09-08-2020 08:28 PM - edited 09-08-2020 08:30 PM
RoutingHi Guys,
Here is the requirement I have with one of the client,
Existing Topology
I have couple of 2960s with LAN base image switches (currently stacked ) connected to a single router cisco 1900 series router.
New Topology:
We are going to replace 2960s to 2960x lan base image along with cisco 4331 router with two different ISP links and we have stacked up the switches.
My question is will HSRP works as expected in stacked switches and connect one uplink from switch to router1 and second uplinks from switch to router2? or should I need to remove stack and run it in a standalone device and trunk between switches?
I read the blog somewhere that if we are in stack mode there would be some issue in the data/control plane since its shared. Please provide your suggestion at the earliest as we are in final stage of migrating the infra.
Thanks,
Jagan
09-08-2020 11:58 PM
Hello @jagan1985 ,
you don't need to run HSRP in a switch stack as they act as a single entity in the control plane
However,if I well understand you would like to run HSRP on the two routers that have connections to the two ISPs.
>> nd connect one uplink from switch to router1 and second uplinks from switch to router2?
Yes you can in order to have HSRP working between R1 and R2 both switchports must be access ports in the same VLAN for example VLAN 500 and R1,R2 and stack must be in the same IP subnet,
Hope to help
Giuseppe
09-09-2020 01:07 AM
Hi Giuseppe,
Yes, I need to run HSRP in a two ISP routers and my concern if i can configure the ports in a stacked switches are not. Once I stack logically it's a one switch.
Let's say
Gi1/0/1 (configure as access) ----> Router1 (configure HSRP)
Gi 2/0/1 ( configure as access ) ---> Router 2 (configure HSRP)
I hope this way it works well
or
Configure the switches in standalone devices
Gi1/0/1 (configure as access) ----> Router1 (configure HSRP)
Gi 2/0/1 ( configure as access ) ---> Router 2 (configure HSRP)
Gi1/0/48 (on switch1) <----> Gi1/0/48 (on switch2) configure them as trunk
Does this makes any different between these two topologies?
09-09-2020 01:29 AM
Hello @jagan1985 ,
yes the setup using gi1/0/1 and gi2/0/1 in the same VLAN will work.
The difference with the stand alone switches is that in stack you can use the stackwise bandwidth in the order of 32 Gbps or more.
IF you use stand alone switches the bandwidth between switches will be that of the ports for example 4 Gbps in a port channel between them.
In addition each switch should have its own IP address in the VLAN with routers.And in that case another HSRP group would be needed to be run on the two switches SVIs.
So the stack setup is to be preferred.
Hope to help
Giuseppe
09-09-2020 01:56 AM
2960x
vlan 1
name Data_VLAN
Interface gi1/0/1
switch port mode access
Interface gi2/0/1
switch port mode access
interface vlan1
ip address 192.168.1.2 255.255.255.0
ISR 4331
Router 1
interface gi0/1
ip address 192.168.1.3 255.255.255.0
standby 1 ip 192.168.1.1
standby 1 priority 150
standby 1 preempt
standby 1 track gi0/2 60 --> I want to trace the WAN interface for WAN level failover
no shut
Router 2
interface gi0/1
ip address 192.168.1.4 255.255.255.0
standby 1 ip 192.168.1.1
standby 1 priority 100
standby 1 preempt
no shut
I hope above confirmation works.
For WAN interface I believe I need to track on my primary router WAN interface alone right?
09-09-2020 02:23 AM
Hello @jagan1985 ,
the use of VLAN 1 for user traffic is not recommended for security reasons.
It would be better to use a different VLAN
Apart this note, your configuraton template looks like correct and R1 has to track the state of the WAN interface.
With HSRP one key commnad is preempt that allows in case R1 WAN interface fails that R2 takes over for its higher priority
Hope to help
Giuseppe
09-12-2020 01:27 AM
Hi Giuseppe Larosa
I have one setup like this, my 2960x is stacked and the uplink is connected to the firewall.
I have three vlans, VLAN 10 (Server network), VLAN 1 (Data Network) VLAN 100 (Server Mgmt Network) all these VLANs are terminated in the firewall. In my switch I have all three vlans created (vlan 1, 10, 100 ).
interface Vlan1 (data network)
ip address 10.16.10.10 255.255.255.0
!
interface Vlan10 (server network)
ip address 10.16.15.10 255.255.255.0
!
interface Vlan100 (server mgmt network)
ip address 10.100.10.10 255.255.255.0
!
ip default-gateway 10.16.10.1 --> Gateway is in firewall
!
Firewall
Interface gi0/1
ip address 10.16.10.1
Interface gi0/2
ip address 10.16.15.1
Interface gi0/3
ip address 10.100.10.1
I have one uplink to the firewall which is configured as an access port
In order to reach vlan 10 or vlan 100 IPs ( which is in the firewall) from my switch, I need to have SVI in my switch? If I keep shut down my SVI 10, SVI 100 in my switch I am not able to ping 10.100.10.114.
I am able to ping 10.100.10.114 from my PC 10.16.10.60 even though my SVI 10, and SVI 100 are in shut state but from the switch I am not able ping beyond my gateway.
09-12-2020 06:04 PM
There are several things in this post that I do not understand.
- In previous posts in this discussion we have been talking about HSRP. But there is no HSRP in these configurations.
- This post has 3 SVI on the switch with IP addresses. And it has 3 interfaces on the firewall with corresponding IP addresses. This suggests that there would be 3 access ports on the switch (one in each vlan) which connect to interfaces on the firewall. But then you say "I have one uplink to the firewall which is configured as an access port". This is surprising. If you have one uplink then which vlan is that uplink associated with?
- with 3 SVI on switch and 3 interfaces on firewall and 3 access port connections then any device connected on switch could get to the gateway for that subnet as a local connection (device does arp for firewall, firewall responds) there is connectivity without requiring any routing on either device.
- with one uplink you need one SVI on the switch that connects to the firewall. And you need routing enabled on the switch so that devices on the other 2 vlans (other 2 subnets) can be routed to the firewall. And in this situation you need routing logic on the firewall for the other two subnets on the switch. But the switch is configured with ip default-gateway which suggests that routing is not enabled on the switch.
- you ask "In order to reach vlan 10 or vlan 100 IPs ( which is in the firewall) from my switch, I need to have SVI in my switch?" The answer to this depends on whether there are 3 connections from switch to firewall (as I suggested earlier in this response) or 1 connection. If there are 3 connections then each host on the switch is directly connected to the corresponding gateway on the firewall, and there is not need for SVI on the switch. But if there is 1 connection to the firewall, then it must function as a routed link and you need the 3 SVI on the switch to enable routing for each vlan/subnet.
- you tell us "I am able to ping 10.100.10.114 from my PC 10.16.10.60 even though my SVI 10, and SVI 100 are in shut state" This is because both devices are in the same subnet and in the vlan that is active. So each device just does arp for the other device and connectivity is established.
09-12-2020 06:37 PM
Hi Rick,
Sorry I was wrong on the trunk links from my three switch I have three uplinks all three are access ports, VLAN 1, VLAN 10, VLAN 100
all the switch ports are access VLAN and I have three SVI's on my switch int VLAN1, VLAN10, VLAN100, and similarly, I have 3 routed interfaces in my firewall for all three networks. I have only ip-default gateway command in my switch. Should I need to add a static route in my switch to reach 10.100.10.0/24 "ip route 10.0.0.0 255.0.0.0 10.16.10.1 pointing to the firewall?
SWITCH:
VLAN1
interface vlan1
ip address 10.16.10.10 255.255.255.0
VLAN10
interface vlan10
ip address 10.15.10.10 255.255.255.0
VLAN100
interface vlan100
ip address 10.100.10.10 255.255.255.0
Firewall
Gi0/1
ip address 10.16.10.1 255.255.255.0
Gi0/2
ip address 10.16.15.1 255.255.255.0
Gi0/3
ip address 10.100.10.1 255.255.255.0
09-13-2020 10:05 AM
Jagan
There are several parts to my response:
- the original post and the following responses were about running HSRP. Then it seems that the focus of your post shifted and is now asking about connectivity between the switch(es) and the firewall. Is that a correct understanding?
- if the switch is configured with ip default-gateway then it implies that the switch does not have ip routing enabled. Is that a correct understanding?
- if ip routing is not enabled then ip default-gateway is used for traffic originated from the switch management interface and does not have any effect on traffic from user ports. The switch will do layer 2 forwarding for user traffic but does not consider any IP information about user traffic.
- if the following conditions are met:
** 3 vlans configured on the switch
** each vlan configured on the switch has a vlan interface with the IP addresses that you have specified and is not shut down
** in each of the 3 vlans there is an access port connected to the firewall and at least one access port connected to an active device
** 3 interfaces on the firewall with the IP addresses that you have specified and are not shut down
** each interface on the firewall is connected to the corresponding access port on the switch
then any device connected in one of these vlans on the switch should be able to access the firewall
Whether a device in one vlan can communicate with a device in another vlan depends on policies implemented on the firewall.
Is there more to your question than this? If so please clarify.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide