GLBP and HSRP on same switches will work ???

rahul.zip
Level 1

I have two core switches (6500) and I have configured GLBP on the VLAN interfaces and HSRP on interface gig 1/2 on both switches.

1. How will the traffic flow from the LAN to the firewall and from the firewall to the LAN?

2. Will GLBP work properly?

3. Do I need to run HSRP?

Please refer to the attached network diagram.

Please help me.

4 Replies

Jon Marshall
Hall of Fame

rahul.zip wrote:

I have two core switches (6500) and I have configured GLBP on the VLAN interfaces and HSRP on interface gig 1/2 on both switches.

1. How will the traffic flow from the LAN to the firewall and from the firewall to the LAN?

2. Will GLBP work properly?

3. Do I need to run HSRP?

Please refer to the attached network diagram.

Please help me.

Just to clarify, are the gi1/2 interfaces on the 6500 switches and the ASA inside interfaces in the same subnet?

Also, I'm not familiar with HP switches - what does active/standby mean in relation to those, i.e. I'm assuming both will still pass traffic all the time?

If so, yes, you can run HSRP on the 6500 switches and point the ASAs to the HSRP VIP.

However, you will have a real problem if either of those uplinks from the 6500 switches to the HP switches fails, so it's not a redundant design.

Looking at your diagram, we'll call the 6500 on the left sw1 and the ASA on the left asa1, and the 6500 on the right sw2 and the ASA on the right asa2.

GLBP will work fine, but the problem is GLBP could send the traffic from the access layer to either 6500 switch.

So let's say a packet is sent from the access layer to sw2. sw2's uplink has failed, so the only way it can get to the ASA is via sw1. But there is no link between sw1 and sw2 other than via the access layer.

I'm assuming you are not exchanging routes between the two 6500 switches via the access layer? If you are, then let me know, as a lot of what I am about to write would need modifying.

What you need is either -

1) a L2 trunk between your 6500 switches, although I can see from your diagram you have no blocking on the access-layer uplinks as STP is not blocking, so this is presumably why you don't want a L2 trunk?

2) a L3 link between your 6500 switches so that if the gi1/2 interface goes down the 6500 can route the traffic to the other 6500. This would probably be a better fit for your design.

There is still a problem, though. If the link between the 6500 and the HP switch fails, then it works fine. If the HP switch fails, it works fine. But if the interconnect between the HP switches fails, then you have a problem. If sw2 is trying to send traffic to asa1, how does it now get there, because there is no path? As far as sw2 is concerned, its gi1/2 interface is still usable because it is up/up.

So you could either use IP SLA on the 6500 switch and ping the virtual IP of the ASAs. If the ping failed, then it could use the other 6500. Or you could use one of the L2 paths via your access-layer switches, which are connected to the HP switches, although this is not recommended.

As you can see, there are a few issues with this design in terms of redundancy. I understand why you have not used a L2 trunk between the 6500 switches, so that you can use the full bandwidth of the uplinks from the access-layer switches, but you still need an interconnect between your 6500 switches, be that L2 or L3.

Without knowing how you are routing, i.e. statics/dynamic routing protocol etc., it's difficult to be more precise, but you certainly need to have a rethink on the failure scenarios, i.e. sit down with the design, take out a switch/uplink/firewall etc. and then trace the path the traffic will take. Only by doing that will you see any problems with the design.

As I said, if you are exchanging routes via the access-layer switches, then an alternate path is indeed available without an interconnect, so I need to understand that too.

Jon
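The IP SLA approach described above (ping the ASA virtual IP, and fall back to the other 6500 over a L3 interconnect if the ping fails) can be expressed in IOS configuration as follows. This is an added example written for this thread, not configuration from the original poster or from Jon; all addresses (192.0.2.1 for the ASA inside VIP, 10.0.0.0/30 for the core-to-core L3 link, VLAN 20 for an access VLAN) and the interface names other than gi1/2 are assumptions, and the exact `ip sla` keyword set varies by IOS release.

```cisco
! ===== sw2 (the 6500 on the right); mirror on sw1 with the addresses swapped =====
!
! Probe the ASA inside VIP out of gi1/2. If the HP interconnect fails, gi1/2 stays
! up/up but the probe fails, which is the case the post identifies.
ip sla 1
 icmp-echo 192.0.2.1 source-interface GigabitEthernet1/2
 frequency 5
ip sla schedule 1 life forever start-time now
!
track 1 ip sla 1 reachability
!
! Assumed L3 interconnect between the two 6500s (option 2 in the post).
interface GigabitEthernet1/11
 description L3 link to sw1
 no switchport
 ip address 10.0.0.2 255.255.255.252
!
! Default route via the ASA VIP is only installed while the probe succeeds;
! the floating static (AD 250) via sw1 takes over when track 1 goes down.
ip route 0.0.0.0 0.0.0.0 192.0.2.1 track 1
ip route 0.0.0.0 0.0.0.0 10.0.0.1 250
!
! Tie the GLBP forwarder role to the same track, so that hosts whose traffic
! GLBP would hand to sw2 are moved to sw1's forwarder when sw2 loses the ASA.
! Weighting starts at 100; a 20-point decrement drops it below the lower
! threshold (90), at which point sw2 gives up its AVF role.
interface Vlan20
 ip address 10.20.0.3 255.255.255.0
 glbp 20 ip 10.20.0.1
 glbp 20 priority 100
 glbp 20 preempt
 glbp 20 weighting 100 lower 90 upper 95
 glbp 20 weighting track 1 decrement 20
```

Verify with `show track 1`, `show ip sla statistics 1`, `show ip route` and `show glbp brief`: while the probe succeeds the tracked default route is in the table and sw2 is an active forwarder; once the probe fails, the route flips to the floating static via sw1 and the GLBP forwarder role moves. Two caveats a practitioner would check: the probe only proves the ASA VIP answers ICMP, so keep the frequency short enough that the failover is faster than your application timeouts, and make sure sw1 does not also lose its probe at the same time (for example because the ASA VIP itself is down), or both cores would point at each other.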

Thank you for your quick response.

Links between the ASAs and the 6500s are L3 links, and all of them are in the same subnet.

The HP switches have no configuration.

HSRP is running between the core switches' gig 1/2 interfaces,

and GLBP is running on those core switches' VLAN interfaces.

Now core A is active and core B is standby for HSRP.

I just want to know: if core B gets traffic from the access switches, will it be forwarded by the gig 1/2 interface on core B, since it is showing standby for HSRP?

Jon Marshall
Hall of Fame

Thinking about this a little more, the easiest solution, if the ASA inside interfaces and the gi1/2 interfaces on the 6500s share the same subnet, is to -

1) create a dedicated VLAN on the 6500 switches for the communication between the 6500 switches and the ASAs, e.g. vlan 10

2) cable a L2 link between the two 6500 switches and make the ports on both 6500 switches access ports in vlan 10. Do not make it a trunk port, as this will then mean that your access-layer switches will have to block one of their uplinks. If you make it an access port, then the access-layer switches will continue to use both uplinks for forwarding.

3) on each switch create a L3 VLAN interface for vlan 10 and move the IP addresses on gi1/2 on each switch to the L3 VLAN interface.

4) make gi1/2 on each switch a switch port in vlan 10

5) configure HSRP under the L3 vlan 10 interfaces on the 6500 switches.

Edit - this setup actually creates a square between the 6500s and HP switches, which I'm not keen on. Please see the next post as to the question of connecting the ASAs directly to the 6500 switches.

Jon
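The five steps above, carried through as an IOS configuration for both cores. This is an added example for this thread, not configuration posted by Jon or the original poster; the subnet (192.0.2.0/24 with 192.0.2.1 as the HSRP VIP), the core-to-core port (gi1/10) and the ASA route are assumptions. It also answers the question raised earlier in the thread about the standby core: HSRP state only decides which switch answers for the VIP, so a packet that arrives at core B is still routed out of core B's Vlan10 interface directly to the ASA, and with the L2 link in place core B can reach either ASA even if its own gi1/2 path is cut.

```cisco
! ===== common to core A and core B =====
vlan 10
 name FW-INSIDE
!
! Step 2: L2 link between the two 6500s as an ACCESS port in vlan 10 only.
! Because vlan 10 is never trunked to the access layer, STP for vlan 10 runs
! only between the cores and the ASAs, so the access switches keep both uplinks.
interface GigabitEthernet1/10
 description L2 link to other core (vlan 10 only)
 switchport
 switchport mode access
 switchport access vlan 10
!
! Step 4: gi1/2 becomes a switch port in vlan 10 (its old IP moves to Vlan10).
interface GigabitEthernet1/2
 description to ASA inside
 no ip address
 switchport
 switchport mode access
 switchport access vlan 10
!
! ===== core A: steps 3 and 5 =====
interface Vlan10
 ip address 192.0.2.2 255.255.255.0
 standby 10 ip 192.0.2.1
 standby 10 priority 110
 standby 10 preempt
!
! ===== core B: steps 3 and 5 =====
interface Vlan10
 ip address 192.0.2.3 255.255.255.0
 standby 10 ip 192.0.2.1
 standby 10 priority 100
 standby 10 preempt
!
! ===== both ASAs (ASA syntax): return traffic for the LAN goes to the VIP =====
! route inside 10.0.0.0 255.0.0.0 192.0.2.1 1
```

After applying this, `show standby brief` should show core A as Active and core B as Standby for group 10, and `show spanning-tree vlan 10` on each core should list gi1/2 and gi1/10 and nothing else. The point to verify in the failure drill Jon suggests is that shutting gi1/2 on core B does not break traffic arriving at core B: its Vlan10 interface stays up via gi1/10, so it ARPs for the ASA across the core-to-core link and forwards normally.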

Jon Marshall
Hall of Fame

A quick question. Have you run out of ports on the 6500 switches? If not, then it would make a lot more sense to simply connect the ASAs directly to the 4506 switches with the L2 access link I was talking about in my previous post.

Jon
