05-10-2012 07:56 AM - edited 03-07-2019 06:38 AM
Hello,
I currently use L3 switches as edge routers to my WAN. I want to use a pair of 3560x switches with IPbase to provide a failover path to my WAN using HSRP at one location but had some problems testing the configuration. My plan is to use a virtual address on the LAN interface (VLANx which port gi0/1 accesses) and the WAN interface (VLANy which port gi0/24 accesses). I want switch 1 to be primary since it will have an IPS attached to it, and switch 2 will be backup and used only when switch 1 or the IPS requires maintenance. On both the LAN and WAN sides there is no advanced routing going on, the various hosts just depend on the availability of their respective default gateways, so HSRP should be sufficient to provide a failover in either direction.
In my testing I got 1 or the other link to fail over but not the entire switch. What should my config look like to achieve failover of the entire switch in the event 1 or the other interface goes down, and fail back when the primary links are again available?
05-10-2012 08:03 AM
Hello Quintin,
You need to combine preemption with interface tracking.
Preemption provides the capability for the device with the higher priority to take the role of active router in the HSRP group.
Tracking allows the HSRP priority to be reduced if a monitored interface fails.
See the config guide for HSRP.
Hope to help
Giuseppe
05-10-2012 08:22 AM
   WAN device
    |      |
    |      |
   SW1----SW2
So, if I understand this correctly you want SW1 to be your primary path for traffic going to the WAN device and the secondary path to be from SW2 to your WAN device. If this is the case there are a few things to consider for a proper and predictable overall design which goes beyond just who is primary for WAN traffic.
1. configure SW1 to be your spanning-tree root bridge. I would recommend setting SW1 priority to 4096 and SW2 priority to 8192. This will just get your devices in sync on who is primary for L2 and L3 traffic. I personally like this because it establishes a degree of intuitive predictability.
2. now for HSRP.
SW1 configuration should look like this:
interface Vlan [vlan-id]
 standby 1 ip X.Y.Z.1
 standby 1 priority 120
 standby 1 preempt

SW2 configuration should look like this:
interface Vlan [vlan-id] <--- same vlan-id as SW1
 standby 1 ip X.Y.Z.1 <--- same virtual ip configured on SW1
 standby 1 priority 110
If I'm understanding your requirements the above should be all you need. The "preempt" configuration on SW1 will allow it to be the primary once it becomes reachable again.
05-10-2012 08:44 AM
Thank you both.
rettuc, shouldn't tracking come into play as Giuseppe indicated? And how would configuring spanning tree on these devices affect the rest of the network? The G10/1 interfaces of these devices would be plugged into a switch stack comprising my core network and routes.
05-10-2012 09:39 AM
I was working on a number of other things and tracking completely slipped my mind, but yes...Giuseppe is on track, pun intended
So adding tracking changes the configuration I previously posted to the following (noted by *);
2. now for HSRP.
SW1 configuration should look like this:
interface Vlan [vlan-id]
 standby 1 ip X.Y.Z.1
 standby 1 priority 120
 standby 1 preempt
* standby 1 track [interface] 40

SW2 configuration should look like this:
interface Vlan [vlan-id] <--- same vlan-id as SW1
 standby 1 ip X.Y.Z.1 <--- same virtual ip configured on SW1
 standby 1 priority 110
* standby 1 preempt
* standby 1 track [interface] 40
NOTE:
- I added preempt on SW2 so it will take the active role when the priority on SW1 is reduced due to link failure
- I added tracking to SW2 because you don't need it to have a higher priority, thus allowing it to take the active role, if its tracked interface to the WAN device goes down before or at the same time the tracked link between SW1 and the WAN device goes down. In this scenario there is no benefit in changing who is the active standby. Without this added to SW2 its priority will remain at 110 when its link to your WAN devices drops while SW1's priority will decrement by 40.
Hope this helps!
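The priority arithmetic described in the post above, as an added example that is not part of the original thread: a small Python model of one HSRP group using the posted values (120/110, decrement 40) to show which switch ends up active with and without preempt and tracking on SW2. The class and function names are hypothetical, and the model assumes both switches keep exchanging hellos on the HSRP VLAN.

```python
from dataclasses import dataclass

@dataclass
class Switch:
    name: str
    priority: int         # "standby 1 priority N"
    preempt: bool         # "standby 1 preempt" configured?
    decrement: int = 0    # "standby 1 track [interface] N"; 0 = no tracking
    wan_up: bool = True   # state of the tracked interface

    def effective(self) -> int:
        # Tracking lowers the priority only while the tracked interface is down.
        return self.priority if self.wan_up else self.priority - self.decrement

def elect(active: Switch, standby: Switch) -> Switch:
    # The standby takes over only if it has preempt AND a strictly higher
    # effective priority; otherwise the current active router keeps the role.
    # (Equal-priority tie-breaking is not modeled here.)
    if standby.preempt and standby.effective() > active.effective():
        return standby
    return active

def run(events, sw2_preempt=True, sw2_decrement=40):
    """Replay (switch, tracked-link-up?) events; return the active router after each."""
    sw = {"SW1": Switch("SW1", 120, True, 40),
          "SW2": Switch("SW2", 110, sw2_preempt, sw2_decrement)}
    active, standby = sw["SW1"], sw["SW2"]
    history = []
    for name, wan_up in events:
        sw[name].wan_up = wan_up
        winner = elect(active, standby)
        if winner is not active:
            active, standby = winner, active
        history.append(active.name)
    return history

# Constructed event sequences, not captured from real equipment.
FAIL_AND_RESTORE = [("SW1", False), ("SW1", True)]   # SW1 WAN link drops, then returns
BOTH_FAIL = [("SW2", False), ("SW1", False)]         # SW2 link drops first, then SW1's

if __name__ == "__main__":
    print("posted config       :", run(FAIL_AND_RESTORE))
    print("no preempt on SW2   :", run(FAIL_AND_RESTORE, sw2_preempt=False))
    print("both links down     :", run(BOTH_FAIL))
    print("SW2 without tracking:", run(BOTH_FAIL, sw2_decrement=0))
```
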
05-10-2012 09:44 AM
oh yeah forgot to answer the spanning-tree question.
My suggestion regarding spanning-tree root was just an additional suggestion...separate from the HSRP question.
In my honest opinion when engineering traffic behavior it's best to design both L2 and L3 from the same perspective. In this case HSRP is identifying SW1 as primary and SW2 as secondary from a layer 3 perspective while my spanning-tree suggestion identifies SW1 as primary and SW2 as secondary from a layer 2 perspective.
05-15-2012 08:19 AM
Thank you all. I was able to do what I needed in a lab environment, so now I just need to apply it to the equipment I want it on. Thanks so much for your help and advice.
10-18-2012 02:24 PM
To all who helped with this previously, thank you. There is one thing that I have found though that is confusing.
In testing the setup before implementing, I have a PC on the WAN side trying to ping from the WAN interface of the switches, through the LAN interface, through the fa0/1 interface of a router on the LAN side, to the fa0/1 interface on the other side of the router. If I pull the cable on the WAN side, failover takes place in about 15 to 30 seconds and my ping continues. If I pull the cable on the LAN side though, failover takes place after about 2 1/2 minutes. I was thinking there may be some routing or ARP issue, but the router has as its default route the standby LAN address of the standby pair, and of course, the MAC address for that reflects the virtual MAC of the standby address. Any ideas why one failover is so much longer than the other?
Sent from Cisco Technical Support Android App