Cisco High availability tracking

_Gonzalo_ Posts: 113 Member
Hi all,


I have repeatedly been told by my teachers that the interfaces I should track (assuming a Cisco campus topology with core and distribution layers, with intervlan routing placed on distribution) when using either HSRP or GLBP are the ones that go up to the core layer. I don't completely argue with that, but:


As hosts on the same vlan should be in the same switch, wouldn't it be more important to track the layer 2 link that connects distribution with access?


And question B: Is there any scenario where distribution multilayer switches are connected by a layer 2 link?

I love reading, especially interesting things, so please don't be afraid to elaborate.

Thanks in advance.

Comments

  • networker050184 Posts: 11,962 Mod
    First to answer question B, yes there is usually a L2 link between dist switches that share an HSRP pair. HSRP needs L2 connectivity obviously and relying on the access layer for this is not the best idea. You don't want the operation of your distribution layer tied to the access layer.

    So now that you know the answer to question B it makes A a little easier to answer. You have L2 connectivity throughout so it really doesn't matter if the down link (towards the access layer) goes down. The switches still have a clear L2 path to the gateway.

    Now looking at the uplink scenario you have to take several things into account. Most importantly you do not want hosts sending traffic to a gateway that does not in turn have a way to forward the traffic upstream. So when a dist loses its uplinks it makes sense to have it relinquish the gateway. If you only tracked the L2 down links, L3 traffic would still arrive at the dist via routing (whether it is the HSRP active gateway or not) and the dist has no way to forward it downstream, causing a black hole.
    An expert is a man who has made all the mistakes which can be made.
  • _Gonzalo_ Posts: 113 Member
    networker050184 wrote: »
    First to answer question B, yes there is usually a L2 link between dist switches that share an HSRP pair. HSRP needs L2 connectivity obviously and relying on the access layer for this is not the best idea. You don't want the operation of your distribution layer tied to the access layer.

    This makes perfect sense. I guess it should be either L2 or, ideally, stacked.

    But I still have some doubts about question a. I'll stick to HSRP, as it's more obvious because there is only one gateway. I'll try to picture it:

    D1-D2
    | X |
    A1 A2

    Let's say that all hosts on VLAN 1 are connected to A1. D1 is the HSRP active and STP root. In this case, we'll have all D1 links as designated, and the remaining D2 links in blocking state, so the resulting STP topology would be:

    D1-D2
    | \
    A1 A2

    If link D1-A1 goes down, STP recalculates and D2-A1 will go designated. But as no track is configured, HSRP active router will still be D1, as:

    D1-D2
    . X
    A1 A2

    The result is that traffic on VLAN 10 goes to D2 on its path to D1. My doubt is not "Will it work?" It is "Is it worth it?" I know that layer 2 is way faster than layer 3, but would it not make sense for D2 to be the active gateway here, instead of forwarding to D1? On the other hand, it might be too intense for one router to handle all layer 3 LAN traffic... But if so, redundancy would not be doing what it is supposed to do...
  • networker050184 Posts: 11,962 Mod
    I see where you are coming from, but you have to ask yourself what are you buying yourself? What problem are you solving? The answer really is nothing but to make it seem more symmetric for your own sake really.

    You are also thinking of a perfect world where all VLAN members are on a single access switch when in reality they are likely to span multiple access switches in a switch block. What, John from accounting is moving to another desk serviced by another access switch but needs to remain on the accounting VLAN? That throws a hole in the VLAN plan! Then what? When do you fail the HSRP over? When a single access switch loses its uplink? Five out of ten access switches? It starts to become a bit more complicated and not worth the trouble at that point.
    An expert is a man who has made all the mistakes which can be made.
  • gorebrush Posts: 2,741 Member
    The best HSRP solutions I've seen have all been the ones where they track a crossover interface between them and not have EOT's out their WAN links. It makes the whole solution a waste of time because as long as each router can see its partner, but the WAN link has gone down - the failover never occurs. It's worthless.
  • _Gonzalo_ Posts: 113 Member
    networker050184 wrote: »
    You are also thinking of a perfect world where all VLAN members are on a single access switch when in reality they are likely to span multiple access switches in a switch block.

    That's just my lack of experience in real networks. :)
    So that perfect world only exists in theory. Fair enough. Anyway, my goal here is to try to understand redundancy logics. And I believe that knowledge to be interesting, because even if I'd never be able to implement it, at least I will be able to get as close to it as particular circumstances let me. It looks like you imply that it could be a good solution, given those "perfect world" conditions. Is that so?

    Another one. Is it really common to find that sort of topology? VLANs scattered through all access layer? It might be, but it strikes me as odd...
    gorebrush wrote: »
    The best HSRP solutions I've seen have all been the ones where they track a crossover interface between them and not have EOT's out their WAN links. It makes the whole solution a waste of time because as long as each router can see its partner, but the WAN link has gone down - the failover never occurs. It's worthless.

    Sorry man, I don't know what EOT means and implies, so that kind of makes me miss your point.
  • gorebrush Posts: 2,741 Member
    enhanced object tracking.......
  • instant000 Posts: 1,745 Member
    It may be odd to you, but VLANs are scattered through the access layer often.

    As networker mentioned, sometimes they move the end user from one location to another, so you end up extending the VLAN to that new location.

    In some organizations, this happens quite often. :)

    Ideally, you wouldn't want to do this, but the accounting VLAN gets special access or something, and it may be an easier solution to extend the VLAN to his new location, than rewrite ACLs.

    If you read the design books, Cisco will say that they'd prefer that a VLAN stay in a single switch closet, but then they tell you that it's not often like that in the field. :D

    Hope this helps.
    Currently Working: CCIE R&S
    LinkedIn: http://www.linkedin.com/in/lewislampkin (Please connect: Just say you're from TechExams.Net!)
  • EdTheLad Posts: 2,112 Member
    _Gonzalo_ wrote: »
    D1-D2
    | X |
    A1 A2

    Let's say that all hosts on VLAN 1 are connected to A1. D1 is the HSRP active and STP root. In this case, we'll have all D1 links as designated, and the remaining D2 links in blocking state, so the resulting STP topology would be:

    D1-D2
    | \
    A1 A2

    If link D1-A1 goes down, STP recalculates and D2-A1 will go designated. But as no track is configured, HSRP active router will still be D1, as:

    D1-D2
    . X
    A1 A2

    Looking at your ideal world scenario, where all hosts in vlan 1 are on A1, we don't need the link between D1 and D2 to be forwarding. The best design would be to modify the STP costs so that D1-A1 and D1-A2 are forwarding for vlan 1. The hsrp hello for vlan 1 between D1 and D2 would go via A1, so if there was a failure on one of the access links, both D1 and D2 go active and hence whichever has the access link up will become the gateway.
    You obviously wouldn't do this if there were vlan 1 hosts on other switches, but we are talking about a perfect world here :).
    Networking, sometimes i love it, mostly i hate it.Its all about the $$$$
  • _Gonzalo_ Posts: 113 Member
    gorebrush wrote: »
    enhanced object tracking.......

    OK. So I'll take that "best solution" as ironic then, as I understand that HSRP is what is worthless to you. :)
    By the way, I also missed your upcoming CCIE lab exam. Best of luck to you!!
    instant000 wrote: »
    Hope this helps.

    It really does help. It is my intention to, eventually, get the Design path. But even if I still have plenty to decide in my path to CCIE, I'd say it's more likely for me to start somewhere else (there is so much I NEED to know! :) ), and get my Design certificates a little further up the road.

    I really appreciate all of you guys spending your time to share your knowledge. You all have been truly helpful!!
    Cheers!
  • _Gonzalo_ Posts: 113 Member
    EdTheLad wrote: »
    Looking at your ideal world scenario, where all hosts in vlan 1 are on A1, we don't need the link between D1 and D2 to be forwarding. The best design would be to modify the STP costs so that D1-A1 and D1-A2 are forwarding for vlan 1. The hsrp hello for vlan 1 between D1 and D2 would go via A1, so if there was a failure on one of the access links, both D1 and D2 go active and hence whichever has the access link up will become the gateway.

    This conflicts with what I know, and partially with what networker050184 said. According to what I know, if D1 is the STP root, all ports have to be designated and your solution could not be applied. Therefore, I understand that you would have A1 and A2 as primary and secondary STP roots. The topology would be a little messy, as:

    D1 D2
    | / |
    A1 A2

    After a failure, it would go:

    D1 D2
    | / |
    A1 A2

    or

    D1 D2
    . X |
    A1 A2

    None of these scenarios would provide the circumstances for both HSRP routers to go active (I never thought it possible to have 2 active HSRP routers, but it's an interesting thought). I am also unsure of the impact regarding L3 paths: after all, you would have two different directions to get you to two different physical "places" that are the exact same network.

    Also, and maybe I'm missing something again, I believe that networker050184's idea of having distribution not depending on access is the way to go.
  • EdTheLad Posts: 2,112 Member
    _Gonzalo_ wrote: »
    According to what I know, if D1 is the STP root, all ports have to be designated and your solution could not be applied. Therefore, I understand that you would have A1 and A2 as primary and secondary STP roots. The topology would be a little messy, as:

    The STP root will have all its ports as designated forwarding; any switch connected directly or indirectly will examine its received BPDUs to see which port has the lowest cost, and that will become the root port.

    D1-D2 cost 100
    D1-A1 cost 10
    D2-A1 cost 10

    D2 receives 2 BPDUs, one from D1 with cost 100, one from A1 with cost 20. 20 is lower, so the port connected to A1 is the root port and the port connected to D1 is blocked.
    Since vlan 1 is only on A1, we do not need to think about A2. A2 has another vlan, let's say vlan 2. D1 and D2 have 2 hsrp groups, one for vlan 1 and another for vlan 2. They are completely independent.

    Another interesting thing to look at in this design is, imagine you enabled an igp between D1 and D2 via A1. With icmp redirect enabled, you could have the host bypass the hsrp gateway and send to the best next hop per destination.
    Networking, sometimes i love it, mostly i hate it.Its all about the $$$$
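    The root-port and blocking decisions EdTheLad walks through above (D1-D2 cost 100, D1-A1 and D2-A1 cost 10) and the all-equal-cost topology from the first post, as an added Python model that is not code from the thread. Bridge IDs (D1 lowest, then D2) and link costs are constructed assumptions; the model also handles the D1-A1 failure case to show the A1-D2-D1 path the thread discusses.

```python
"""Per-VLAN STP port-role model for the D1/D2/A1/A2 switch block.

Added example, not code from the thread. One PVST instance is modelled:
the lowest bridge ID is root, every other switch takes the port with the
lowest root path cost as its root port (ties broken by the sender's bridge
ID), the lower-cost end of each segment is designated, and every other
port blocks. Bridge IDs and link costs are constructed assumptions.
"""
from typing import Dict, List, Tuple

Link = Tuple[str, str, int]   # (switch_a, switch_b, link path cost, same both ways)
INF = 10 ** 9

# Constructed bridge priorities: D1 is root, D2 beats the access switches on ties.
BRIDGE_ID = {"D1": 4096, "D2": 8192, "A1": 32769, "A2": 32770}


def _adjacency(links: List[Link]) -> Dict[str, List[Tuple[str, int]]]:
    adj: Dict[str, List[Tuple[str, int]]] = {}
    for a, b, cost in links:
        adj.setdefault(a, []).append((b, cost))
        adj.setdefault(b, []).append((a, cost))
    return adj


def _key(cost: int, sender: str) -> Tuple[int, int]:
    # BPDU comparison: lower root path cost wins, then lower sender bridge ID.
    return (cost, BRIDGE_ID[sender])


def root_path_costs(links: List[Link]) -> Dict[str, Tuple[int, str]]:
    """Return {switch: (root path cost, bridge the best BPDU was received from)}."""
    adj = _adjacency(links)
    root = min(adj, key=lambda s: BRIDGE_ID[s])
    best = {s: (INF, s) for s in adj}      # (INF, self) means "no BPDU yet"
    best[root] = (0, root)
    changed = True
    while changed:                         # relax until BPDU information converges
        changed = False
        for node in adj:
            if node == root:
                continue
            # A neighbour advertises its own root path cost; add the link cost.
            cands = [(best[n][0] + c, n) for n, c in adj[node] if best[n][0] < INF]
            if not cands:
                continue
            cand = min(cands, key=lambda t: _key(*t))
            if _key(*cand) < _key(*best[node]):
                best[node] = cand
                changed = True
    return best


def port_roles(links: List[Link]) -> Dict[Tuple[str, str], str]:
    """Role of each port keyed by (switch, neighbour): 'designated', 'root' or 'blocked'."""
    best = root_path_costs(links)
    roles: Dict[Tuple[str, str], str] = {}
    for a, b, cost in links:
        # The end with the better (root path cost, bridge ID) is designated.
        desig, other = sorted((a, b), key=lambda s: _key(best[s][0], s))
        roles[(desig, other)] = "designated"
        # The far end is the root port only if its best BPDU came over this segment.
        on_this_segment = best[other] == (best[desig][0] + cost, desig)
        roles[(other, desig)] = "root" if on_this_segment else "blocked"
    return roles


def path_to_root(links: List[Link], start: str) -> List[str]:
    """Follow root ports upstream: the L2 path a frame from 'start' takes to the root."""
    best = root_path_costs(links)
    path = [start]
    while best[path[-1]][1] != path[-1]:
        path.append(best[path[-1]][1])
    return path


def without(links: List[Link], a: str, b: str) -> List[Link]:
    """Topology after the a-b link has failed."""
    return [l for l in links if {l[0], l[1]} != {a, b}]


# EdTheLad's costs: VLAN 1 lives only on A1, the D1-D2 link is made expensive.
TUNED: List[Link] = [("D1", "D2", 100), ("D1", "A1", 10), ("D2", "A1", 10)]
# The original post: both access switches dual-homed, equal costs everywhere.
EQUAL: List[Link] = [("D1", "D2", 4), ("D1", "A1", 4), ("D1", "A2", 4),
                     ("D2", "A1", 4), ("D2", "A2", 4)]

if __name__ == "__main__":
    for name, topo in [("tuned", TUNED), ("equal", EQUAL),
                       ("equal, D1-A1 down", without(EQUAL, "D1", "A1"))]:
        print(name)
        for port, role in sorted(port_roles(topo).items()):
            print("  %s -> %s: %s" % (port[0], port[1], role))
        print("  A1 reaches the root via", " -> ".join(path_to_root(topo, "A1")))
```

With the tuned costs D2's root port faces A1 and its D1-facing port blocks; with equal costs A1's D2-facing port blocks, and once D1-A1 fails A1 reaches the root through D2.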
  • _Gonzalo_ Posts: 113 Member
    EdTheLad wrote: »
    The STP root will have all its ports as designated forwarding; any switch connected directly or indirectly will examine its received BPDUs to see which port has the lowest cost, and that will become the root port.

    D1-D2 cost 100
    D1-A1 cost 10
    D2-A1 cost 10

    D2 receives 2 BPDUs, one from D1 with cost 100, one from A1 with cost 20. 20 is lower, so the port connected to A1 is the root port and the port connected to D1 is blocked.

    Wow! Now I get what you mean. But, wouldn't we be in the same situation I described? D1 and D2 would still be L2 neighbors.
    EdTheLad wrote: »
    Another interesting thing to look at in this design is, imagine you enabled an igp between D1 and D2 via A1. With icmp redirect enabled, you could have the host bypass the hsrp gateway and send to the best next hop per destination.

    WOW!!!

    10:33:00: %BRAIN-1-OVER: Brain usage 100%
    10:33:01: %BRAIN-0-DOWN: .........

    What? Where? Who? You lost me here...
    :)
  • EdTheLad Posts: 2,112 Member
    _Gonzalo_ wrote: »
    Wow! Now I get what you mean. But, wouldn´t we be in the same situation I described? D1 and D2 would still be L2 neighbors.
    True, call that an oversight :). But with this scenario we don't even need that link between D1 and D2, so you could prune vlan 1 off it!
    So we go back to the original design with the link between D1 and D2 as forwarding, enable an igp across this link with a low cost and have icmp redirects enabled. Now when the link between A1 and D1 fails, traffic will go via D2 to D1. If D1 sees a better route to the destination via D2 it will send an icmp redirect to the hosts to bypass the hsrp ip and use D2 as the default gateway even though D2 is the standby router in the hsrp group.
    Cisco Doc wrote:
    Extending the relationship between ICMP redirects and HSRP provides a solution to this problem, allowing you to take advantage of the benefits of both HSRP and ICMP redirects. Two (or more) HSRP groups are run on each subnet, with at least as many HSRP groups configured as there are routers participating. The priorities are configured so that each of the routers is master of at least one HSRP group. When one router determines to redirect an endstation to a different router for a specific destination, then instead of redirecting the endstation to that other router's IP address, it finds an HSRP group that is being mastered by that router, and redirects the endstation to the corresponding virtual IP address. If that target router then fails, HSRP ensures that another router takes over its job and, perhaps, redirects the endstation to yet another, again virtual, router.
    Networking, sometimes i love it, mostly i hate it.Its all about the $$$$
  • _Gonzalo_ Posts: 113 Member
    EdTheLad wrote: »
    True, call that an oversight :).

    :) Happens to the best of us!
    EdTheLad wrote: »
    But with this scenario we don't even need that link between D1 and D2, so you could prune vlan 1 off it!

    Wouldn't that mess things up, as we could end up having a L2 forwarding link unable to forward traffic?
    EdTheLad wrote: »
    So we go back to the original design with the link between D1 and D2 as forwarding, enable an igp across this link with a low cost and have icmp redirects enabled. Now when the link between A1 and D1 fails, traffic will go via D2 to D1. If D1 sees a better route to the destination via D2 it will send an icmp redirect to the hosts to bypass the hsrp ip and use D2 as the default gateway even though D2 is the standby router in the hsrp group.

    I had to look that ICMP redirect up, hehehe...
    But now, if I wanted to have an IGP across D1-D2 link, that would remove this link from STP. That means that L2 topology would be:

    D1 D2
    | X |
    A1 A2

    In this case, we would still have this, whenever D1-A1 fails:

    D1 D2
    . X |
    A1 A2

    And therefore, the path from A1 to the VLAN 1 gateway would be, initially, A1-D2-A2-D1. D1 and D2 have equal costs to the Core layer, so D1 would not see D2 as having a better route to any destination. Is it correct to assume that ICMP redirect would not be possible here either? Unless ICMP redirect takes the path from the host into consideration, which I believe it doesn't (from what I just read).
  • _Gonzalo_ Posts: 113 Member
    EdTheLad wrote: »
    Cisco Doc wrote:
    Extending the relationship between ICMP redirects and HSRP provides a solution to this problem, allowing you to take advantage of the benefits of both HSRP and ICMP redirects. Two (or more) HSRP groups are run on each subnet, with at least as many HSRP groups configured as there are routers participating. The priorities are configured so that each of the routers is master of at least one HSRP group. When one router determines to redirect an endstation to a different router for a specific destination, then instead of redirecting the endstation to that other router's IP address, it finds an HSRP group that is being mastered by that router, and redirects the endstation to the corresponding virtual IP address. If that target router then fails, HSRP ensures that another router takes over its job and, perhaps, redirects the endstation to yet another, again virtual, router.

    I did not even know that you could have multiple HSRP groups per subnet!!! I'll have to check out how configuration goes for that.
  • EdTheLad Posts: 2,112 Member
    _Gonzalo_ wrote: »

    Wouldn't that mess things up, as we could end up having a L2 forwarding link unable to forward traffic?
    How? Hosts on vlan 1 would have a link to D1 and D2, hsrp hellos would go via A1, hosts would have the gateway on the active.

    Link between A1-D1 fails, hsrp hello broken, both routers become active, hosts have a path to D2. D1 stops advertising the route as the local interface is down. Both forward and return path are good.
    Link between A1-D2 fails path via D1, same story as before.
    _Gonzalo_ wrote: »
    But now, if I wanted to have an IGP across D1-D2 link, that would remove this link from STP. That means that L2 topology would be:
    D1-D2 link is a trunk port, with vlan 1 allowed, SVI for vlan 1 is configured on D1 and D2,
    Networking, sometimes i love it, mostly i hate it.Its all about the $$$$
  • _Gonzalo_ Posts: 113 Member
    EdTheLad wrote: »
    How? Hosts on vlan 1 would have a link to D1 and D2, hsrp hellos would go via A1, hosts would have the gateway on the active.

    Well, not right away. That's why I said could end up. I meant that as soon as any other link fails, we'd be there.
    EdTheLad wrote: »
    Link between A1-D1 fails, hsrp hello broken, both routers become active, hosts have a path to D2. D1 stops advertising the route as the local interface is down. Both forward and return path are good.
    Link between A1-D2 fails path via D1, same story as before.

    I see your point. But you are not taking A2 into consideration. That would work if A2 was not there, but it would not if it is, as we'd be back to D1 and D2 being L2 neighbors, so it's the same case:

    D1 D2
    . X |
    A1 A2

    It's a nice theory, nonetheless.
    EdTheLad wrote: »
    D1-D2 link is a trunk port, with vlan 1 allowed, SVI for vlan 1 is configured on D1 and D2,

    I believe that you intended to write something after that comma. Looking forward to reading it! :)
  • EdTheLad Posts: 2,112 Member
    _Gonzalo_ wrote: »
    I see your point. But you are not taking A2 in consideration. That would work if A2 was not there, but it would not if it is, as we´d be back to D1 and D2 being L2 neighbors, so it´s the same case:

    Still as per the ideal world scenario, A2 has vlan 2 only. Vlan 2 is in a separate hsrp group, A2 has both its uplinks to D1 and D2. Hosts on vlan 2 hanging off A2 will have a GW pointing to the active hsrp group. Uplink fails, same behavior as vlan 1. A1 and A2 are completely isolated from each other, they are running on different vlans. Both D1 and D2 have 2 SVIs, the trunk between D1 and D2 allows vlan 1 and 2.

    Of course there would be some traffic loss, but you're gonna have some under any failure scenario.

    Anyway, it's all just fantasy, vlans are generally dispersed.

    , = . :)
    Networking, sometimes i love it, mostly i hate it.Its all about the $$$$
  • _Gonzalo_ Posts: 113 Member
    EdTheLad wrote: »
    Still as per the ideal world scenario, A2 has vlan 2 only. Vlan 2 is in a separate hsrp group, A2 has both its uplinks to D1 and D2. Hosts on vlan 2 hanging off A2 will have a GW pointing to the active hsrp group. Uplink fails, same behavior as vlan 1. A1 and A2 are completely isolated from each other, they are running on different vlans. Both D1 and D2 have 2 SVIs, the trunk between D1 and D2 allows vlan 1 and 2.

    I did not mean that. I meant that A2 would still be there for the partial VLAN 1 STP topology.

    It's clear that VLAN 2 would mirror VLAN 1 exactly (perfect-worlding wise) so I'd rather leave VLAN 2 out of the example, for simplicity's sake.
    EdTheLad wrote: »
    Anyway, it's all just fantasy, vlans are generally dispersed.

    It is, but interesting all the same!
    EdTheLad wrote: »
    , = . :)

    :)

    So, if it wasn't a comma:
    "D1-D2 link is a trunk port, with vlan 1 allowed, SVI for vlan 1 is configured on D1 and D2"

    I don't see how this qualifies as having an "igp across this link" (D1-D2).
    Either both interfaces have IP and then you include them in igp operation, or they do not, including them in STP operation.

    In case I'm not making any sense at some point ;) please bear in mind that I began studying networks from scratch just a few months back. I might have some basics missing!
  • EdTheLad Posts: 2,112 Member
    _Gonzalo_ wrote: »
    I did not mean that. I meant that A2 would still be there for the partial VLAN 1 STP topology.
    I was just following your ideal world scenario. A1 is the only switch with vlan 1, A2 does not have vlan 1 and hence does not run spanning-tree on vlan 1, so it has no effect on STP for A1. A2 is running its own instance of STP for vlan 2.

    _Gonzalo_ wrote: »
    "D1-D2 link is a trunk port, with vlan 1 allowed, SVI for vlan 1 is configured on D1 and D2"

    I don't see how this qualifies as having an "igp across this link" (D1-D2).
    Either both interfaces have IP and then you include them in igp operation, or they do not, including them in STP operation.

    Both D1 and D2 have an SVI for vlan 1.
    SVI = switched virtual interface
    i.e.
    config on D1

    ! trunk towards D2 carrying vlans 1 and 2; this port takes part in STP
    int fa0/0
    switchport
    switchport mode trunk
    switchport trunk allowed vlan 1,2
    !
    vlan 1
    !
    ! layer 3 SVI for vlan 1; the igp (OSPF here) is enabled on it
    int vlan 1
    ip address 10.0.0.1 255.255.255.0
    ip ospf 1 area 0

    As you can see in the config above, the switch has a port in vlan 1 which will participate in STP. It has a layer 3 SVI associated with the vlan where you enable the igp. I think you need to go back and study the basics to get a good foundation before you go down the design path.
    Networking, sometimes i love it, mostly i hate it.Its all about the $$$$
  • _Gonzalo_ Posts: 113 Member
    EdTheLad wrote: »
    I was just following your ideal world scenario. A1 is the only switch with vlan 1, A2 does not have vlan 1 and hence does not run spanning-tree on vlan 1, so it has no effect on STP for A1. A2 is running its own instance of STP for vlan 2.

    How do you do that? As far as I know, as you are running PVSTP any VLAN configured will have its instance...
    Are you suggesting for me to have different vlans created in both A1 and A2 switches? Is this more real life stuff that goes against theoretical ideas?
    EdTheLad wrote: »
    As you can see in the config above, the switch has a port in vlan 1 which will participate in STP. It has a layer 3 SVI associated with the vlan where you enable the igp. I think you need to go back and study the basics to get a good foundation before you go down the design path.

    :)

    No need for this case, some basics I know. Even having started recently I already have my CCNP, passed with all consistency. Even if I had had to cruise the switching part (because I knew most of it and other reasons) I assure you I have mastered CCNP.

    That's what I call cheating! You are not including the D1-D2 link in IGP operation, you are including the VLAN interface!
  • EdTheLad Posts: 2,112 Member
    _Gonzalo_ wrote: »
    Let's say that all hosts on VLAN 1 are connected to A1.

    I just followed your design description: if all hosts belonging to vlan 1 are on A1, why would I have vlan 1 on A2? There would be no point?
    Anyway, I'm done here :) ... laters!
    Networking, sometimes i love it, mostly i hate it.Its all about the $$$$
  • _Gonzalo_ Posts: 113 Member
    EdTheLad wrote: »
    I just followed your design description: if all hosts belonging to vlan 1 are on A1, why would I have vlan 1 on A2? There would be no point?

    Well, I have been told a number of times that all VLANs must be created in all switches, even if they have no access port assigned to them... But I just realized that I was never told why.

    Maybe I'm assuming premises that are not applicable to real life again. I'll check that out too.
    Thanks!
  • Lucas21 Posts: 46 Member
    Are you sure you're CCNP R&S certified? I hope you mean that you are studying to be and not already certified. Because if you are a CCNP and don't know simple STP and vlan fundamentals, there's something wrong with your study methods.

    In my opinion, you should go over whatever notes you took for SWITCH to remind yourself of L2 basics. Alternatively, you can get a book covering L2 topics. Another option is Cisco Technology section of DocCD.
  • _Gonzalo_ Posts: 113 Member
    Lucas21 wrote: »
    Are you sure you're CCNP R&S certified? I hope you mean that you are studying to be and not already certified. Because if you are a CCNP and don't know simple STP and vlan fundamentals, there's something wrong with your study methods.

    Hehehe

    I am. I could have cisco email you my certification details using the tool in Certification Tracking System if you wish.

    Well, I have done a CCNA course (200 hours), then a CCNP course (250h), plus earning great feedback from all three teachers I had, who have been working in this area for at least a decade. They actually were the ones that encouraged me the most to pursue CCIE. I have also given some classes myself, in order to help a few of my classmates get their certificates. Add to that countless hours practicing with Packet Tracer until it begged for mercy (crashed every time I tried to configure something a little complex), then switched to GNS3, and now I'm about to start with other simulation software. All of this within 6 months, except for 5-6 weeks of forced holidays. I don't believe theory is my weak point, but lack of real experience.

    Anyway, everyone is entitled to have an opinion, so I respect yours.
  • Lucas21 Posts: 46 Member
    No need for Cisco verification; I believe you. Sorry if I came across as disrespectful.

    Just do more labs to get practical experience if you have strong grasp of the theory. There are some really good labs on gns3vault.com for example. But GNS3 doesn't have good support for L2 so maybe try Free Cisco Catalyst Switch Lab for the L2 labs.
  • _Gonzalo_ Posts: 113 Member
    Lucas21 wrote: »
    No need for Cisco verification; I believe you. Sorry if I came across as disrespectful.

    :)

    I'll admit it bothered me a little, but it's no big deal. We're cool.

    About GNS3, it's true that there were no switches in previous versions, but from what I've been told, I understand that the new version is much better and does have full L2 sims. As of today, I haven't had the time to install it and check it out.

    I will check those links, thanks for them!
  • _Gonzalo_ Posts: 113 Member
    Guys, I really thank you all for pointing me in the right direction. I hope every time I post I'll be able to learn as much as I did with this!!

    I'll proceed to answer my question:
    It is NO. ICMP redirects and multiple HSRP groups per subnet and interface will take care of that. For those that are reading this and have shared my doubts, I'll start with the config proposed by Cisco and go on from there:

    Device1(config)# interface GigabitEthernet 0/0/0
    Device1(config-if)# ip address 10.0.0.10 255.0.0.0
    Device1(config-if)# standby redirect
    Device1(config-if)# standby 1 priority 120
    Device1(config-if)# standby 1 preempt delay minimum 20
    Device1(config-if)# standby 1 ip 10.0.0.1
    Device1(config-if)# standby 2 priority 105
    Device1(config-if)# standby 2 preempt delay minimum 20
    Device1(config-if)# standby 2 ip 10.0.0.2

    Configuration—Standby for Group 1 and Active for Group 2

    Device(config)# interface GigabitEthernet 0/0/0
    Device(config-if)# ip address 10.0.0.11 255.0.0.0
    Device(config-if)# standby redirect
    Device(config-if)# standby 1 priority 105
    Device(config-if)# standby 1 preempt delay minimum 20
    Device(config-if)# standby 1 ip 10.0.0.1
    Device(config-if)# standby 2 priority 120
    Device(config-if)# standby 2 preempt delay minimum 20
    Device(config-if)# standby 2 ip 10.0.0.2

    So this way, we would have 2 active HSRP routers per subnet while only having one per group. ICMP redirect would take care of choosing the right gateway if any L2 topology issue happened (as the ones we talked about previously). One more interesting thing is that it is mandatory to have a second HSRP group, as passive HSRP devices are not allowed to be chosen by ICMP redirect as next hop.

    All this seems perfect, at first sight. Only one little detail still bothers me. As per Cisco ICMP doc:

    Cisco routers send ICMP redirects when all of these conditions are met:

    • The interface on which the packet comes into the router is the same interface on which the packet gets routed out.
    • The subnet or network of the source IP address is on the same subnet or network of the next-hop IP address of the routed packet.
    • The datagram is not source-routed.
    • The kernel is configured to send redirects. (By default, Cisco routers send ICMP redirects. The interface subcommand no ip redirects can be used to disable ICMP redirects.)

    I understand that this SHOULD work. So, as per the first condition, is it correct to assume that datagrams are considered to enter and exit Device1's SVI, or does ICMP redirect have a special behaviour when interacting with HSRP?

    Sources:

    http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipapp_fhrp/configuration/15-mt/fhp-15-mt-book/fhp-hsrp-icmp.html

    http://www.cisco.com/c/en/us/support/docs/ip/routing-information-protocol-rip/13714-43.html
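    The two points this thread turns on, networker050184's warning that an HSRP active router with no uplink black-holes traffic unless its uplink is tracked, and the two-group "standby redirect" design quoted above where only a router that is active in some group can be a redirect target, as an added Python model that is not Cisco's code or a config from the thread. The priorities (120/105) and addresses follow the quoted config; router names, the tracked-uplink states and the track decrement values are constructed assumptions.

```python
"""HSRP election with interface tracking, plus ICMP-redirect targets.

Added example, not Cisco's code or a config from the thread. It models
the per-group HSRP election (priority, preempt, IP tie-break), applies
the 'standby track' decrement when a router's tracked uplink is down, and
lists the virtual IPs a 'standby redirect' router may hand to hosts, which
are only the groups it is active in. Router names, the uplink states and
the decrement values are constructed; priorities and addresses follow the
two-group Cisco configuration quoted above.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Group:
    vip: str                    # virtual IP hosts use as default gateway
    priority: int
    preempt: bool = True        # 'standby N preempt' as in the quoted config
    track_decrement: int = 10   # IOS default for 'standby N track' (assumption: one tracked uplink)


@dataclass
class Router:
    name: str
    ip: str                     # real interface address, HSRP tie-breaker
    groups: Dict[int, Group]
    uplink_up: bool = True      # state of the tracked uplink towards the core

    def effective_priority(self, gid: int) -> int:
        g = self.groups[gid]
        return g.priority - (0 if self.uplink_up else g.track_decrement)


def _ip_key(ip: str) -> Tuple[int, ...]:
    return tuple(int(octet) for octet in ip.split("."))


def elect(routers: List[Router], gid: int, current_active: Optional[str] = None) -> str:
    """Name of the router that is active for group gid.

    Highest effective priority wins; a tie goes to the higher interface IP.
    If a current active router is given and the better candidate has preempt
    disabled, the current active keeps the role (it is still alive, only its
    tracked uplink changed)."""
    cands = [r for r in routers if gid in r.groups]
    best = max(cands, key=lambda r: (r.effective_priority(gid), _ip_key(r.ip)))
    if current_active and current_active != best.name and not best.groups[gid].preempt:
        return current_active
    return best.name


def redirect_targets(routers: List[Router], gids: List[int]) -> Dict[str, List[str]]:
    """Per router, the virtual IPs it may appear as in an ICMP redirect:
    only the groups it is currently active for. A router that is standby in
    every group is never a valid redirect next hop, which is why the Cisco
    design runs at least one group per router."""
    by_name = {r.name: r for r in routers}
    out: Dict[str, List[str]] = {r.name: [] for r in routers}
    for gid in gids:
        active = elect(routers, gid)
        out[active].append(by_name[active].groups[gid].vip)
    return out


def two_group_config(decrement: int = 10) -> List[Router]:
    """The quoted Cisco design: Device1 wins group 1, Device2 wins group 2."""
    d1 = Router("Device1", "10.0.0.10", {1: Group("10.0.0.1", 120, track_decrement=decrement),
                                         2: Group("10.0.0.2", 105, track_decrement=decrement)})
    d2 = Router("Device2", "10.0.0.11", {1: Group("10.0.0.1", 105, track_decrement=decrement),
                                         2: Group("10.0.0.2", 120, track_decrement=decrement)})
    return [d1, d2]


def single_group_config(decrement: int = 10) -> List[Router]:
    """The thread's original one-group pair with the same 120/105 priorities."""
    d1 = Router("D1", "10.0.0.10", {1: Group("10.0.0.1", 120, track_decrement=decrement)})
    d2 = Router("D2", "10.0.0.11", {1: Group("10.0.0.1", 105, track_decrement=decrement)})
    return [d1, d2]


if __name__ == "__main__":
    # Uplink tracking only helps if the decrement exceeds the priority gap:
    # 120 - 10 = 110 still beats 105, so D1 keeps the gateway with no upstream path.
    for dec in (10, 20):
        rs = single_group_config(dec)
        rs[0].uplink_up = False
        print("single group, decrement %d, D1 uplink down: active = %s" % (dec, elect(rs, 1)))
    rs = two_group_config(20)
    print("two groups, all up:", redirect_targets(rs, [1, 2]))
    rs[0].uplink_up = False
    print("two groups, Device1 uplink down:", redirect_targets(rs, [1, 2]))
```

The single-group run shows the check to make when configuring tracking: the decrement must be larger than the gap between the two priorities, and the standby needs preempt, or the router with no uplink stays active.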
  • EdTheLad Posts: 2,112 Member
    _Gonzalo_ wrote: »
    I understand that this SHOULD work. So, as per the first condition, is it correct to assume that datagrams are considered to enter and exit Device1's SVI, or does ICMP redirect have a special behaviour when interacting with HSRP?

    This is why I told you you need to have an IGP running over the SVI. A redirect is only sent if the adjacent l3 switch has a better route to the destination, and that path would be via the SVI interface towards the adjacent l3 switch. Originally you were concerned about the layer 2 traffic taking an extra hop, but it's more important to look at the end to end path cost. No point saving one layer 2 hop but adding 10 extra layer 3 hops. ICMP redirect will point your hosts to the gateway that has the lowest layer 3 cost to the destination.
    Networking, sometimes i love it, mostly i hate it.Its all about the $$$$
  • _Gonzalo_ Posts: 113 Member
    EdTheLad wrote: »
    This is why I told you you need to have an IGP running over the SVI. A redirect is only sent if the adjacent l3 switch has a better route to the destination, and that path would be via the SVI interface towards the adjacent l3 switch.

    It's not that I doubt your knowledge, and of course it is way more important to have even one less L3 hop than one less L2 hop. But, as it says in the second link I posted:

    "ICMP redirect messages are used by routers to notify the hosts on the data link that a better route is available for a particular destination."

    I might be misunderstanding this sentence, but I thought that the path ICMP redirect looked at was the L2 path to the gateway, not the L3 path from the gateway. After all, routing will already take care of that path, wouldn't it?

    I'll also want to add that, assuming the original perfect world topology with only 1 HSRP group per SVI, this would not be possible, and my patch (no other way to call it :) ) of tracking the access link would be what actually works.