Thanks Jon.

No, each is connected to just one 6509 and I can't add any more because of limited ports on the provider equipment.

I thought as much. Funny thing is, this config is all over our access layer. Am I looking at manually shutting down the SVIs when a link dies?! Can I track something or have a HSRP node automatically assume standby if it can't see its peer? 

Apologies, the 2x 3560s are indeed connected to each other. Well-spotted.

I'm glad they are otherwise I was totally confused :-)

The thing that still confuses me is if a link dies and both 6500s go active for HSRP then traffic from the 3560s can still only go to one of the 6500s so it should still work.

Yes you have the annoyance of the other switch being active but it shouldn't stop traffic flow from the 3560s.

If the SVI is staying up then a possible issue is that the 6500 is still advertising the IP subnet to other parts of your network so traffic could come to it and then it cannot forward it which sounds like what is happening.

However that shouldn't happen if the only port on the 6500 in that vlan (or vlans) for  the access switches is the one connecting to the 3560 because if the link goes down then the SVI should as well.

So what is keeping the SVI up/up is the question ?

Are the vlans used on the 3560s used anywhere else in your network ?

Jon

You've got it exactly there. The SVI stays up because the direct physical connection from the 6509 is to a piece of provider kit which in turn connects to the WAN link. So even if the WAN link is down, the gigabit ethernet int on the router stays up, keeping the SVI up.

Return traffic from the main office thinks the branch network is available through the 6509 connected to the dead link and, as you said, the traffic has nowhere to go. 

The vlans are not used anywhere else.

Any ideas? Thanks for your help and insight so far.

Even if you could make it go standby it would still advertise that IP subnet to the rest of your network.

You need to shut the SVI down but this could prove somewhat problematic because there is no L3 hop between the SVIs for the same vlan on each 6500.

So if you could guarantee the path a ping from one SVI to the other SVI was via the 3560s you run an EEM applet and if the ping failed it would shut the SVI.

But I suspect the ping could work via the rest of the network as well.

Even if the 3560s had management IPs that you could ping I suspect you woud be advertising these to the rest of your network so there would be an alternate path for the 6500 with the failed link.

A possible solution is if the vlans on the 3560s are only used in the branch is to move the SVIs to the 3560s as they are interconnected anyway.

Then make the links between the 3560s and the 6500s L3 links and each 3560 would advertise the vlan IP subnets.

If the link fails then the 6500 no longer receives the advertisement and so doesn't advertise it to the rest of the network.

You could use a default route on each 3560 to keep the routing tables to a minimum.

However that is a big change especially as you mention you have this configuration on a lot of access switches.

I suppose the really obvious solution is the one you don't want :-) ie .interconnect your 6500s.

Can't help feeling I am missing something more obvious so perhaps others will join in and if I think of a better way i'll add to this post.

Edited -  removed first solution as there is no next hop IP for the loopback route.

Jon