cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
8605
Views
5
Helpful
22
Replies

Configuring Redundancy on Layer 3 switches with multiple VLANs

Ella M
Level 1
Level 1

Hey All,

I am looking for some advice on how to configure a redundancy Protocol on Packet tracer for my network and any help is greatly appreciated!

I have been tasked with creating a redundant network which operates between 2 buildings. I have chosen to use layer 3 switches with a trunk connection between, mainly for the convenience of inter-VLAN routing. There are two layer 3 switches within each building with the intent of one being standby and one being active (mirrored within both buildings).

Within the topology the top two layer 3 switches will be active and the two underneath will be standby.

From what I have found HSRP only enables one active device at a time which leads me to think that using this protocol wouldn't work unless there was a way to 'separate' the buildings from the perspective of the protocols.

Does anyone have any ideas on the best way to implement redundancy while accounting for the inter-VLAN requirements between buildings?

Also to note that I need to consider redundancy between the routers, both routers are active severing their side of the building but if one router goes down, the end devices will be required to get to the router within the other building.

Happy to share further information,

Thank you, Ella

 

22 Replies 22

MaxShantar
Cisco Employee
Cisco Employee

There are a few different ways you could approach this problem....An option you might consider is using the Virtual Router Redundancy Protocol (VRRP) instead of HSRP. VRRP is similar to HSRP, but it provides some additional features and flexibility. For example, VRRP allows you to create a virtual IP address and virtual MAC address that represents a group of routers, rather than just two routers like HSRP. This can be useful if you want to provide redundancy for multiple routers within a building, or if you want to use multiple active routers to distribute traffic among them.

To configure VRRP on your Cisco switches, you would follow a similar process as with HSRP. First, you would enable the VRRP feature using the "feature vrrp" command. Then, you would create a VRRP group for each VLAN that you want to provide redundancy for. For example, if you have VLANs 10 and 20 in each building, you would create two VRRP groups, one for each VLAN.

Here's an example of how you might configure VRRP for VLAN 10 in Building 1:

 

 

interface Vlan10
   ip address 10.10.10.1/24
   vrrp 10
      preempt
      priority 110
      ip 10.10.10.100
      authentication md5 key-string password

 

 

Thank you for your reply Max, that's really helpful,

In order to have multiple active layer 3 switches at the same time, is there a command to allow this? Or would it automatically work if I set the same priority for the vlan groups on both active switches?

Thank you 

 

". . . rather than just two routers like HSRP."

I thought you could have more than two routers within a HSRP group.  Not so?  Or are you referring to having multiple HSRP groups within the same L2 domain?  (I recall having done both with HSRP - however, possibly PT, as often the case, doesn't support this "real world" feature.) 

". . . if you want to use multiple active routers to distribute traffic among them."

You're talking about multiple virtual gateways (within same network), with clients in the same L2 domain, configured to use them?  Yea, that's doable (at least "real world", with both VRRP and HSRP (I thought, or perhaps only with HSRPv2?), this is usually a maintenance headache, though.  Much, much nicer is Cisco's GLBP configured to use multiple active gateways (possibly not supported in PT). 

BTW, to OP, if you do have multiple VLANs, going to same devices, a variant of what @MaxShantar suggests if having different active gateways (i.e. across your devices) per VLAN.  Doing this, all the hosts on each VLAN use just one virtual gateway IP, but you can load share across your VLANs.

Joseph W. Doherty
Hall of Fame
Hall of Fame

"I have been tasked with creating a redundant network which operates between 2 buildings."

That can entail much, much more than "configure a redundancy Protocol" (i.e. a FHRP?, e.g. HSRP, VRRP, GLBP).

Since you're using L3 switches, why are you not routing between the buildings?

So, how much redundancy are you really trying to achieve?

Hey Joesph,

Thank you for the reply!

For now I'm seeing having a redundancy protocol in place as somewhat of a first step, but I am struggling to know which protocol is most suitable for what I am trying to achieve. HSRP, VRRP and GLBP are certainly all options I am looking into configuring. The level of redundancy I'm looking for is to have 2 devices operating as active and 2 as standby for a failure scenario, to allow the buildings to still communicate.

Routing was my original plan but I faced issues with inter-VLAN routing and unfortunately couldn't get it working, my main issue was being able to ping end-devices within the different buildings due to being in the same subnet. For example if PC1 was in VLAN10 and PC2 was also in VLAN10 (same subnet) but in the other building, having static routes in both directions to the same network wasn't viable and I couldn't find a solution, so decided to use a trunk across.

I'm quite new to networking so there may have been a solution I'm not aware of but found configuring a trunk to be something which worked.

I am with @Joseph W. Doherty  option here, 
first run PVST 
second run  HSRP group 
Group-A R1 is active for VLAN X 
Group-B R2 is active for VLAN Y 
Group-A R3 is standby for VLAN X
Group-B R4 is standby for VLAN Y

this give you two active route (different VLAN) and two standby Router. 

For starters, keep in mind PT often does not offer all the features of the "real" devices.  I.e. there are multiple ways we might accomplish your goal, but we may be limited by what PT supports.

From your OP and your post to me, sound like your redundancy requirement is for your local network's gateway.

Unclear why you want to extend VLAN host usage across building when using L3 switches (beyond noting you could not get inter-VLAN routing to work).

Well, if you are going to extend VLANs between buildings, you only need two (yes, just two) L3 switches as you can replace one pair of L2 switches with a pair of L2 switches.  (You could also use just a pair of routers, in lieu of the pair of L3 switches.)

With just a pair of L3 devices (and the extra two L2 switches), both L3 devices can be in either building, or one each per building.

With a L3 device per building, good practice would be to not haves same VLAN hosts in more than one building.

Your topology might look like:

B1L3 <routed>B2L3
|trunk|            |trunk|
B1L2 <trunk >B2L2

V10 B1
V20 B2

Given the above, any ideas how to configure? (NB: As you're learning, I just don't want to provide a solution. I want to work with you finding the solution.)

'Unclear why you want to extend VLAN host usage across building when using L3 switches' - From what I found using SVI's was somewhat the 'nicest' option to use to enable the inter-VLAN routing. Fibre connections were also required so after being unable to configure the routers I had prior to enable this, I extended the trunk across the L3 Switches.

Due to the limitations of PT, I was unable to use a L2 switch connecting the 2 buildings as I couldn't see a L2 switch with fibre modules, so I know having 4, L3 switches which trunk may seem a bit excessive but with that small caveat and the fact I couldn't seem to manipulate the routers I went for that option. 

'With a L3 device per building, good practice would be to not haves same VLAN hosts in more than one building' -  Originally I was told where the end devices had to be located within the buildings, which is why I was faced with the challenges, but upon reflection I will suggest they relocate some devices so that members of the same VLAN are within the same building.

If all members of the VLANs are within the same building I would assume I would be able to use static routes on the L3 switches and route the packets across L3 ports instead?

so it would look like:

B1L3 <routed>B2L3
|trunk|            |trunk|
B1L3 <routed >B2L3

I suppose going back to redundancy, is having 4 L3 devices suitable in your opinion? The main reason to have 2 in each building is so that if one happened to go down, some devices that need to communicate across buildings can.

Again, thank you for you help and advice @Joseph W. Doherty its really appreciated!

 

 

"From what I found using SVI's was somewhat the 'nicest' option to use to enable the inter-VLAN routing."

Laugh - guess it depends on what defines "nicest".

"Fibre connections were also required so after being unable to configure the routers I had prior to enable this, I extended the trunk across the L3 Switches.

Due to the limitations of PT, I was unable to use a L2 switch connecting the 2 buildings as I couldn't see a L2 switch with fibre modules . . ."

What version of PT are you using?  (I'm running the latest [?] PT and it appears to have routers and switches that support fiber.)

"If all members of the VLANs are within the same building I would assume I would be able to use static routes on the L3 switches and route the packets across L3 ports instead?"

Yes, or use a dynamic routing protocol.

BTW, with VLANs per building (and L3 between buildings), you can "reuse" the same VLAN numbers in the different buildings too.  (Some might use the same VLAN number to denote the same VLAN purpose per building, e.g. VLAN 10, user data VLAN; or a VLAN number that represents purpose and building, e.g. building 1, user data VLAN 110, building 2, user data VLAN 210, etc.)

"I suppose going back to redundancy, is having 4 L3 devices suitable in your opinion?"

It can be.  What I suggested, i.e. just two routers and two switches, would usually be less expensive than 4 L3 switches, and it would show how to both VLAN and/or route between buildings.  However, using just two L3 devices requires L2 between buildings.

With four L3 switches, you can also do:

B1L3 <trunk>B2L3
|trunk|          |trunk|
B1L3 <trunk>B2L3

And you could avoid any explicit routing configuration.

Also, a variation of what I suggested earlier could be:

B1L3 <trunk>B2L3
|trunk|          |trunk|
B1L2 <trunk>B2L2

Chose one of the four, and we can pursue how to configure.  I.e. you propose how to configure.

 

Haha maybe nicest wasn't the best word!

Unfortunately I'm using a work laptop at the PT software is limited to 8.1.1 (very frustrating)

I'm not normally one to shy away from routing but I feel as though sticking with:

B1L3 <trunk>B2L3
|trunk|          |trunk|
B1L3 <trunk>B2L3

Is going to be the most viable option with the tools I've got and where the end-devices are currently situated, as long as there are no caveats to longer spanning trunks which I'm not aware of! Luckily there is no budget to abide by in the exercise given also (phew)

So I'm thinking as there are multiple VLANs on each switch, each SVI will need a standby IP going down the HSRP route. Initially I feel the configuration would look like: 

interface Vlan10

mac-address 0001.97d0.2201

ip address 172.16.0.30 255.255.255.240

standby 10 ip 172.16.0.28

standby 10 priority .....

standby 10 preempt

I would assume all L3 Switches would have the same standby IP for each VLAN? This standby IP would then become the default gateway for end-devices instead of a gateway of the SVI?

I suppose my main query is going to be, how is it possible to have one active switch and one standby in each building, is there a way to separate the switches into groups?

Thank you

You shouldn't (usually/normally) need to configure interface MACs.

Let's suppose we have VLAN 10 usage in building 1 and VLAN 20 usage in building 2.

For VLAN 10, decide what the virtual gateway IP will be (often the first or last host IP of the network address block).

Ditto for VLAN 20.

Using HSRP, the "standby # IP" will be the (virtual) gateway IP which all the network hosts will use.

For our purposes, unless you have a need for it, likely no need to configure other HSRP options.

Each SVI on each VLAN will have its own "real" (and unique) host IP out of that VLAN's address block.

You've correctly configured, in your last posting, HSRP on an SVI.

So, how many SVIs do you need to define, and what devices do you need to define them on?

For the SVIs, how many need HSRP, and what device SVI need what HSRP config.

"I would assume all L3 Switches would have the same standby IP for each VLAN?"

Correct.

"This standby IP would then become the default gateway for end-devices instead of a gateway of the SVI?"

Correct.

"I suppose my main query is going to be, how is it possible to have one active switch and one standby in each building, is there a way to separate the switches into groups?"

How possible?  Yes, that's your question, i.e. how.  (Hint: yes, can an active and standby in each building.)

Separate (HSRP) groups?  Yes, possible, but do you yet understand how and where you need different groups?

At current I've got 10 SVIs on each switch, as I have 10 VLANs overall. On each switch, the SVI for that particular VLAN has a different IP address from the VLAN address block i.e one switch has 172.16.0.44, another has 172.16.0.45, another has 172.16.0.46, all for VLAN 10. I have then replicated the same for each VLAN on all 4 switches. Now that I have typed out what I have done it seems slightly excessive, I suppose my main thinking was that if one switch went down then at least there were 3 other default-gateways for the devices to use, split across both buildings. Might be a better way to do that?

From what I have gathered, each SVI needs HSRP configured. Depending on if the switch was active or standby would dictate the priority that gets configured.

I do think my understanding is a bit fuzzy, from my current knowledge the only thing I can think of that dictates if a switch is active or standby is the priority. As I would like to have 2 active, if I gave these the same priority then the mac address to decide which single device is active. So unclear as to how I can have 2 active at once

 

I see the topology in your original post I will check. 

Since you chose the "trunk" between all your L3 switches, to avoid explicit routing configuring, yes all VLANs will need to be defined on all your switches, and every switch will need a SVI for each VLAN.  I.e. 10 VLANs times 4 switches, you'll have 40 SVIs.  (NB: if you did do explicit routing, your number of SVIs would likely half.)

You need all these SVIs as you will only have implicit routing.

Regarding virtual gateways, you only need two per VLAN.  You could define four per VLAN, but assuming VLAN usage is per building, the extra standbys don't provide any benefit.  I.e. your two virtual gateways will be on the two L3 switches in the building using those VLANs.  (If both L3 switches fail in the same building, the building VLANs will be lost - no path to the other building's L3 switches.)

Yes, priority determines, when HSRP first comes up, which device becomes the active gateway.  The preempt option allows a higher priority gateway, as it comes on-line, after initial HSRP activation, to take over from an active gateway.

For your purposes, you will only need to consider which device you want to be the active gateway, if you're trying to load share traffic and/or one of your L3 switches is more powerful than the other.  Otherwise, it shouldn't matter much (well beyond having active gateway also be the root for STP - due to not routing).

With HSRP, in the later variant, you can have more than one active gateway, within the same VLAN (one of the places that HSRP group is important), but each uses its own virtual IP, which creates the issue how you manage host usage across different virtual gateway IPs.  (As note earlier, Cisco's GLBP can low share across devices using just one virtual IP, but HSRP cannot.) 

Review Cisco Networking for a $25 gift card