cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2782
Views
0
Helpful
14
Replies

Local VLANs & HSRP

alistair777
Level 1
Level 1

Hi,

I have an access layer switch with two trunks facing two seperate routers which are connected together via a L3 link and L2 trunk (this is a mixed End-to-End VLAN and Local VLAN scenario).

I would like to use HSRP to have a virtual gateway for the interface VLAN in question - however this is a local VLAN and therefore no trunk ports on the access layer switch are blocked (V shaped).

My worry is that if I allow this VLAN on the trunk between the two routers I will have created a loop, is there anyway I can get the HSRP setup live without allowing it on the trunk between the router?

As stated this is a mixed End-to-End and Local VLAN design to only end-to-end VLANs are allowd on the trunk between the distribution/core to prevent loops. Would allowing a Local VLAN on the trunk create a loop or would the L3 link also on them (etherchannel) stop this L2 broadcast?

PS, the discussion at https://supportforums.cisco.com/discussion/12587771/l2l3-etherchannel may provide a better undestanding.

All help is much appreicated,

Thank you

1 Accepted Solution

Accepted Solutions

Basically yes.

STP only needs to block links if a loop forms at L2.

So if you have a pair of core/distro switches (sw1 and sw2) and an access switch (as1) and there is only one vlan on as1 -

1) if you connect as1 with L2 links to sw1 and sw2 and you have a L3 link between sw1 and sw2 then there is no L2 loop.

A broadcast could be sent on either link from as1 but it would be terminated on sw1 or sw2 depending on which uplink is used.

2) if you use a trunk between sw1 and sw2 and the vlan on as1 is allowed on the trunk then you now have a loop.

A broadcast sent from as1 on uplink to sw1 would be forwarded across the trunk to sw2 and back to as1 and then back to sw1 etc.

But STP would not allow that loop.

Before any traffic is forwarded (unless you are using Nexus switches) STP would break that loop by blocking one of the ports, usually one of the access switch uplink ports.

So now traffic cannot be looped because one of as1's ports simply doesn't forward the traffic.

A lot of redundant topologies have L2 loops but under normal circumstances STP will break that loop and only bring the port up if one of the other active ports fails.

There is absolutely nothing wrong with having L2 looped topologies as long as you run STP but equally there is nothing wrong with your L3 interconnect and it does have advantages in terms of uplink usage.

Obviously the L3 interconnect design works only for vlans that are confined to a single access switch but you can mix and match as it sounds like you have done.

Jon

View solution in original post

14 Replies 14

Hello,

I am a little confused. What is the purpose of trunk between two distributed switches If you did not allow any VLAN on trunk interface?

Did you configure PVST and specifiy root bridge priority?

It would help if you sketch your topology and share some part of your configuration on your distributed switches.

Masoud

Hi Masoud,

Yes PVST is configured and root brige on R1 is lowest with R2 as the secondary root bridge.

A trunk has been configured between the routers to allow end-to-end VLAN communication.

There is a L3 etherchannel (interface vlan 90) to pass traffic and a L2 trunk between them for end-to-end VLAN communication from L2 switches at the access layer.

My knowledge is that a L3 link is needed in a Local VLAN environment and L2 for End-to-End.

This is based on the fact that a L2 access switch will not block uplinks to the core routers as it is a V shaped topology (assuming it is not allowed on the trunk between them). So in effect the L3 SVI will stop the L2 broadcast such as an ARP request.

However for End-to-End VLANs, a switch as the access layer will block it's redundant uplink to the distribution layer so there is no need to worry about a loop forming.

The link I provided may give you more insight into the situation.

My question ultimately is how do I allow Local VLANs on the trunk between R1 and R2 without risking a L2 broadcast storm, if I do allow it on the trunk will RSTP on an access layer switch containing Local VLANs recognise the loop and mark one of it's port as "Alternate" where the adjacent port is lower priority.

Thanks,

If you have an access switch with a vlan that is only on that access switch and no others then both it's uplinks will be forwarding.

In which case you can run HSRP and the HSRP hellos will go via the access switch, no need to allow the vlan across your trunk interconnect.

In this scenario if your L3 devices support it then GLBP is a better choice because traffic would then use both uplinks.

What is important is that on your core/distro switches the only ports in that vlan are the ones for the links to the access switches because if an access switch uplink fails then you need the SVI on the corresponding core/distro switch to go down as well.

If it doesn't then both core/distro switches will be advertising that IP subnet to other parts of your network so return traffic to the access switch could come back to either core/distro switch and obviously with no L2 trunk between the pair then if traffic comes back to the switch with the failed link it will not be able to forward the traffic to the access switch.

Jon

Hi Jon,

Thanks for the response I thought so although I have observed the following:

The standby interface stays in Init mode, only when it is allowed on the trunk does the interface then switch to Standby. I have then tested failover and this works when the Active out of the pair is manually shutdown.

Is there anyway to configure Local VLANs with HSRP without adding it on the Layer 2 trunk?

Thanks again

I just updated my previous post.

The SVI must go down otherwise you get routing issues.

It should go down as long as the port(s) connecting to the access switch go down when they fail at the access switch end.

Is this not happening ?

Jon

Hi Jon,

Thanks for that I too updated mine yes I can see how that could be an issue if the Active HSRP interface was live but the uplink itself on the switched failed. 


That aside however would there be away to bring up both HSRP Active/Standby pair without allowing the Local VLAN on the trunk between the distribution layer?

My logic was that the interface VLAN for the active/standby addresses might prevent L2 broadcasts loops.

No there wouldn't.

For HSRP to work you need L2 adjacency and if an access switch uplink fails there is only a L3 path between the core/distro pair so it won't work.

You would have to allow the vlan across the trunk and in that case one of the links, preferably one of the access switch uplinks, would block.

Jon

Thanks for confirmation so are you saying it would be wise to switch to GLBP to get round the L2 loop issue (ie, ARP request broadcast looping) for Local VLANs in HSRP?

Two different things.

HSRP vs GLBP is about usage of your uplinks when everything is up and running ie. with HSRP all outbound traffic from the access switch only uses one link, the one to the HSRP active switch.

Inbound traffic to the access switch could use either link though.

GLBP uses both uplinks from the access switch.

Neither of them addresses a L2 loop issue, that is what STP does.

So if you allow the vlan on the trunk you have a loop but that doesn't mean broadcasts etc. will loop because STP steps in and blocks one of the links so there is no loop.

In that scenario HSRP is a better choice ie. match the STP root switch with the HSRP active switch.

There is nothing wrong with your idea of not allowing the vlan across the trunk link but, as I said before, you must make sure the SVI for the vlan on the core/distro switch with the failed link to the access switch goes down.

If it doesn't you will be dropping traffic.

Jon

Hi Jon,


I think my issue may arise with my understanding of STP - I posted a question a while ago concerning Local VLANs and created a lab in packet tracer. I could see that the uplinks were not blocked due to the V topology created. (No loop as the VLAN is not on the trunk)

But when it is added to the trunk the topology changes and spanning-tree detects the loop and blocks a port - is this what you are saying?

Basically yes.

STP only needs to block links if a loop forms at L2.

So if you have a pair of core/distro switches (sw1 and sw2) and an access switch (as1) and there is only one vlan on as1 -

1) if you connect as1 with L2 links to sw1 and sw2 and you have a L3 link between sw1 and sw2 then there is no L2 loop.

A broadcast could be sent on either link from as1 but it would be terminated on sw1 or sw2 depending on which uplink is used.

2) if you use a trunk between sw1 and sw2 and the vlan on as1 is allowed on the trunk then you now have a loop.

A broadcast sent from as1 on uplink to sw1 would be forwarded across the trunk to sw2 and back to as1 and then back to sw1 etc.

But STP would not allow that loop.

Before any traffic is forwarded (unless you are using Nexus switches) STP would break that loop by blocking one of the ports, usually one of the access switch uplink ports.

So now traffic cannot be looped because one of as1's ports simply doesn't forward the traffic.

A lot of redundant topologies have L2 loops but under normal circumstances STP will break that loop and only bring the port up if one of the other active ports fails.

There is absolutely nothing wrong with having L2 looped topologies as long as you run STP but equally there is nothing wrong with your L3 interconnect and it does have advantages in terms of uplink usage.

Obviously the L3 interconnect design works only for vlans that are confined to a single access switch but you can mix and match as it sounds like you have done.

Jon

Hello

May I provide a possible solution - this may be incorrect has I have read this post a few times and still cannot the hell of me understand the current topology - however Jon seems too and that good enough for me-

"I have an access layer switch with two trunks facing two seperate routers which are connected together via a L3 link and L2 trunk (this is a mixed End-to-End VLAN and Local VLAN scenario)."

With the above statement would a possibility of Flex link be applicable - Specify a primary access trunk with preemption and mac update move feature set for vlan 100, this way if the primary trunk interface goes down then the secondary trunk will be activated and mac- address update sent via the secondary link.

 

As I said I don’t 100% understand the topology so this is really a shot in the dark and if this is not applicable apologies -

example:
interface x/x
Descritpton Primary trunk
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 100
switchport mode trunk
switchport backup interface Fa0/2
switchport backup interface Fa0/2 mmu primary vlan 100 <------ mac move update
switchport backup interface Fa0/2 preemption mode forced <------specifys back link with preemption


res
Paul

 


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Hello,

Just adding to Jon .

STP and HSRP work independently. STP is a protocol for loop prevention.

HSRP is a protocol providing gateway redundancy if failure happens. (sharing gatway on two switches)

HSRP is not the cause of the loop. cause of loop is misconfiguration of STP. Allowing VLAN on the trunk may cause the loop if STP does not work well.

You need to configure STP correctly and allow VLANs on the trunk. Afterward, configuring HSRP is only a few steps.

Masoud

The SVI won't block L2 loops because it is a L3 interface.

That is what STP is for.

Jon

Review Cisco Networking for a $25 gift card