSRP hello messages to cross the firewall?

2. Is there anything I can do to send the HSRP hello packets across the trunk port between the 3560s instead of out the interface where HSRP is configured?

Here are the terminal configs.

3560-A

interface GigabitEthernet1/0/24
 description Port-channel1 between Core and Backup Core 3560
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 load-interval 30
 speed 100
 duplex full
 udld port
 channel-group 1 mode on

interface GigabitEthernet1/0/7
 description to unit 1
 no switchport
 ip address 192.168.50.4 255.255.255.248
 speed 100
 duplex full
 standby 101 ip 192.168.50.1
 standby 101 timers msec 500 2
 standby 101 preempt
 standby 101 authentication XXXX

3560-B

interface GigabitEthernet1/0/24
 description Port-channel1 between Core and Backup Core 3560
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 load-interval 30
 speed 100
 duplex full
 udld port
 channel-group 1 mode on

interface GigabitEthernet1/0/7
 description To Unit 1
 no switchport
 ip address 192.168.50.3 255.255.255.248
 standby 101 ip 192.168.50.1
 standby 101 timers msec 500 2
 standby 101 priority 105
 standby 101 preempt delay minimum 60
 standby 101 authentication XXXX

If anyone can provide any suggestions, it would be really appreciated!

Thanks!

2 Replies

johnd2310
Level 8

Hi,

You can change the ports connecting to the firewall to access ports in VLAN X, configure interface VLAN X on each switch to run HSRP, and trunk VLAN X between the 3560s.

Thanks

John

**Please rate posts you find helpful**

dbeattie
Level 1

In order for HSRP to work between the two switches, you need to trunk the relevant VLAN between the two switches. This means that your links to the firewalls should be layer 2 and in the same VLAN. The IP config and HSRP config need to be on an SVI interface:

On Core:

interface GigabitEthernet1/0/7
 switchport
 switchport mode access
 switchport access vlan 101

interface Vlan101
 ip address 192.168.50.4 255.255.255.248
 standby 101 ip 192.168.50.1
 standby 101 timers msec 500 2
 standby 101 preempt
 standby 101 authentication XXXX

and similarly on the other switch.

Hope this helps,

Dave
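As an added example (not code from this thread), a small Python audit that parses the two 3560 configurations posted in the question and reports what would stop group 101 from pairing: the group sitting on a routed port (the cause discussed here), a virtual IP, timer or authentication mismatch between peers, and plaintext authentication. The SVI_A and SVI_B strings are constructed to show the SVI layout the replies recommend; the config text is an assumption-free copy of the relevant lines above.

```python
import re

# Constructed sample: the routed-port HSRP interface posted for 3560-A, and 3560-B's twin
CONFIG_A = """interface GigabitEthernet1/0/7
 no switchport
 ip address 192.168.50.4 255.255.255.248
 standby 101 ip 192.168.50.1
 standby 101 timers msec 500 2
 standby 101 preempt
 standby 101 authentication XXXX
"""
CONFIG_B = CONFIG_A.replace("192.168.50.4", "192.168.50.3")
# The same group moved onto an SVI, as the replies recommend (constructed, not from the thread)
SVI_A = CONFIG_A.replace("interface GigabitEthernet1/0/7\n no switchport", "interface Vlan101")
SVI_B = CONFIG_B.replace("interface GigabitEthernet1/0/7\n no switchport", "interface Vlan101")

def hsrp_groups(config):
    """Map each HSRP group id to its standby settings and whether it sits on a routed port."""
    groups, cur_if, routed = {}, None, False
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"^interface (\S+)$", line):
            cur_if, routed = m.group(1), False
        elif line == "no switchport":
            routed = True  # physical L3 port: hellos leave only toward the attached device
        elif (m := re.match(r"^standby (\d+) (\S+)\s*(.*)$", line)) and cur_if:
            g = groups.setdefault(m.group(1), {"interface": cur_if})
            g["routed"] = routed
            g[m.group(2)] = m.group(3)  # e.g. ip -> "192.168.50.1", timers -> "msec 500 2"
    return groups

def audit(cfg_a, cfg_b):
    """List what would stop the HSRP groups of two peer switches from pairing, or is unsafe."""
    findings, ga, gb = [], hsrp_groups(cfg_a), hsrp_groups(cfg_b)
    for gid in sorted(set(ga) | set(gb)):
        if gid not in ga or gid not in gb:
            findings.append(f"group {gid}: defined on only one switch")
            continue
        a, b = ga[gid], gb[gid]
        if a["routed"] or b["routed"]:
            findings.append(f"group {gid}: on a routed port; peers only hear each other's hellos "
                            "on a shared L2 segment, so move it to an SVI on a trunked VLAN")
        for key in ("ip", "timers", "authentication"):
            if a.get(key) != b.get(key):
                findings.append(f"group {gid}: '{key}' differs ({a.get(key)} vs {b.get(key)})")
        if a.get("authentication") and not a["authentication"].startswith("md5"):
            findings.append(f"group {gid}: plaintext authentication; prefer 'standby {gid} "
                            "authentication md5 key-string <key>'")
    return findings
```

Running audit(CONFIG_A, CONFIG_B) reports the routed-port problem and the plaintext key; audit(SVI_A, SVI_B) leaves only the plaintext-key finding.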
