Ramu Ch

Network proposal with HSRP/STP/VTP concepts

My recommended topology scenario is as follows:

                     Internet Router
                            |
                     Fortigate Firewall
                            |
                         Access-sw
                        /         \
               Core-sw-1 --------- Core-sw-2
                  /                     \
               Dist-sw-1 ----------- Dist-sw-2
               /       \             /       \
         Access-1    Access-2   Access-1    Access-2
            |           |          |           |
          VLAN10      VLAN20     VLAN30      VLAN40

I hope the above topology is understandable; here is a short note on the above scenario:

1) In this project we are using one Cisco 1900 series router as the internet router

2) The Fortigate firewall is the Internet firewall

3) Two core switches of the 4506 series, two 3750-X as distribution, and 2960S switches as access

4) There is cross connectivity between distribution-1 and core-sw-2, and between distribution-2 and core-sw-1 (not shown in the above diagram). There is connectivity between the distribution switches (shown in the diagram)

5) Each access switch is in one VLAN and connected to distribution; end devices are connected to the access switches

Requirements:

1) HSRP configuration including load balancing for each VLAN, meaning for some VLANs core-sw-1 is active and core-sw-2 is standby, and vice versa

2) If we go for HSRP load balancing, how to configure VTP? Can we configure the two core switches in server mode? Then how does it work if core-switch-1 fails; how is the VLAN database reflected in the other core-switch-2?

3) How to configure STP? Can we configure Core-Sw-1 as the root bridge for some VLANs and Core-Sw-2 as the root bridge for the remaining VLANs? How will core-sw-2 become the root bridge for the VLANs that are through Core-sw-1, if core-sw-1 goes down?

4) How will the redundancy happen? If core-sw-1 goes down, how will the respective VLANs' traffic turn through Core-sw-2?

5) How will the VTP database be reflected in Core-sw-2 if Core-Sw-1 goes down?

6) We will do inter-VLAN routing in the distribution switches; is it OK? Can we make the distribution and access switches client mode in the VTP configuration? I think it won't give any issues, so that VLANs configured in the core switches will be reflected in each distribution/access switch.

Please provide a solution for the above and suggest your comments.



Jon Marshall
VIP Community Legend


If you're doing inter-vlan routing on the dist switches (which you should) then why does the core need to know about those vlans?

The core is primarily there to interconnect multiple distribution blocks at high speed. But you only have one distribution block shown. Are there others you are not showing? Or are you expecting to be adding more distribution switches in the future?

Perhaps you could clarify?

*** Edit - I am not saying the design is wrong, I am just trying to understand the setup more, i.e. where are your servers, do you have other connectivity not shown, etc.


Hi Jon,

Thanks for the reply..

Core switches should know about VLANs because we are planning to make the HSRP protocol configuration in the two core switches with load balancing,

i.e. for some VLANs core-1 is primary and for the remaining VLANs core-2 is primary.

The requirement is: if core-1 fails then the VLANs switch over to core-2 automatically; will it happen?

If you observe the proposed design (above diagram), what about STP root bridge configuration? Can I configure for some VLANs core-1 as root and for the remaining VLANs core-2 as root?

Servers are connected at the access switch which is in between the Fortigate firewall and the core switches (see the above diagram).

Please suggest and give inputs as I need to submit the configuration proposal next week.

Let me know if you need more details.



Jon Marshall
VIP Community Legend


The reason I am asking about the vlans is because it's not clear where you are doing the inter-vlan routing. For example you say you are going to use the 3750s for inter-vlan routing, presumably for vlans 10,20,30,40. If so you would set up STP root/secondary for these vlans on the 3750s and not the core switches, because the core switches don't need to know about these vlans. They simply get routes for the vlan subnets from the 3750 switches.

But you also refer to other vlans, i.e. server vlans and the firewall vlans, and these do not seem to connect to distribution switches. So you may need to set up STP root/secondary + inter-vlan routing for these on the core switches. But it's not clear. How many servers do you have, are they dual homed, what switches do they connect to? Are these vlans different from vlans 10,20,30,40?

So for some vlans you have a 3 tier model, i.e. access/distribution/core, and for some vlans you have a collapsed core model, i.e. access/dist+core, i.e. the distribution switches and core switches are the same physical switches.

So perhaps you could give some more details concerning the setup, especially concerning the servers, i.e. how many, how are they connected, what is the speed of the uplinks from the server switches, and do these switches connect straight to the core?

4500 switches are not cheap switches and at the moment they only seem to connect the 3750s to the firewall switch. However I emphasize I am not criticizing the design, as I suspect there is more to it, i.e. server connectivity, which hasn't really been covered so far.

If you are proposing to route vlans 10,20,30,40 on the core switches then why have the 3750s?

So I'm just trying to get the full picture because it's not entirely clear where you are proposing to handle all the vlan routing and STP setup.


Hi Jon,

Thanks for the reply..

We have only one server, which is at the firewall access switch with a Gigabit UTP cable.

If you see the diagram once again, can we configure VLANs / inter-VLAN routing and STP root/secondary parameters on the core switch? Can we configure HSRP on the core switches?

Our main purpose is HSRP with load balancing of the VLANs; just suggest accordingly.

No problems; distribution has no role, it just connects core to access through fiber links.

Only one proxy server; in future also not much.

Will you provide a sample reference configuration of a three-tier network model configuration?



Access switch
<< VLAN config on access switch >>
interface GigabitEthernet1/0/44
 description Ports of XXXXX
 switchport access vlan 7
 switchport mode access
 spanning-tree portfast

Distribution switch
<< Uplink from access switch >>
interface GigabitEthernet0/23
 description from Access Switch - port 1/0/47
 switchport trunk encapsulation dot1q
 switchport mode trunk
 spanning-tree guard root

<< HSRP config >>
interface GigabitEthernet0/47
 description EtherChannel/HSRP/Trunk to C3560G-USR1-1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 1 mode passive
interface GigabitEthernet0/48
 description EtherChannel/HSRP/Trunk to C3560G-USR1-1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 1 mode passive

interface Port-channel1
 switchport trunk encapsulation dot1q
 switchport mode trunk

<< An SVI for each VLAN needs to be created; use ip helper-address for DHCP relay >>
<< Below is the virtual IP for VLAN 7 >>
interface Vlan7
 ip address
 standby 7 ip

<< Make any distribution switch the primary switch for specific VLANs with the following command >>
spanning-tree vlan 7 root primary

Firstly, HSRP doesn't do load balancing, ONLY failover. On distribution switches create SVIs to match the VLAN numbers and add them to the routing process.
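As an added reference configuration (written for this page; it is not from any of the posters above), here is the per-VLAN HSRP/STP/VTP split that the original requirements 1-5 ask about, expanded from the HSRP/STP snippet just above. It applies to whichever pair of Layer-3 switches hosts the SVIs (the cores in the original design, or the 3750 distribution pair as Jon suggests). VLAN IDs 10, 20, 30 and 40 come from the thread; the hostnames, 10.x addresses, VTP domain name and the VTP/HSRP keys are constructed placeholders.

```cisco
! Added example, not from any poster: two Layer-3 switches (L3-SW-1, L3-SW-2) hosting
! SVIs for VLANs 10,20,30,40.  Hostnames, 10.x addresses, the VTP domain name and the
! VTP/HSRP keys are constructed placeholders.  VLANs 10/20: SW-1 is HSRP active and
! STP root; VLANs 30/40: SW-2 is.  Keeping the HSRP active router and the STP root on
! the same switch per VLAN avoids hauling gateway traffic across the inter-switch link.
!
!===== L3-SW-1 =====
hostname L3-SW-1
vtp domain CAMPUS
vtp version 2
vtp password VTP-SECRET          ! placeholder; a switch without it cannot join the domain
vtp mode server                  ! both L3 switches are servers; the highest revision wins
vlan 10,20,30,40
!
spanning-tree mode rapid-pvst
spanning-tree vlan 10,20 root primary    ! priority 24576: root for these VLANs
spanning-tree vlan 30,40 root secondary  ! priority 28672: becomes root only if SW-2 is lost
!
interface range GigabitEthernet1/1 - 2
 description LACP bundle to L3-SW-2
 switchport trunk encapsulation dot1q    ! needed on 3750/3560; omit on platforms that are dot1q-only
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30,40
 channel-group 1 mode active             ! active on at least one end; passive/passive never bundles
!
interface Vlan10
 ip address 10.10.10.2 255.255.255.0
 ip helper-address 10.10.99.10           ! DHCP relay target (constructed)
 standby version 2
 standby 10 ip 10.10.10.1                ! virtual gateway used by hosts in VLAN 10
 standby 10 priority 110                 ! SW-2 keeps default 100, so SW-1 is active here
 standby 10 preempt delay minimum 60     ! reclaim active 60 s after recovery, once routing has converged
 standby 10 authentication md5 key-string HSRP-KEY   ! placeholder key; unauthenticated HSRP peers are ignored
!
interface Vlan30
 ip address 10.10.30.2 255.255.255.0
 standby version 2
 standby 30 ip 10.10.30.1                ! priority left at 100: SW-1 is standby for VLAN 30
 standby 30 preempt
 standby 30 authentication md5 key-string HSRP-KEY
! Vlan20 follows Vlan10's pattern (group 20, priority 110); Vlan40 follows Vlan30's (group 40).
!
!===== L3-SW-2 (mirror image) =====
hostname L3-SW-2
vtp domain CAMPUS
vtp version 2
vtp password VTP-SECRET
vtp mode server
spanning-tree mode rapid-pvst
spanning-tree vlan 30,40 root primary
spanning-tree vlan 10,20 root secondary
!
interface range GigabitEthernet1/1 - 2
 description LACP bundle to L3-SW-1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30,40
 channel-group 1 mode active
!
interface Vlan10
 ip address 10.10.10.3 255.255.255.0
 standby version 2
 standby 10 ip 10.10.10.1
 standby 10 preempt                      ! priority 100: standby for VLAN 10, active if SW-1 dies
 standby 10 authentication md5 key-string HSRP-KEY
!
interface Vlan30
 ip address 10.10.30.3 255.255.255.0
 standby version 2
 standby 30 ip 10.10.30.1
 standby 30 priority 110                 ! active for VLAN 30
 standby 30 preempt delay minimum 60
 standby 30 authentication md5 key-string HSRP-KEY
! Vlan20 and Vlan40 mirror Vlan10 and Vlan30 respectively.
!
!===== Distribution / access switches: VTP clients, no SVIs =====
vtp domain CAMPUS
vtp password VTP-SECRET
vtp mode client                          ! learns VLANs from the servers; cannot edit them locally
!
interface GigabitEthernet1/0/1
 description user port in VLAN 10
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
 spanning-tree bpduguard enable          ! err-disables the port if a BPDU arrives, so an unexpected switch cannot pull the root
```

Within one HSRP group this is pure failover, exactly as the last reply says; the sharing comes from alternating which switch carries the higher priority across groups, so VLANs 10/20 exit via SW-1 and VLANs 30/40 via SW-2 while both are up, and every VLAN follows the survivor when one fails (`show standby brief` and `show spanning-tree root` on each switch confirm the active router and root match per VLAN). Losing SW-1 does not touch the VLAN database on SW-2: with two servers in the domain each already holds the full list locally, and `show vtp status` on the survivor should show an unchanged configuration revision. The risk to watch with VTP is the reverse direction: any server that joins the domain with the right password and a higher configuration revision number overwrites every switch's VLAN list, so put a reused switch into `vtp mode transparent` (or change its domain name) to reset its revision before it is trunked in.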