Solved: Hi Mark,

Carlton Patterson · ‎09-06-2016

Hello Experts,

I have configured HSRP as shown in the attached topology. Can someone please take a look at the configs and let me know why ALSW-9 (ip address 100.1.1.3) cannot ping ALSW-10 (200.1.1.3) and vice-versa. Neither can it ping 200.1.1.2 on DLSW-5

Any thoughts will be greatly appreciated.

Cheers

Mark Malone · ‎09-07-2016

Hi Carl

I was basing my reply on this being real world scenario not a lab , theres things configured/setup in that lab that you would not really do in real world in my opionion.
You usually would use a layer 3 device with igp to route between different subnets but just allowing ip routing on a l3 capable device will also allow them to speak to each other but in real world you would usually have an igp between the top switches and hsrp set up and you would not have multiple vlan interfaces on each switch especially when there l2 , you would have them on your exit switches say 4 and 5 then on your switches connected if trunked would be layer 2 and would not require those vlan interfaces only a mgmt. vlan which in best practice should not be a production vlan , you would still create the vlans at layer 2 so they can switch up to the other switches and then be routed out if required
Taking a guess i would think the only thing that can stop you pinging there is somtehing on your port-security is causing it , a quick test i would remove it , if everything works then you will know something is off on it or check the port-security show comamnds and see if anything irregular is showing

View solution in original post

Mark Malone · ‎09-06-2016

Hi

just had a quick look

I don't see any routing configuration to allow different vlan subnets speak to each other ?

You want layer 3 subnets to speak to each other devices need to have some form of layer 3 routing between them , aswell some of the devices set don't have gateways , all layer 2 devices should have a gateway for return traffic and if you want vlan 100 to speak to vlan 200 as an example you would need either static routing or an IGP running like eigrp/opsf /rip

In the design you have normally 4 and 5 would be the layer 3 interface vlans with hsrp and those subnets advertised in eigrp on both routers and then 9 and 10 would be layer 2 just set with DF gateway

You will also have blocked stp links there unless there capable of vpc which im guessing there not nexus , so having sinlge links to each switch from 9 and 10 1 on each will block to prevent a layer 2 loop

vlan interfaces should really only be the 4 and 5 switches if there your exit to say the wan , on the other switches for reachability you should have a separate mgmt. vlan just for access remotely

Carlton Patterson · ‎09-06-2016

Hi Mark,

Thanks for responding. This is more than I expected.

In response, you will find that switches ALSW-9 and ALSW-10 have default-gateways pointing to the HSRP standby address.

Because I have set up trunks on all devices I didnt' think I would need to configure DLSW-4 and DLSW-5 with a routing protocol.

So, if I hear you correctly, are you suggesting that the only way for vlan 200 to ping vlan 100 or vice versa is by configuring a routing protocol on DLSW-4 and DLSW-5?

Cheers

Carlton

Mark Malone · ‎09-07-2016

Hi Carl

I was basing my reply on this being real world scenario not a lab , theres things configured/setup in that lab that you would not really do in real world in my opionion.
You usually would use a layer 3 device with igp to route between different subnets but just allowing ip routing on a l3 capable device will also allow them to speak to each other but in real world you would usually have an igp between the top switches and hsrp set up and you would not have multiple vlan interfaces on each switch especially when there l2 , you would have them on your exit switches say 4 and 5 then on your switches connected if trunked would be layer 2 and would not require those vlan interfaces only a mgmt. vlan which in best practice should not be a production vlan , you would still create the vlans at layer 2 so they can switch up to the other switches and then be routed out if required
Taking a guess i would think the only thing that can stop you pinging there is somtehing on your port-security is causing it , a quick test i would remove it , if everything works then you will know something is off on it or check the port-security show comamnds and see if anything irregular is showing

mlund · ‎09-09-2016

Hi

Mark has pointed it out already, it's probably the fact that this is a switch that is supposed to do routing. If so then You have to configure it for that, like this.

Conf t

ip routing

/Mikael

Carlton Patterson · ‎09-06-2016

Mark,

The interesting thing is I can ping 200.1.1.3 (vlan 200) from 100.1.1.3 (vlan 100) from DLSW-5.

There is no routing applied.

DLSW-5#ping 200.1.1.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.1.1.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/19/34 ms

Wouldn't this suggest that I don't need routing because of I have allowed all the vlans across the trunks?

Regards

nbruggemansps · ‎09-06-2016

•Take care when you enable port security on the ports connected to the adjacent switches when there are redundant links running between the switches because port security might error-disable the ports due to port security violations.

•Flex Links and port security are not compatible with each other.

Carlton Patterson · ‎09-06-2016

Community,

Just so you know, this lab is a virtual replica of the attached lab, see attached. You will see they show successful pings between switches (in their case ALS1 and ALS2)

Cisco HSRP Not Functioning