But I need to configure first HSRP in the switch L3, right? I have never configured hsrp.

The topology provided doesn't really indicate the need for HSRP. There is no place to run HSRP.

In a general sense, if there were two principal switches operating at Layer 3, with each connected to one ISP and switch 0, 1 and 2 had uplinks to each, then it would make sense to run HSRP between the two principal switches. So if one failed the other would take over.

Hope this helps, and if necessary please elaborate further on what you are trying to accomplish.

Regards

Thanks for reply.

Ok. I have a secundary isp because sometimes my primary isp is down. I want to have a redundant link that if my principal ISP is down, my secundary start working immediately (yes, with the respect relay). 

I understand you about use two switch L3. But, why can't I use just one L3 with a vlan between ISP1 and ISP2?

Regards,

I understand you about use two switch L3. But, why can't I use just one L3 with a vlan between ISP1 and ISP2?

As I said before, the ISPs don't run HSRP or VRRP on their side and in this case you don't need it.

Ok. I have a secundary isp because sometimes my primary isp is down. I want to have a redundant link that if my principal ISP is down, my secundary start working immediately (yes, with the respect relay). 

Run layer-3 on your switch and all you need is 2 /30s (one to each ISP) and 2 default routers (one to each ISP) configured on your switch. With this config, if the primary ISP fails the backup will take over without any downtime.  When both ISPs are up and running, the traffic will be load balanced to both ISPs.

HTH

Ok understand.

Is this design better?

Two switch L3 for HSRP (one switch to ISP) and other switch L3(Switch 0) for connect my all network.

Yes, this design gives you redundancy.  So, if the 3560 on the left side fails, you have another one on the right side to use. You can run HSRP or VRRP between the 2 3560s for outbound traffic exiting your network.

HTH

Perfect!

But I have some doubts using HSRP:

1. I have multiple vlans. In this design I have 3, but in my real design I have 20 vlans. Question is, how the multiple vlans will work with HSRP if I have multiple gateway with the vlans?

Can I do multiple HSRP group for the different vlans? 

Also, "In order to avoid possible problems when by accident two broadcast domains are joined I would use HSRP with authentication using a different password in each vlan", right?

PD: I don't use DHCP in my network for the Gateway IP

2. If I do a configuration in 3560 Multilayer SW-1, Do I have to do the same configuration in the other one?

Thanks,

It does not matter how many vlans you have. You just create one HSRP instance per vlan and you make say the left side HSRP master by giving it a higher priority and keep the right side as default. All vlans would traverse the left side to get out and if the left side switch fails, the right side will take over packet forwarding. The config for both switches is the same except the physical IP address and the priority which only the master side need it.

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipapp_fhrp/configuration/xe-3s/fhp-xe-3s-book/fhp-hsrp.html

HTH

I did the configuration of the HSRP in both switch, but when I down the interface from the router1 -> sw1 is not working, because the packet must go from sw-2 -> router2.

This is the HSRP configuration, SW-1-L3

Vlan209 - Group 1

State is Active

7 state changes, last state change 00:15:58

Virtual IP address is 190.191.209.30

Active virtual MAC address is 0000.0C07.AC01

Local virtual MAC address is 0000.0C07.AC01 (v1 default)

Hello time 3 sec, hold time 10 sec

Next hello sent in 2.893 secs

Preemption enabled

Active router is local

Standby router is 190.191.209.3

Priority 200 (configured 200)

Group name is hsrp-Vl2-1 (default)

SW-2-L3

Vlan209 - Group 1

State is Standby

3 state changes, last state change 00:16:21

Virtual IP address is 190.191.209.30

Active virtual MAC address is 0000.0C07.AC01

Local virtual MAC address is 0000.0C07.AC01 (v1 default)

Hello time 3 sec, hold time 10 sec

Next hello sent in 1.829 secs

Preemption enabled

Active router is 190.191.209.2

Standby router is local

Priority 150 (configured 150)

Group name is hsrp-Vl2-1 (default)

Thanks,

I did the configuration of the HSRP, but is not working. I down the interface fa0/1 from SW-ISP-1 and not working.

This is my confguration in the sw-ISP-1

interface Vlan209

mac-address 00d0.bacc.1201

ip address 190.191.209.2 255.255.255.0

standby 1 ip 190.191.209.30

standby 1 priority 200

standby 1 preempt

and in the sw-isp-2

interface Vlan209

mac-address 0002.165b.5101

ip address 190.191.209.3 255.255.255.0

standby 1 ip 190.191.209.30

standby 1 priority 150

standby 1 preempt

!

What am I doing wrong?

Thanks,

So, a couple of comments regarding your config.

1-You don't need the "mac-address x.x.x" commands

2-Also, on the sw-isp-2 you don't need the preamp and priority commands:

here are the commands with changes:

sw-ISP-1

interface Vlan209

ip address 190.191.209.2 255.255.255.0

standby 1 ip 190.191.209.30

standby 1 priority 200

standby 1 preempt

and in the sw-isp-2

ip address 190.191.209.3 255.255.255.0

standby 1 ip 190.191.209.30

Questions:

Are you running a layer-3 link between the sw-isp-1 and sw-isp-2 (fa0/1)?

Can you ping all ips  .2, .3 and 30?

If hsrp working as expected, try to shut down interface fa0/2 on sw-isp-1.  Does the traffic failover to sw-isp-2?

What is the output of "sh standby"?

HTH

1. Yes, i am running a layer-3 link betwen both sw-1 and sw-2.

2. Yes, I can ping .2, .3, .30

3. I shut down interface fa0/2 on sw-isp-1 and the traffic failover to sw-isp-2 to ISP1.

I can ping ISP1 from host with vlan 209, but I can't ping ISP2.

here the standby output:

SW-1:

Vlan209 - Group 1

State is Active

7 state changes, last state change 00:00:21

Virtual IP address is 190.191.209.30

Active virtual MAC address is 0000.0C07.AC01

Local virtual MAC address is 0000.0C07.AC01 (v1 default)

Hello time 3 sec, hold time 10 sec

Next hello sent in 0.017 secs

Preemption enabled

Active router is local

Standby router is 190.191.209.3, priority 150 (expires in 8 sec)

Priority 200 (configured 200)

Group name is hsrp-Vl2-1 (default)

SW-2:

Vlan209 - Group 1

State is Standby

8 state changes, last state change 00:00:40

Virtual IP address is 190.191.209.30

Active virtual MAC address is 0000.0C07.AC01

Local virtual MAC address is 0000.0C07.AC01 (v1 default)

Hello time 3 sec, hold time 10 sec

Next hello sent in 1.166 secs

Preemption disabled

Active router is 190.191.209.2, priority 200 (expires in 8 sec)

MAC address is 0000.0C07.AC01

Standby router is local

Priority 150 (configured 150)

Group name is hsrp-Vl2-1 (default)

This's what I need. Fa0/1 Sw-ISP-1 is down, failover the traffic to SW-ISP-2 -> Router2

Thanks,

Ok, so all is working except when fa0/1 is shut down.

This's what I need. Fa0/1 Sw-ISP-1 is down, failover the traffic to SW-ISP-2 -> Router2

for this to work, you need to configure HSRP tracking.

Have a look at this link for config examples:

https://www.cisco.com/c/en/us/td/docs/switches/blades/3040/software/release/12-2_44_se/configuration/guide/swhsrp.html#wp1083935

HTH