Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4568
Views
15
Helpful
4
Replies

Split-brain conundrum with HSRP

Go to solution
mike0000111111
Level 1
Level 1

‎02-28-2015 12:05 PM - edited ‎03-07-2019 10:53 PM

Hi Cisco Experts:

 

I have a split-brain issue with HSRP running on (2x) 3560 switches.  If my ether-channel goes down between my two 3560 switches, HSRP is going to make both switches active gateways for the same subnet - effectively splitting my subnet and creating a black hole scenario.  How do I mitigate Split-Brain given the following requirements? 

I'd like to maintain the following in my topology design:

  1. I'd like the vlan's to cross switches without needing to first be routed.  (I.e., I don't want to turn my etherchannel into a routed channel.)
  2. I don't want to place all Vlan's and their corresponding SVI's on the same switch. (E.g., I don't want all Voice VLan Devices and corresponding Voice VLanSVI to be on the same switch.)
  3. I definitely want routing to be done by the L3 Switches.
  4. I could just create a second Ether-Channel, but then I'd have a switching loop - which I want to avoid.
  5. I don't want to buy more equipment.

Things that can change.

  1. I don't have to use HSRP - any FHRP will work for me.
  2. Anything else not specifically mentioned above in the topology design.

Topology Graphic included:

 

Thank you very much for your time,

 

-Mike

Labels:
Preview file
44 KB
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame

‎02-28-2015 01:41 PM

Mike

That is why you use etherchannel, that is how you mitigate the failure.

It is highly unlikely all ports in the etherchannel will fail and if they do in all likelihood this means one of the switches has failed in which case no problem.

That said, presumably you have access switches connected to both 3560s or else why run HSRP. And each access switch is blocking per vlan on one of it's uplinks due to STP.

In which case even if the entire etherchannel failed you still wouldn't get both switches going active for HSRP because STP would start forwarding on the previously blocked link so HSRP messages between the 3560s could flow via the access layer switches.

Edit - depending on vlan placement on switches it's complicated as to whether all access switches would unblock their links or just one access switch per vlan but you still have a path between your 3560s for that vlan via at least one access switch.

Jon

View solution in original post

4 Replies 4

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame

‎02-28-2015 01:41 PM

Mike

That is why you use etherchannel, that is how you mitigate the failure.

It is highly unlikely all ports in the etherchannel will fail and if they do in all likelihood this means one of the switches has failed in which case no problem.

That said, presumably you have access switches connected to both 3560s or else why run HSRP. And each access switch is blocking per vlan on one of it's uplinks due to STP.

In which case even if the entire etherchannel failed you still wouldn't get both switches going active for HSRP because STP would start forwarding on the previously blocked link so HSRP messages between the 3560s could flow via the access layer switches.

Edit - depending on vlan placement on switches it's complicated as to whether all access switches would unblock their links or just one access switch per vlan but you still have a path between your 3560s for that vlan via at least one access switch.

Jon

Go to solution
mike0000111111
Level 1
Level 1
In response to Jon Marshall

‎02-28-2015 02:36 PM

Hi Jon:

Thank you for the reply.  

I have two quick follow-up questions: 1) Is it likely, given default timings, that HSRP could go dual-active before STP can unblock the access switch links?  2) Are there any common issues where PAgP takes a dive and renders all associated ports inoperable - resulting in a dual-active scenario?

Thanks,

Mike

0 Helpful

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame
In response to mike0000111111

‎02-28-2015 03:28 PM

Mike

1) It depends on the version of STP you are running.

With standard STP ie. not RSTP then yes because it could take up to 50 seconds for STP to unblock the link whereas HSRP standard timers are 3 seconds for each hello and if the standby router does not receive a hello for 10 seconds it will go active.

There are some optimisations with STP that can speed up convergence but even with those HSRP could still be quicker.

With RSTP as long as you have configured the ports correctly then it should be able to unblock in time.

2) I haven't seen any major issues to be honest. The one major related issue with etherchannel is if you need to add configuration and people configure the individual ports rather than the port channel interface which can cause inconsistencies between ports meaning they can drop out of the etherchannel with potential STP loops.

On the whole from my experience etherchannels are reliable once setup correctly. I have seen more problems with actual switches crashing or reloading etc. although that may just be my experience.

Jon

 

Go to solution
mike0000111111
Level 1
Level 1
In response to Jon Marshall

‎02-28-2015 03:32 PM

Thank you very much, Jon.  Enjoy your weekend!

-Mike

0 Helpful
Customers Also Viewed These Support Documents