
Configuring Redundancy on Layer 3 switches with multiple VLANs

Ella M
Level 1

Hey All,

I am looking for some advice on how to configure a redundancy protocol on Packet Tracer for my network and any help is greatly appreciated!

I have been tasked with creating a redundant network which operates between 2 buildings. I have chosen to use layer 3 switches with a trunk connection between, mainly for the convenience of inter-VLAN routing. There are two layer 3 switches within each building with the intent of one being standby and one being active (mirrored within both buildings).

Within the topology the top two layer 3 switches will be active and the two underneath will be standby.

From what I have found HSRP only enables one active device at a time which leads me to think that using this protocol wouldn't work unless there was a way to 'separate' the buildings from the perspective of the protocols.

Does anyone have any ideas on the best way to implement redundancy while accounting for the inter-VLAN requirements between buildings?

Also to note that I need to consider redundancy between the routers, both routers are active serving their side of the building but if one router goes down, the end devices will be required to get to the router within the other building.

Happy to share further information,

Thank you, Ella

 

22 Replies

Hey,

Are the virtual gateways different to the SVI IP addresses? 

At the moment the top left L3 switch is my root bridge and is also the switch which the end devices in B1 are using as its default-gateway with the SVI addresses. This is mirrored in B2 with the top right L3 switch being the root bridge and using SVIs as default gateways.

Would HSRP work on a per VLAN basis? So rather than having one active one standby per building (which is the way I was viewing it) would it be one active one standby per VLAN? And if so how would the L3 switches differentiate between which two are configured to be active and which two are configured to be standby?

Sorry for so many questions I'm just trying to get my head around how it will work!

Thank you

"Are the virtual gateways different to the SVI IP addresses?"

For HSRP and GLBP, yes!  (For VRRP, it's a bit more complicated.)

When using a FHRP, hosts use the virtual gateway IP.

"Would HSRP work on a per VLAN basis?"

Yes, ditto for GLBP and VRRP.  (Remember, it's a virtual gateway IP, i.e. would an SVI IP be used on other SVIs?  No, neither for FHRP IPs.)

"So rather than having one active one standby per building (which is the way I was viewing it) would it be one active one standby per VLAN?"

Latter is correct, i.e. per VLAN.

"and if so how would the L3 switches differentiate between which two are configured to be active and which two are configured to be standby?"

In same VLAN?  Group number, and different/unique virtual IPs per VLAN.  (Doing this is a more "advanced" usage of using HSRP, allows virtual gateway IPs for load sharing [much as can be done with non-virtual IPs].  As Cisco's GLBP, much less need for this "advanced" HSRP feature [which, at one time, was only available on higher-end Cisco routers].)

"Sorry for so many questions I'm just trying to get my head around how it will work!"

Nothing to apologize for; forums are about learning.

I hadn't realized you thought a single HSRP virtual IP would be used across VLANs.  Thinking that, easy to understand some of your confusion.

I see! Thank you,

B1L3 <trunk> B2L3
|trunk|      |trunk|
B1L3 <trunk> B2L3

Using 2 VLANs as an example...

Would configuration look something like:

B1L3 (ACTIVE)

interface Vlan10
ip address 172.16.0.43 255.255.255.240
standby 10 ip 172.16.0.42
standby 10 priority 150
standby 10 preempt

interface Vlan20
ip address 172.16.0.59 255.255.255.240
standby 20 ip 172.16.0.58
standby 20 priority 150
standby 20 preempt

B1L3 (STANDBY)

interface Vlan10
ip address 172.16.0.44 255.255.255.240
standby 10 ip 172.16.0.42
standby 10 priority 100
standby 10 preempt

interface Vlan20
ip address 172.16.0.60 255.255.255.240
standby 20 ip 172.16.0.58
standby 20 priority 100
standby 20 preempt

B2L3 (ACTIVE)

interface Vlan10
ip address 172.16.0.45 255.255.255.240
standby 10 ip 172.16.0.41
standby 10 priority 150
standby 10 preempt

interface Vlan20
ip address 172.16.0.61 255.255.255.240
standby 20 ip 172.16.0.57
standby 20 priority 150
standby 20 preempt

B2L3 (STANDBY)

interface Vlan10
ip address 172.16.0.46 255.255.255.240
standby 10 ip 172.16.0.41
standby 10 priority 100
standby 10 preempt

interface Vlan20
ip address 172.16.0.62 255.255.255.240
standby 20 ip 172.16.0.57
standby 20 priority 100
standby 20 preempt

You're getting close!

The active is per VLAN - i.e. only one should have the highest priority.

You can have all four L3 switches be members of the HSRP group (not needed, all of each VLAN's hosts are same building - we'll come back to that), but if you have more than two, and you want a particular router to be the standby, its priority would be less than the desired active, but greater than any other routers for that group.  It also should have preempt (as would the preferred active).

When you don't care about one HSRP member being better (or worse) than another you don't need to assign priority (which has a default value).  If you don't care that one HSRP member is always trying to be better than what's currently the situation, as that HSRP joins an active group, you don't need to use preempt.

In your topology, do you benefit from having more than two HSRP members?   Try "what if".

Consider (same) VLAN hosts can be in both buildings vs. all (same) VLAN hosts are only in one building.

Then "fail" a L3 switch with currently active HSRP gateway.  Secondary takes over, all good (regardless), right?  Even regardless of VLAN hosts locations and/or which building secondary is in relative to the original active L3 switch, right?

Then "fail" the L3 switch that was secondary, now active.  Again, assuming all VLAN hosts one building vs. two and/or the newly failed secondary in the same building or the other building.  What's good or bad now?  Do we benefit from having another HSRP member, in all situations, or just some?  If some situations do not need another (3rd) HSRP member, is that something we can "control"?

If you can work out the prior "what ifs", you're well on your way toward designing networks that meet particular requirements.

Below, I believe, would support VLAN 10 with its hosts only in building 1 and VLAN 20 with its hosts only in building 2.  Can you see why?

B1L3 (ACTIVE)

interface Vlan10
ip address 172.16.0.43 255.255.255.240
standby 10 ip 172.16.0.42
standby 10 priority 150
standby 10 preempt

interface Vlan20
ip address 172.16.0.59 255.255.255.240

B1L3 (STANDBY)

interface Vlan10
ip address 172.16.0.44 255.255.255.240
standby 10 ip 172.16.0.42

interface Vlan20
ip address 172.16.0.60 255.255.255.240

B2L3 (ACTIVE)

interface Vlan10
ip address 172.16.0.45 255.255.255.240

interface Vlan20
ip address 172.16.0.61 255.255.255.240
standby 20 ip 172.16.0.57
standby 20 priority 150
standby 20 preempt

B2L3 (STANDBY)

interface Vlan10
ip address 172.16.0.46 255.255.255.240

interface Vlan20
ip address 172.16.0.62 255.255.255.240
standby 20 ip 172.16.0.57

Hmmm interesting,

When you say the active is per VLAN, are you referring to an active switch on a per VLAN basis? So a device that is active for VLAN 10 may be standby for VLAN 20 for example?

Also HSRP members, are they the devices themselves or the VLANs? If they are the devices then within my topology I would benefit from having two members due to the fact that there needs to be two devices active at any one time for the network to function.

If VLANs were in the same building then I can see how two could be sufficient as you have configured the standby IPs for VLAN 10 with the priority for the active, then mirrored this to represent VLAN 20 on the other side. So that configuration certainly makes sense to me in terms how active and standby will be elected.

I think I start to get the wrong end of the stick when the VLANs are within the different buildings haha 

Thank you

 

"Active", for HSRP, means whatever device is currently supporting/processing traffic directed to the virtual IP.

Consider:

Switch1

interface Vlan10
ip address 172.16.0.43 255.255.255.240
standby 10 ip 172.16.0.42

Switch2

interface Vlan10
ip address 172.16.0.44 255.255.255.240
standby 10 ip 172.16.0.42

Router1

interface fastethernet1
ip address 172.16.0.45 255.255.255.240
standby 10 ip 172.16.0.42

Router2

interface fastethernet1
ip address 172.16.0.46 255.255.255.240
standby 10 ip 172.16.0.42

All four of those devices are part of HSRP group 10 on the same network.

Which device is active?

With the information provided, you cannot know for sure.

If we add "standby 10 priority 150" to switch2's SVI, is it now the active gateway?  Actually, we still cannot know for sure.

If we also add "standby 10 preempt", assuming HSRP is working correctly, it should be, or become, the active gateway.

". . . I would benefit from having two members due to the fact that there needs to be two devices active at any one time for the network to function."

Unsure I understand.  First, you don't need HSRP to function, unless you're providing redundancy.  And for redundancy, you do need at least two devices in operation.

"If VLANs were in the same building . . ."

With the topology we've been using, all VLANs need to be everywhere.  However, hosts using those VLANs, might be limited to just in one building per one VLAN.  I.e. Even with all VLAN using hosts in just one building, you still need VLANs on all the devices (because we've not configured explicit routing).

If you have Packet Tracer, you can "play" with a topology like:

                            /v10> B1L3 <trunk> B2L3 <v20\
B1PC <v10> B1L2         |trunk|            |trunk|       B2L2 <v20> B2PC
                           \v10> B1L3 <trunk> B2L3 <v20/

Hey Joseph,

Thank you that makes more sense now,

When I mentioned about having two members active for the network to function, I meant in general terms rather than HSRP, as there are 2 devices which need to be active at the same time to allow the buildings to connect to each other.

You said that the VLANs might be limited to just one building per VLAN, perhaps this is where I'm facing issues? The VLANs themselves are on all devices, but for three of my VLANs, the hosts are split between buildings rather than all the hosts being in the same building. Does this mean HSRP won't be viable for the VLANs whose hosts are split?

Thank you

 

"When I mentioned about having two members active for the network to function, I meant in general terms rather than HSRP, as there are 2 devices which need to be active at the same time to allow the buildings to connect to each other."

Yes and no.  In the L2 ring topology we've been discussing, losing one node can be fine, but if you lose two nodes, one in each building, whether we still have inter building communications depends on which two nodes we've lost.

"You said that the VLANs might be limited to just one building per VLAN, perhaps this is where I'm facing issues?"

The operative word is "might".  Assume you lost top left and bottom right L3 switches.  You lose connectivity between buildings, and between hosts within the same VLAN, if hosts are in both buildings.

". . . but for three of my VLANs, the hosts are split between buildings rather than all the hosts being in the same building. Does this mean HSRP won't be viable for the VLANs whose hosts are split?"

Depends what you mean by "viable". In my prior paragraph, I described how if you lose two particular L3 switches, you lose connectivity between buildings.  Any VLAN being "used" across both buildings will be "partitioned."  Is this okay?  That's something you need to determine.  You certainly can still have traffic between VLANs, within the building, but you'll also need to define more than two HSRP interfaces.

Consider if both (of two only) HSRP instances are in just one building.  With the worst case loss of two nodes, the building without a HSRP instance for a VLAN cannot be used in the remaining building.

Again, suggest, you try "what if" scenarios.  With the same VLAN having hosts in both buildings, for some two node failure, you'll need HSRP, for such VLANs, on all four nodes.  (Again, doable, but also again, in situation, above, is remaining behavior what you want?)
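The "what if" exercise suggested in the replies above can be enumerated offline. The following is an added example, not part of the original thread: it models the four-switch ring and reports which failure sets leave a building with a live switch but no reachable HSRP gateway for one VLAN. The switch names, the priorities, and the assumptions that every member uses preempt and that each building's access switch uplinks to both local L3 switches are constructed for illustration.

```python
from itertools import combinations

# Constructed model of the thread's ring: two L3 switches per building,
# trunks between buildings (top-top, bottom-bottom) and within each building.
SWITCHES = {"B1-top": "B1", "B1-bot": "B1", "B2-top": "B2", "B2-bot": "B2"}
LINKS = [("B1-top", "B2-top"), ("B1-bot", "B2-bot"),
         ("B1-top", "B1-bot"), ("B2-top", "B2-bot")]

def reachable(start, alive):
    """Switches in the same L2 segment as `start`, using only live switches."""
    seen, todo = {start}, [start]
    while todo:
        node = todo.pop()
        for a, b in LINKS:
            peer = b if a == node else a if b == node else None
            if peer in alive and peer not in seen:
                seen.add(peer)
                todo.append(peer)
    return seen

def gateway_per_building(members, failed):
    """Active HSRP member seen by one VLAN's hosts in each building.

    members: {switch: priority} for switches running that VLAN's HSRP group.
    Buildings with no surviving switch are omitted; None means the hosts
    still have a live switch but no reachable virtual gateway.
    """
    alive = set(SWITCHES) - set(failed)
    result = {}
    for building in ("B1", "B2"):
        local = sorted(s for s in alive if SWITCHES[s] == building)
        if not local:
            continue
        candidates = [s for s in reachable(local[0], alive) if s in members]
        # Highest priority wins; preempt is assumed on every member.
        result[building] = max(candidates, key=members.get, default=None)
    return result

def stranded(members, n_failed=2):
    """Failure sets that leave a building with live switches but no gateway."""
    return [failed for failed in combinations(sorted(SWITCHES), n_failed)
            if None in gateway_per_building(members, failed).values()]

# Constructed priorities: HSRP on two switches in one building vs. on all four.
TWO_IN_B1 = {"B1-top": 150, "B1-bot": 100}
ALL_FOUR = {"B1-top": 150, "B1-bot": 120, "B2-top": 110, "B2-bot": 100}

if __name__ == "__main__":
    print("two members:", stranded(TWO_IN_B1))
    print("four members:", stranded(ALL_FOUR))
    print("split ring:", gateway_per_building(ALL_FOUR, ("B1-top", "B2-bot")))
```

With HSRP on all four switches no two-node failure strands a building, but the diagonal failure still partitions the VLAN, so each building elects its own active gateway for the same virtual IP.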
