Jon, i've had the same "issue" as well. I have a L3 P2P between my two cores as well as a L2 trunk carrying all of those HSRP VLANS. Could i make all of the HSRP vlans passive and just let the two Cores peer using the L3 P2P? Or would the option 2 you suggested be the best method and remove the L3 P2P?

Thanks!

cowetacoit wrote:
Jon, i've had the same "issue" as well. I have a L3 P2P between my two cores as well as a L2 trunk carrying all of those HSRP VLANS. Could i make all of the HSRP vlans passive and just let the two Cores peer using the L3 P2P? Or would the option 2 you suggested be the best method and remove the L3 P2P?
Thanks!

Depends. What is the L3 P2P there for ? is it just for peering ?

Are both links (L2 trunk) and L3 single links or etherchannels.

Do either of the links use the uplink ports on the actual supervisor ? (assuming 6500s)

Jon

The L3 P2P is for peering between two 4506s. All of the other switches connected to the two cores are connected by L3 P2Ps as well. The vlans on the cores are for our data center vlans and there is a trunk between those two for those vlans. At the moment the L2 trunk is an Ether channel and the L3 link isn't. The first core is a Sup6 and we're not using the Sup for uplinks but Core 2 is a Sup5 and is using both uplinks. We're about to swap them with 4506-Es and Sup7s. The Sup7 is supposedly going to be supporting full VSS by the end of the year. So do you think i should enable the passive interface command for all of our vlans on the cores and let the L3 P2P take care of peering? If i do this i will most likely create a L3 ether channel for the peering uplink. thanks!

Just to clarify. You say all your other switches are connected via P2P L3 links ? So i need to understand your topology a bit better.

Where are the access-layer switches connected to ie. is it these core switches or distribution switches. If it is these core switches are the access-layer switches routing the local vlans because if you are connecting via L3 P2P links they must be.

The vlans on the core switches. Are the clients that use these vlans directly connected to the core switches ? Again if everything else is L3 connected to the core switch then they must be.

As a side note - it is always a good idea to use the sup uplink ports as part of the interconnect simply because if a module dies and the interconnect is only on that module then both sides go active. If the sup dies, the switch has died anyway, so it doesn't matter.

Jon

Yes, we have a routed access layer. All end devices connected to the core are directly connected and on the hsrp vlans. I understand about using the uplinks on the Sups and have thought about that before. The Sup6s use the 10G Xenpak or 1g sfps so we just never purchased any sfps since we have the gbic line card. When we swap to the Sup7s, we're going 10G so then i will utilize all ports on the sup for uplinks. hopefully that was enough clarification! thanks!

cowetacoit wrote:
Yes, we have a routed access layer. All end devices connected to the core are directly connected and on the hsrp vlans. I understand about using the uplinks on the Sups and have thought about that before. The Sup6s use the 10G Xenpak or 1g sfps so we just never purchased any sfps since we have the gbic line card. When we swap to the Sup7s, we're going 10G so then i will utilize all ports on the sup for uplinks. hopefully that was enough clarification! thanks!

Ideally you shouldn't have any clients connected to core switches but i understand that this is often dictated by cost.

It's really not going to make much difference which way you go with the current setup.With fully routed, ie. no devices connected to core running HSRP then it would make perfect sense to only have a L3 P2P link between core switches. However because you do have L2 vlans between the core switches you could just as easily use those for peering.

If you have any intention of relocating the devices connected to the core to their own pair of switches then it definitely makes sense to utilise the L3 P2P link for peering although it would need to be an etherchannel, spread over at least 2 modules on each switch, preferably as mentioned utilising one or more of the sup uplink ports.

If you don't then you can use either or both. At the moment you definitely don't want to be just relying on the L3 single link though so even if you do make your vlan interfaces passive, leave at least one + the L3 link for peering.

Jon

I think what i'm going to do for now is configure the L3 PTP as an ether channel and enable passive-interface on all of the vlans. Of course i'll have to keep a trunk for only the handful of HSRP vlans. We'll be swapping to the new Sup7 very soon so this is when i'll make that change. You're right about cost dictating design. If i had my way we'd have a pair of 6500s with VSS. Really the only layer 2 devices are a few bladecenter switches which have server vlans passed to them for vmware. thansk for the help Jon. i'm glad i ran across this thread because i've noticed the same behavior as Eric.

Seconded. This is the cleanest and easiest to manage. It had the benefet of being "deterministic" in that you know with 100% certainty the layer1-layer3 path the traffic takes.