
HSRP Between two Sites routing through the standby?

Ryan Fisher
Level 1

Hello, I'm having a strange issue, and maybe this is related to me trying to do something that can't really be done, but I'd like to find out what's going on. I have 5 sites all connected by a layer 2 mesh EWAN circuit. At two of my sites, HQ and DR in Las Vegas, I am running HSRP to extend three networks: 2 server networks and 1 management network. I am doing this for the case of failover, because my environment is virtualized and replicated to the DR site. In the event of failover, I can bring up my replicated virtual machines just as they were at the HQ site, and use the HSRP so when the replicated machines come up, they will be on the same network, thus I won't have to re-IP address all the servers. They'll come up on the same network they were originally on.

I have HSRP configured on both ends, and each side can see each other, and appears to be working just fine.  My problem (or question) is, when I ping another site from a server on one of the three HSRP networks from HQ, they seem to route the packet through the standby switch at the DR site in Las Vegas first, which increases the latency of the packet time.  My idea of HSRP was that everything came from the active router as long as the other one was in the Standby state.  I found it odd that it would go out to the other router before going to the destination site.  If I ping from a network that is not one of the HSRP networks, the latency is much lower.

So, is this the normal way HSRP is supposed to work? My latency times from HQ to Vegas average around 15ms, so I thought that could be acceptable to run HSRP between the two sites. Keep in mind that the Vegas site is only for failover, and there are no machines that are running on that network normally, so all routing is done at HQ with all the machines there as well. The default gateway would only move to DR in the event of a failover.

I have included a high-level network diagram to help with the interface config of HSRP to help understand what I'm doing.  I'm also running EIGRP between the sites as well, which is working well.  I can include any other configs as requested.

Thanks!

4 Replies

Terence Payet
Level 1

Hi Ryan,

I think your issue is with spanning-tree.

Can you post sh spanning-tree for vlan 501?

Regards,

Terence

Thanks for the reply.

Show Spanning tree at HQ on core:

SDVCORE-6506#sh spanning-tree vlan 501

VLAN0501
  Spanning tree enabled protocol rstp
  Root ID    Priority    4597
             Address     0008.e3ff.fc28
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    4597   (priority 4096 sys-id-ext 501)
             Address     0008.e3ff.fc28
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 480

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi1/1/23            Desg FWD 4         128.2071 P2p Peer(STP)
Gi2/1/23            Desg FWD 4         128.4119 P2p Peer(STP)
Po10                Desg FWD 3         128.5763 P2p
Po13                Desg FWD 1         128.5764 P2p
Po19                Desg FWD 1         128.5765 P2p Peer(STP)
Po20                Desg FWD 1         128.5766 P2p
Po21                Desg FWD 1         128.5767 P2p Peer(STP)
Po22                Desg FWD 1         128.5768 P2p
Po102               Desg FWD 1         128.5772 P2p
Po103               Desg FWD 1         128.5773 P2p
Po104               Desg FWD 1         128.5774 P2p
Po105               Desg FWD 1         128.5775 P2p
Po106               Desg FWD 2         128.5776 P2p
Po200               Desg FWD 3         128.5778 P2p Peer(STP)
Po111               Desg FWD 1         128.5780 P2p
Po112               Desg FWD 1         128.5781 P2p

Show spanning tree on edge switch at HQ

SDED01-3750#sh spanning-tree vlan 501

VLAN0501
  Spanning tree enabled protocol ieee
  Root ID    Priority    4597
             Address     0008.e3ff.fc28
             Cost        4
             Port        77 (GigabitEthernet2/0/23)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    33269  (priority 32768 sys-id-ext 501)
             Address     0022.0ca9.8900
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300 sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi1/0/28            Desg FWD 4         128.28   P2p
Gi2/0/23            Root FWD 4         128.77   P2p

Show spanning tree at DR site:

dr01-3560#sh spanning-tree vlan 501

VLAN0501
  Spanning tree enabled protocol ieee
  Root ID    Priority    4597
             Address     0008.e3ff.fc28
             Cost        8
             Port        48 (GigabitEthernet0/48)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    33269  (priority 32768 sys-id-ext 501)
             Address     18ef.632d.0600
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300 sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi0/21              Desg FWD 4         128.21   P2p Edge
Gi0/48              Root FWD 4         128.48   P2p
Po10                Desg FWD 3         128.128  P2p
Po11                Desg FWD 3         128.136  P2p
Po12                Desg FWD 3         128.144  P2p

Hope this helps!  Thanks!

I'm wondering if the way the core switch is connected to the edge switch at HQ is messing with spanning tree?

This is how they're connected:

Port Channel, no switchport routed interface with IP address assigned on each end

SDED01-3750 Gig 2/1/24 to WS-C3750G Gig 2/0/24
SDED01-3750 Gig 1/1/24 to WS-C3750G Gig 1/0/24

Separate Trunk port, only allowing HSRP vlans

SDED01-3750 Gig 2/1/23 to WS-C3750G Gig 2/0/23

This was configured this way because originally the guys who built our network connected the core and the edge switch with a routed interface.  That was fine, the edge didn't participate in VTP so it didn't get all the vlans from the core.

Then, when I wanted to extend the server vlan to the DR site, (which was connected through the edge switch) I had to have a trunk port to the edge for it to pass the HSRP information to the other site.  So instead of removing the routed interface port channel, I added the third connection so it could pass through what it needed.

But now I'm wondering if STP is being messed with because of the way that is connected?  Here are the interface configs for each switch

Core:

interface GigabitEthernet1/1/24
 description Po100
 no switchport
 no ip address
 channel-protocol lacp
 channel-group 100 mode active
end

interface GigabitEthernet2/1/24
 description Po100
 no switchport
 no ip address
 channel-protocol lacp
 channel-group 100 mode active
end

interface Port-channel100
 description SDED01-3750 PC
 no switchport
 ip address 10.200.253.2 255.255.255.252
end

interface GigabitEthernet2/1/23
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 15,501,521,920
 switchport mode trunk
 switchport nonegotiate
end

Edge switch

interface GigabitEthernet1/0/24
 description SDVCORE PO1 G1/1/24
 no switchport
 no ip address
 logging event trunk-status
 logging event bundle-status
 channel-group 1 mode active
end

interface GigabitEthernet2/0/24
 description SDVCORE PO1 G2/1/24
 no switchport
 no ip address
 logging event trunk-status
 logging event bundle-status
 channel-group 1 mode active
end

interface Port-channel1
 description ED-VCORE g1/0/24,g2/0/24
 no switchport
 ip address 10.200.253.1 255.255.255.252
 no ip proxy-arp
end

interface GigabitEthernet2/0/23
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 15,501,521,920
 switchport mode trunk
 switchport nonegotiate
end

Thanks!

Kallol Bosu
Cisco Employee

Hey Ryan,

In short, I see HSRP is working as expected. Let me simplify your topology. I guess the hosts at Las Vegas site are going through EWAN to reach their default gateway which is at San Diego, right?

Packet flow from HSRP LAN to WAN sites-

===================================

1. HQ San Diego LAN---> HSRP active router-----> WAN-----Other sites like Austin

!

2. Las Vegas LAN (same subnet as San Diego)---> HSRP standby (L2)---> HSRP Active@ San Diego (gateway)-----WAN------Other sites like Austin

So that means a host attached to Las Vegas LAN (physical) needs to cross the EWAN to reach its default gateway first (San Diego) and then it will be routed to other sites through WAN. This itself will add some latency.

Packet flow from Austin to a host residing at San Diego 

==================================

You are saying that when you ping from another site (say Austin) to San Diego then Austin router actually routes the packet through Las Vegas, right?

It completely depends on Routing metric/table that Austin router has. HSRP is not playing a role here as it can't influence the routing table of Austin or other WAN sites. Here we are talking about WAN side connectivity. I guess Austin router will have two routes to reach the HSRP LAN segment - one through San Diego link and other through Las Vegas circuit (assuming EWAN is just a layer 2). Not sure which routing protocol you are using between the sites; can you not tweak the metric to make sure other sites will route the traffic to San Diego instead of Las Vegas?

Regards,

Kallol
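
An added example, not part of the thread: a small model of the route choice a remote site makes if, as the reply above assumes, both HQ and DR advertise the stretched HSRP subnet into EIGRP. It uses the classic EIGRP composite metric with default K values; the bandwidth and delay figures and the function names are constructed for illustration.

```python
# Classic EIGRP composite metric with default K values (K1 = K3 = 1):
#   metric = 256 * (10^7 // min_bandwidth_kbps + total_delay_usec // 10)
# HSRP priority appears nowhere in this calculation.

def eigrp_metric(hops):
    """hops: list of (bandwidth_kbps, delay_usec), one per outgoing interface."""
    min_bw = min(bw for bw, _ in hops)
    total_delay = sum(delay for _, delay in hops)
    return 256 * (10**7 // min_bw + total_delay // 10)


def best_next_hops(paths):
    """paths: {next_hop: hops}. Returns (best metric, next hops that tie for it)."""
    metrics = {nh: eigrp_metric(hops) for nh, hops in paths.items()}
    best = min(metrics.values())
    return best, sorted(nh for nh, m in metrics.items() if m == best)


# Constructed interface values (assumptions, not taken from the thread).
WAN_LINK = (100_000, 100)   # 100 Mb/s EWAN handoff, 100 usec delay
SVI_BW = 1_000_000          # SVI of the stretched VLAN, 1 Gb/s


def remote_site_view(dr_svi_delay_usec=10):
    """Routes a remote site (e.g. Austin) holds for the stretched subnet.

    Both HQ and DR own an SVI in the subnet, so both advertise it as
    connected. dr_svi_delay_usec models raising the delay on the DR SVI.
    """
    paths = {
        "HQ": [WAN_LINK, (SVI_BW, 10)],
        "DR": [WAN_LINK, (SVI_BW, dr_svi_delay_usec)],
    }
    return best_next_hops(paths)


if __name__ == "__main__":
    # Identical metrics: the remote site may send traffic to the standby at DR,
    # which then bridges it back across the WAN to the host at HQ.
    print("default delay on DR SVI:", remote_site_view())
    # A higher delay on the DR SVI leaves HQ as the only best path.
    print("raised delay on DR SVI: ", remote_site_view(1000))
```

With equal metrics the remote router can install both paths, which is consistent with the extra latency seen only on the HSRP networks; the HSRP active/standby state never enters the calculation.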
