11-15-2014 12:18 PM - edited 03-07-2019 09:31 PM
I am trying to learn as much as possible about networking and Cisco. I am trying to build the following network to practice redundancy. I set up HSRP on my routers because it is the only protocol available on Packet Tracer. The following setup works, but how would I go about adding the VLANs to switch ALPHA and switch BETA? I would like to use access lists for security, for example Sales can't access Accounting but Accounting can access Sales. I can do that with one layer 3 switch, but how do I do it with 2? Do I add the same VLANs to both switches? Should the configurations on both switches be exactly the same? Because I tried that and for some reason the VLANs could not communicate unless I changed the interface to dot1q and trunk mode. I thought it would be easier to change all interfaces at one time, but when I tried that STP failed. I tried setting only the interfaces being used to dot1q and trunk mode on one switch and it worked, but as soon as I did it for the other, STP failed again. I read that layer 3 switches can have HSRP, but it seems like a waste of a switch. I've looked online and can't seem to figure it out. So my question is how do I set this up? I would like to add hosts and a server later, but I can't even get this to work. Hopefully someone can help me out with this, as I find it very interesting and am eager to figure it out.
11-15-2014 12:33 PM
Carlos,
Your 3560s, along with the other switches depending on what you're trying to do, will need to have the same VLANs configured on them. Think of it this way: if you're passing traffic through a switch in one VLAN, and that switch were to go down, redundancy would fail because the other switch doesn't know about the VLAN. So that's one reason why you need to carry that VLAN everywhere.
I'm not sure where your actual issue is, though. The two routers only need to be in their respective VLANs. Let's say you're using VLAN 1 on 192.168.1.0/24. The standby IP is 192.168.1.1 on the routers, with .2 and .3 being the physical addresses. The routers only need to be on access ports in VLAN 1. You don't need subinterfaces or anything like that on the routers, since the switches are doing the routing for you.
The switches, on the other hand, will be doing the routing. For failover to work between these, you would also need HSRP configured on the VLAN SVIs:
Alpha
! SVI for VLAN 10; real address .2, shared (virtual) gateway .1
int vlan 10
ip address 10.10.10.2 255.255.255.0
standby 1 ip 10.10.10.1
Beta
! same SVI and HSRP group on the second switch, with its own real address
int vlan 10
ip address 10.10.10.3 255.255.255.0
standby 1 ip 10.10.10.1
All of the hosts in that VLAN would use 10.10.10.1 as the default gateway, and if the primary in your HSRP group were to go down, then you would fail over to the Beta switch.
HTH,
John
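A worked configuration for the two-switch layout John describes and the one-way Sales/Accounting rule Carlos asked for, added here as an example and not taken from the thread or from Carlos's Packet Tracer file. VLAN 2 (Sales, 10.2.0.0/24), VLAN 3 (Accounting, 10.3.0.0/24), the trunk port Fa0/24 and the ACL name SALES-IN are assumptions. The ACL uses the established keyword, which only matches TCP flags, so it does not restrict UDP or ICMP between the two VLANs.

```ios
! ---- Switch ALPHA (HSRP active for both VLANs) ----
hostname ALPHA
ip routing
vlan 2
 name Sales
vlan 3
 name Accounting
interface FastEthernet0/24
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 2,3
! Accounting may open TCP sessions to Sales; Sales may only answer them
ip access-list extended SALES-IN
 permit tcp 10.2.0.0 0.0.0.255 10.3.0.0 0.0.0.255 established
 deny   ip  10.2.0.0 0.0.0.255 10.3.0.0 0.0.0.255
 permit ip  10.2.0.0 0.0.0.255 any
interface Vlan2
 ip address 10.2.0.2 255.255.255.0
 ip access-group SALES-IN in
 standby 2 ip 10.2.0.1
 standby 2 priority 110
 standby 2 preempt
interface Vlan3
 ip address 10.3.0.2 255.255.255.0
 standby 3 ip 10.3.0.1
 standby 3 priority 110
 standby 3 preempt
! ---- Switch BETA (standby; same VLANs, trunk and ACL, own addresses) ----
hostname BETA
ip routing
vlan 2
 name Sales
vlan 3
 name Accounting
interface FastEthernet0/24
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 2,3
ip access-list extended SALES-IN
 permit tcp 10.2.0.0 0.0.0.255 10.3.0.0 0.0.0.255 established
 deny   ip  10.2.0.0 0.0.0.255 10.3.0.0 0.0.0.255
 permit ip  10.2.0.0 0.0.0.255 any
interface Vlan2
 ip address 10.2.0.3 255.255.255.0
 ip access-group SALES-IN in
 standby 2 ip 10.2.0.1
interface Vlan3
 ip address 10.3.0.3 255.255.255.0
 standby 3 ip 10.3.0.1
```

Hosts in each VLAN use the .1 HSRP address as their gateway; the same ACL is applied on both switches so the rule still holds after a failover, and show standby brief on either switch confirms which one is active per group.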
11-15-2014 01:12 PM
Ok, thanks again John. I will set that up as soon as I can. But the issue I was having (I don't know if it's because HSRP was not configured) was that when I did identical configs on both switches I couldn't ping between VLANs unless I changed the interfaces, for example the interfaces between Sales and Alpha, then Alpha and Marketing, using the commands
Switch(config)#int f0/?
Switch(config-if)#switchport trunk encapsulation dot1q
Switch(config-if)#switchport mode trunk
for both interfaces.
It worked ok until I did the same thing for the interfaces between Alpha and Beta; then STP turned off and everything started blinking. But I had to, because I couldn't get to Accounting without doing that to Beta, since STP blocks ports and sends traffic through Beta also. Then I tried using the same commands on all the interfaces of the VLAN switches Sales, Marketing and Acc instead of Alpha or Beta, to try something different, and the same thing happened. Not sure if you know why it's happening? Wrong interface encapsulation or mode on either side? Needed HSRP?
Basically, if I change all interfaces on Alpha and Beta to dot1q and trunk mode, STP fails, or if I change all the interfaces on the bottom switches to dot1q and trunk mode, everything also fails.
I guess I'll try what you said first; if it fails I'll show you what I'm talking about.
Thanks,
John
11-15-2014 03:37 PM
Carlos,
It's good what you're doing but your "design" is about to get outdated. You're not wasting your time because you're learning the "basics", however, the advent of virtual/stacking switches now makes HSRP almost irrelevant.
11-15-2014 05:25 PM
Leo,
For my own clarification, how is HSRP being dated? Is there another technology that's replacing it? Admittedly, I don't have virtual switches, so there's probably a design advantage to that. We've been fighting tooth and nail to stay away from them. :)
Thanks!
John
11-16-2014 04:33 AM
For my own clarification, how is HSRP being dated?
HSRP is not "dated". The use of HSRP in the network still exists, but it is less prevalent nowadays. A good example is the above network diagram. Core/Distro switches are 3560s. Now what happens if you have, for example, 3750, 3650/3850 or 2960S/X/XR, or a VSS pair of 4500R+E or 6500/6800-X chassis? If you stack the Core/Distro together, then you can do away with HSRP. The access switches can be linked up using EtherChannel.
Is there another technology that's replacing it? Admittedly, I don't have virtual switches, so there's probably a design advantage to that. We've been fighting tooth and nail to stay away from them.
VSS, if done properly, is actually good. I've got a pair of VSS that houses my entire wireless network. No issues (other than a supervisor failure, but that's another issue).
11-16-2014 04:33 AM
Thanks! :) I've heard about VSS, but I haven't been able to use it yet unfortunately. I'm not sure the equipment we use supports it...
11-17-2014 02:11 AM
I would agree with Leo on the VSS; it's a great thing to introduce if you have the budget for it.
11-15-2014 05:24 PM
Carlos,
I'm not 100% certain why it did what you're saying. Packet Tracer is not real equipment, so you may notice some anomalies when configuring something. You may think something should work, but PT wigs out and doesn't allow it to work. We've seen it a bunch of times in the past. When STP blocks ports, it will tell you why. When you're trunking a port, it can usually block due to mismatched VLANs, port types (trunk on one end and access on the other), etc. What you could do is shut one of the ports that you're configuring before you configure the other side. For example, if fa0/1 on Alpha is connected to fa0/1 on Beta, shut the port on Beta down before you configure Alpha. When finished, configure Beta and then bring the port up.
HTH,
John
11-17-2014 11:45 AM
Hi John,
I think I did everything you told me and built the network, but it's still not working. Here is the topology:
PC1 and PC2 can ping everything: Internet Server, ALPHA, BETA, each other (oddly enough they can't ping the virtual router 10.1.1.10, probably an issue for later, but still working).
SPC and MPC hosts can only ping the next-hop switch and nothing after that. They can't ping the routers, the internet, or each other.
The Sales and Marketing switches cannot ping ALPHA or BETA.
I'm assuming something is wrong with Alpha and Beta, because their routing tables don't show VLAN 2 or VLAN 3.
I added my run configs and other stuff in a separate attachment and also my packet tracer file. I hope you can help me figure this out.
Thank you.
Also, to Leo and everyone else, I really appreciate the info on VSS. I'm too new to understand that, but I will make sure to start reading on that too.