I am sorry, this is just a basic setup. I have other switches beyond Admin and Inbound.

however If Admin switch is down, I suppose to ping router from Inbound switch. but it didn't happened. pls help

Can you just confirm what IPs you are trying to ping and from which devices and what works and what doesn't ?

Jon

Hi Jon,

I am trying to ping from (inbound switch) 192.168.1.4 to reach the router IP 192.168.1.1

Can you help with the correct config pls?

That won't work because your admin switch is directly connected to the 192.168.1.x subnet so it can ping but your inbound switch isn't and it would have to be directly connected because it has an interface in that subnet. 

If your switches are L3 as they appear to be and your are routing on them I would go with Rick's suggestion of using a routing protocol as this would make things simpler. 

Jon

I think the issue is we are not sure what it is you are trying to achieve. 

If the admin and inbound switches are meant to do routing for end devices then HSRP would make sense but your configurations don't suggest any end client vlans which I think is why Rick suggested using a routing protocol. 

If you are just trying to create a redundant path between your switches and the router then a routing protocol is the way to go and you don't really need HSRP but it may be that are reasons you are doing this that are not part of your network diagram.

Jon

I agree that the information we have been given so far is very incomplete and gives a mixed impassion of what is going on. In one response we are told "I have other switches beyond Admin and Inbound." but are given no information about them, what the connections are, or how they are being used. Looking at the (very incomplete) config of the router we see one interface leading to outside, and two interfaces, each with a separate subnet, connecting to 2 switches. This clearly suggests that these connections are transit links. That inter vlan routing is done on the switches and that they forward to the router any traffic going outside. And in that kind of environment my suggestion of a dynamic routing protocol would provide the failover capability that is desired.

But looking at the switches we get a very different impression. We see trunk ports but have no information about what vlans they carry. We have 2 static default routes but no other information about any routing logic on the switches. They do not seem to be using the links from switch to router as transit links. The HSRP might make sense if there were downstream devices connected in this vlan and trying to determine which upstream switch for forward traffic to. But the HSRP seems to be intended to help with connection to the router, but it is not effective for this.

As a side note: HSRP with tracking for an interface can be effective. If the interface changes state to down then track would decrease the priority for HSRP and could potentially allow the other peer to assume the active role. But if track is tracking a vlan SVI (and where the vlan is carried on a trunk) then what could make the interface change state to down???

To the original poster: we need much better information if we are to offer good advice. Perhaps starting with an explanation of the architecture of this network, and focusing on where layer 2 logic is implemented (vlans and trunks) and where layer 3 logic is implemented (routing between vlans, routing to reach outside, etc)

Hi Rick/Jon/Georg,

Thanks for your valuable time. Please apologize & sorry for the confusions.

Attached please find an updated diagram and the revised configs of all devices.

Please send me a sample rip/eigrp or bgp config to achieve a full redundant link.

Summary:- 

Successful ping stats

I am able to ping 8.8.8.8 from Admin/Inbound/Security switches

                   ping 192.168.1.1 from Admin/Inbound/Security switches

                   ping successful between each switches & router. 

                   ping 192.168.10.1 successful only from Security switch  

Unsuccessful ping stats                   

                  unable to ping 192.168.10.1 from from Admin/Inbound switches

                  unable to ping 192.168.10.2 & .3 from Router to Admin/Inbound switches

I understood there must be wrong configs. Can you help me with how can I achieve a full redundant link with the attached topology.

I want Security switch to access internet in the event of failure either Admin or Inbound Switches. So there shouldn't be any impact or outage if any core devices are down.

I really appreciate your help and revised config pls.

Regards

Rz

I have looked at the new information. It seems the obvious problem at this point is with accessing anything in the 192.168.10.0 network. While there are multiple issues let me identify the major part. On the router config 192.168.10.1 is on an Ethernet interface which is not configured to process a trunk connection. On Inbound switch the interface which is identified as connecting to the router is configured as a trunk. And to compound the issue on Inbound switch the IP address 192.168.10.4 is configured on an Ethernet interface not the one connecting to the router (and as far as I can tell not part of a vlan).

I am going to make some suggestions which I hope might help you with the issues. When we are talking about routing it can be helpful to think separately about routing outside your network and routing inside your network. The most recent information looks like routing outside of your network is set up and working ok. The router seems to have a working default route and I am assuming that either your router is configured to do Network Address Translation or perhaps the upstream device is. I do not see any reason to change that. But I think that you do need to change the routing for inside your network.

For routing inside your network you have 2 main choices: you can route for the networks and subnets inside your network on the router or you can route for them on the switches (Inbound and Admin). You need to decide which you prefer and then to make changes to implement that decision.

- if you choose to do the inside routing on the router then the connection of router to both switches needs to be trunks. These trunks need to carry all of the vlans and the router needs vlan subinterfaces for all of the vlans. In this implementation both Inbound and Admin switches should be just layer 2 aggregation switches (ip routing not enabled on these switches). In this implementation you do not need a dynamic routing protocol.

- if you choose to do the inside routing on the switches then the connection of router to these switches can be an Ethernet interface (not a trunk). The connection of router to each switch should be a separate network/subnet. Each switch should have ip routing enabled. The router will learn the networks/subnets of inside by running a dynamic routing protocol with both switches. The switches will have the vlans and vlan subinterfaces for all of the inside networks/subnets and will advertise the networks/subnets to the router. The router will advertise its default route to the switches. This will provide the failover capability that you are trying to achieve.

It is your choice to make. After you make your choice we can help to identify the config changes that you will need. If I were making the choice I would choose the alternative of routing inside done on the switches.

If you want to create a failover environment my suggestion is that your best solution would be to run a dynamic routing protocol (probably OSPF or EIGRP but RIP would do) between the router and the switches. Let the router generate a default route and advertise it to the switches. Then if a switch fails the routing protocol will recognize that event and converge finding a new path that works.

There are multiple issues with your approach of having 2 static default routes on each switch, one of which is that for a static route to be withdrawn from the routing table the interface it uses must go line protocol down but with the trunk the interface is not likely to go line protocol down.

Thank you Richard. Let me try that as well and revert back.

Hello,

are the Admin and Inbound switches layer 3 switches serving downstream LAN clients ?

Hello,

try the configs below. This is a standard HSRP setup with interface tracking.

Router Config

interface Ethernet0/0
description Link to Admin Switch
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
full-duplex
!
interface Ethernet1/0
ip address dhcp
ip nat outside
ip virtual-reassembly
full-duplex
!
interface Ethernet1/1
description Link to Inbound Switch
ip address 192.168.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly
full-duplex
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
ip nat inside source list 1 interface Ethernet1/0 overload
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 192.168.10.0
!
ip route 0.0.0.0 0.0.0.0 Ethernet1/0 dhcp
no cdp log mismatch duplex

Admin Switch

ip cef
ip routing
ip name-server 8.8.8.8
!
ip tcp synwait-time 5
!
interface FastEthernet0/0
description Link to Inbound Switch
ip address 192.168.10.2 255.255.255.0
standby 1 ip 192.168.1.1
standby 1 priority 105
standby 1 preempt
standby 1 track Vlan 1
duplex auto
!
interface FastEthernet1/0
description Trunk to R2
switchport mode trunk
!
interface Vlan1
description Link to R2
ip address 192.168.1.2 255.255.255.0
!
no ip http server
no ip http secure-server
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.1.1

no cdp log mismatch duplex
!
control-plane
!
end

Inbound SW configs

ip routing
ip name-server 8.8.8.8
!
ip tcp synwait-time 5
!
interface FastEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet0/1
description link to Admin Switch
ip address 192.168.10.3 255.255.255.0
standby 1 ip 192.168.10.1
standby 1 track Vlan 1
duplex auto
speed auto
!
interface FastEthernet1/0
desccription Link to R2
switchport mode trunk
!
interface Vlan1
ip address 192.168.1.4 255.255.255.0
!
no ip http server
no ip http secure-server
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.10.1
!
no cdp log mismatch duplex
!
control-plane
!
end