
Can you spot a problem with HSRP Configuration?

daniel280187 Member Posts: 37
Hi,

This is a troubleshooting question. I am trying to set up HSRP for my DISTR1 switch to deal with packets from VLAN 10-20-30-40 and my DISTR2 switch to handle packets from VLAN 50-60-70-80.




The problem is that after setting up HSRP, the Active Virtual MAC Address given doesn't match the Local Virtual MAC Address of my Active switch, so when my host in VLAN 30 (IP 172.16.48.2 /30) tries to ping the VLAN 60 host (IP 172.16.96.3 /30), the destination MAC address linked to its Default Gateway (IP 172.16.48.1/30) is 0000.0C9F.0000, causing the packet not to be routed by my L3 switch and ultimately not to reach its destination.

What I think needs to happen for the packet to be routed by my DISTR1 to its destination is that the Active Virtual MAC Address matches the Local Virtual MAC Address of my switch (see the "show standby" command).

Next, some show commands to help you spot any problem:

DISTR1#sh standby brief
P indicates configured to preempt.
|
Interface Grp Pri P State Active Standby Virtual IP
Vl1 10 120 P Active local 172.16.16.20 172.16.16.1
Vl2 20 120 P Active local 172.16.32.20 172.16.32.1
Vl3 30 120 P Active local 172.16.48.20 172.16.48.1
Vl4 40 120 P Active local 172.16.64.20 172.16.64.1
Vl5 50 100 Standby 172.16.80.20 local 172.16.80.1
Vl6 60 100 Standby 172.16.96.20 local 172.16.96.1
Vl7 70 100 Standby 172.16.112.20 local 172.16.112.1
Vl8 80 100 Standby 172.16.128.20 local 172.16.128.1



Vlan60 - Group 60 (version 2)
State is Active
4 state changes, last state change 01:10:37
Virtual IP address is 172.16.96.1
Active virtual MAC address is 0000.0C9F.0000
Local virtual MAC address is 0000.0C9F.F03C (v2 default)
Hello time 3 sec, hold time 10 sec
Next hello sent in 2.372 secs
Preemption enabled
Active router is local
Standby router is 172.16.96.10
Priority 120 (configured 120)
Group name is hsrp-Vl6-60 (default)

DISTR1#sh standby |
Vlan40 - Group 40 (version 2)
State is Active
3 state changes, last state change 01:15:22
Virtual IP address is 172.16.64.1
Active virtual MAC address is 0000.0C9F.0000
Local virtual MAC address is 0000.0C9F.F028 (v2 default)
Hello time 3 sec, hold time 10 sec
Next hello sent in 1.205 secs
Preemption enabled
Active router is local
Standby router is 172.16.64.20, priority 120 (expires in 9 sec)
Priority 120 (configured 120)
Group name is hsrp-Vl4-40 (default)


Active virtual MAC address is 0000.0C9F.0000
Local virtual MAC address is 0000.0C9F.F00A (v2 default)



DISTR2#sh standby brief
P indicates configured to preempt.
|
Interface Grp Pri P State Active Standby Virtual IP
Vl1 10 100 Standby 172.16.16.10 local 172.16.16.1
Vl2 20 100 Standby 172.16.32.10 local 172.16.32.1
Vl3 30 100 Standby 172.16.48.10 local 172.16.48.1
Vl4 40 100 Standby 172.16.64.10 local 172.16.64.1
Vl5 50 120 P Active local 172.16.80.10 172.16.80.1
Vl6 60 120 P Active local 172.16.96.10 172.16.96.1
Vl7 70 120 P Active local 172.16.112.10 172.16.112.1
Vl8 80 120 P Active local 172.16.128.10 172.16.128.1


DISTR2#sh standby

Vlan60 - Group 60 (version 2)
State is Active
4 state changes, last state change 01:10:37
Virtual IP address is 172.16.96.1
Active virtual MAC address is 0000.0C9F.0000
Local virtual MAC address is 0000.0C9F.F03C (v2 default)
Hello time 3 sec, hold time 10 sec
Next hello sent in 2.372 secs
Preemption enabled
Active router is local
Standby router is 172.16.96.10
Priority 120 (configured 120)
Group name is hsrp-Vl6-60 (default)


Please let me know if you can see any problem with this configuration or if you need any other output to troubleshoot this scenario.

Thanks in advance for your help, guys.
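Added example, not part of the original post: a small check for the symptom described above. With HSRP version 2 the default virtual MAC is 0000.0C9F.F followed by the group number as three hex digits, so group 60 should show 0000.0C9F.F03C as both the local and the active virtual MAC. The function names are hypothetical and the sample text is constructed from two groups of the `show standby` output in this post.

```python
import re

# Constructed sample: two groups taken from the "show standby" output in the post.
SAMPLE = """\
Vlan60 - Group 60 (version 2)
  State is Active
  Virtual IP address is 172.16.96.1
  Active virtual MAC address is 0000.0C9F.0000
  Local virtual MAC address is 0000.0C9F.F03C (v2 default)
Vlan40 - Group 40 (version 2)
  State is Active
  Virtual IP address is 172.16.64.1
  Active virtual MAC address is 0000.0C9F.0000
  Local virtual MAC address is 0000.0C9F.F028 (v2 default)
"""

HEADER = re.compile(r"^(\S+) - Group (\d+)(?: \(version (\d)\))?")
MAC = r"([0-9A-Fa-f]{4}\.[0-9A-Fa-f]{4}\.[0-9A-Fa-f]{4})"
FIELDS = {
    "state": re.compile(r"^State is (\w+)"),
    "vip": re.compile(r"^Virtual IP address is (\S+)"),
    "active_vmac": re.compile(r"^Active virtual MAC address is " + MAC),
    "local_vmac": re.compile(r"^Local virtual MAC address is " + MAC),
}


def expected_vmac(group, version=2):
    """Default HSRP virtual MAC for a group (a configured custom MAC would differ)."""
    if version == 2:
        if not 0 <= group <= 4095:
            raise ValueError("HSRPv2 groups are 0-4095")
        return "0000.0C9F.F%03X" % group
    if version == 1:
        if not 0 <= group <= 255:
            raise ValueError("HSRPv1 groups are 0-255")
        return "0000.0C07.AC%02X" % group
    raise ValueError("unknown HSRP version")


def parse_show_standby(text):
    """Return one dict per 'Interface - Group N' stanza found in the text."""
    groups = []
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            groups.append({
                "interface": m.group(1),
                "group": int(m.group(2)),
                # IOS prints "(version 2)" only for v2; no tag means version 1.
                "version": int(m.group(3) or 1),
                "state": None, "vip": None,
                "active_vmac": None, "local_vmac": None,
            })
            continue
        if not groups:
            continue
        for key, rx in FIELDS.items():
            m = rx.match(line)
            if m:
                value = m.group(1)
                groups[-1][key] = value.upper() if key.endswith("vmac") else value
                break
    return groups


def audit(text):
    """List (interface, group, field, seen, expected) for every MAC that is off."""
    findings = []
    for g in parse_show_standby(text):
        want = expected_vmac(g["group"], g["version"])
        for key in ("local_vmac", "active_vmac"):
            if g[key] != want:
                findings.append((g["interface"], g["group"], key, g[key], want))
    return findings


if __name__ == "__main__":
    for iface, grp, key, seen, want in audit(SAMPLE):
        print(f"{iface} group {grp}: {key} is {seen}, expected {want}")
```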

Comments

  • Hondabuff Member Posts: 667
    Why are the access layer switches connected to each other? The primary switch then needs all the VLANs set as "primary root" and the backup switch as "secondary" unless you're load balancing. Also turn your link lights on so you can see what you are doing. Another suggestion would be to assign your VLAN numbers to something logical, such as "VLAN 10 = 172.16.10.1" and "VLAN 20 = 172.16.20.1".
    “The problem with quotes on the Internet is that you can’t always be sure of their authenticity.” ~Abraham Lincoln
  • daniel280187 Member Posts: 37
    Hondabuff wrote: »
    Why are the access layer switches connected to each other? The primary switch then needs all the VLANs set as "primary root" and the backup switch as "secondary" unless you're load balancing. Also turn your link lights on so you can see what you are doing. Another suggestion would be to assign your VLAN numbers to something logical, such as "VLAN 10 = 172.16.10.1" and "VLAN 20 = 172.16.20.1".

    Thanks for your answer Hondabuff.

    Yes, actually that is how they are set up with load balance.

    DISTR1 is Primary for VLANs 10-20-30-40 and Secondary for 50-60-70-80
    DISTR2 is Primary for VLANs 50-60-70-80 and Secondary for 10-20-30-40


    There is no need to connect the switches in the access layer. This was done to practice STP for a specific design I had in mind, that's it; that is why there are so many links and a fully redundant design.

    I usually turn off the link lights since it is more challenging for me to troubleshoot this way. Anyway, this is the picture with the lights:

    [FONT=&quot][/FONT]


    IP Addressing

    VLAN     Virtual GW IPs  DISTR1 VLAN XX IP  DISTR2 VLAN XX IP  Last IP
    Vlan 10  172.16.16.1     172.16.16.10       172.16.16.20       172.16.15.254
    Vlan 20  172.16.32.1     172.16.32.10       172.16.32.20       172.16.31.254
    Vlan 30  172.16.48.1     172.16.48.10       172.16.48.20       172.16.47.254
    Vlan 40  172.16.64.1     172.16.64.10       172.16.64.20       172.16.63.254
    Vlan 50  172.16.80.1     172.16.80.10       172.16.80.20       172.16.79.254
    Vlan 60  172.16.96.1     172.16.96.10       172.16.96.20       172.16.95.254
    Vlan 70  172.16.112.1    172.16.112.10      172.16.112.20      172.16.111.254
    Vlan 80  172.16.128.1    172.16.128.10      172.16.128.20      172.16.127.254


    Thanks for the suggestion, will try it next time.

    Let me know if you can identify any problem with the configuration for HSRP.
  • Hondabuff Member Posts: 667
    With limited visibility, you will have to post the running config from both dist switches. Also do a show arp. I did find a bug in Packet Tracer: when the HSRP fails over to standby and the priorities are gapped more than 10, it does not work. I set them to 105 and default 100.
  • daniel280187 Member Posts: 37
    Hondabuff wrote: »
    With limited visibility, you will have to post the running config from both dist switches. Also do a show arp. I did find a bug in Packet Tracer: when the HSRP fails over to standby and the priorities are gapped more than 10, it does not work. I set them to 105 and default 100.


    I followed your suggestion to reduce the gap between the priorities and changed to 105 for the Active switches.

    I will send you the show arp in the switches and the PC as well so you can confirm that the MAC in the PC which is associated is not the one that belongs to the Default Gateway (Local virtual MAC address is 0000.0C9F.F028).

    DISTR1 SWITCH

    DISTR1#show running-config
    Building configuration...


    Current configuration : 3742 bytes
    !
    version 12.2
    no service timestamps log datetime msec
    no service timestamps debug datetime msec
    service password-encryption
    !
    hostname DISTR1
    !
    !
    enable secret 5 $1$mERr$LKL8mY9J4qVV5ykrCe82x1
    !
    !
    ip routing
    !


    !
    no ip domain-lookup
    !
    !
    port-channel load-balance src-dst-ip
    spanning-tree mode pvst
    spanning-tree vlan 10,20,30,40 priority 16384
    spanning-tree vlan 50,60,70,80 priority 28672
    !
    !
    interface FastEthernet0/1
    switchport mode access
    shutdown
    !
    interface FastEthernet0/2
    switchport mode access
    shutdown

    !
    interface FastEthernet0/3
    switchport mode access
    shutdown
    !
    interface FastEthernet0/4
    switchport mode access
    shutdown
    !
    interface FastEthernet0/5
    switchport mode access
    shutdown
    !
    interface FastEthernet0/6
    switchport mode access
    shutdown
    !
    interface FastEthernet0/7
    switchport mode access
    shutdown
    !
    interface FastEthernet0/8

    switchport mode access
    shutdown
    !
    interface FastEthernet0/9
    switchport mode access
    shutdown
    !
    interface FastEthernet0/10
    switchport trunk encapsulation dot1q
    switchport mode trunk
    !
    interface FastEthernet0/11
    switchport trunk encapsulation dot1q
    switchport mode trunk
    !
    interface FastEthernet0/12
    switchport mode access
    shutdown
    !
    interface FastEthernet0/13
    switchport mode access
    shutdown
    interface FastEthernet0/14
    switchport mode access
    shutdown
    !
    interface FastEthernet0/15
    switchport mode access
    shutdown
    !
    interface FastEthernet0/16
    switchport mode access
    shutdown
    !
    interface FastEthernet0/17
    switchport mode access
    shutdown
    !
    interface FastEthernet0/18
    switchport mode access
    shutdown
    !
    interface FastEthernet0/19
    switchport mode access
    shutdown
    !
    interface FastEthernet0/20
    switchport mode access
    shutdown
    !
    interface FastEthernet0/21
    channel-group 1 mode desirable
    switchport trunk encapsulation dot1q
    switchport mode trunk
    duplex full
    speed 100
    !
    interface FastEthernet0/22
    channel-group 1 mode desirable
    switchport trunk encapsulation dot1q
    switchport mode trunk
    duplex full
    speed 100
    !
    interface FastEthernet0/23
    channel-group 1 mode desirable
    switchport trunk encapsulation dot1q
    switchport mode trunk
    duplex full
    speed 100
    !
    interface FastEthernet0/24
    channel-group 1 mode desirable
    switchport trunk encapsulation dot1q
    switchport mode trunk
    duplex full
    speed 100
    !
    interface GigabitEthernet0/1
    !
    interface GigabitEthernet0/2
    !
    interface Port-channel 1
    switchport trunk encapsulation dot1q
    switchport mode trunk
    interface Vlan1
    no ip address
    shutdown
    !
    interface Vlan10
    ip address 172.16.16.10 255.255.240.0
    standby version 2
    standby 10 ip 172.16.16.1
    standby 10 priority 105
    standby 10 preempt
    !
    interface Vlan20
    ip address 172.16.32.10 255.255.240.0
    standby version 2
    standby 20 ip 172.16.32.1
    standby 20 priority 105
    standby 20 preempt
    !
    interface Vlan30
    ip address 172.16.48.10 255.255.240.0
    standby version 2
    standby 30 ip 172.16.48.1
    standby 30 priority 105
    standby 30 preempt
    !
    interface Vlan40
    ip address 172.16.64.10 255.255.240.0
    standby version 2
    standby 40 ip 172.16.64.1
    standby 40 priority 105
    standby 40 preempt
    !
    interface Vlan50
    ip address 172.16.80.10 255.255.240.0
    standby version 2
    standby 50 ip 172.16.80.1
    !
    interface Vlan60
    ip address 172.16.96.10 255.255.240.0
    standby version 2
    standby 60 ip 172.16.96.1
    !
    interface Vlan70
    ip address 172.16.112.10 255.255.240.0
    standby version 2
    standby 70 ip 172.16.112.1
    !
    interface Vlan80
    ip address 172.16.128.10 255.255.240.0
    standby version 2
    standby 80 ip 172.16.128.1
    !
    ip classless
    !
    !
    line con 0
    exec-timeout 0 0
    password 7 0822455D0A16
    logging synchronous
    login
    !
    line aux 0
    !
    line vty 0 4
    password 7 0829594F1E1C0C
    login
    line vty 5 15
    password 7 0829594F1E1C0C
    login
    !
    !
    end






    MAC ADDRESSES
    0001.63BE.AB37 > DISTR1
    0060.2F10.8C06 > DISTR2


    DISTR1#show arp
    Protocol Address Age (min) Hardware Addr Type Interface
    Internet 172.16.16.2 10 0060.7002.E030 ARPA Vlan10
    Internet 172.16.16.10 - 0001.63BE.AB37 ARPA Vlan10
    Internet 172.16.16.20 12 0060.2F10.8C06 ARPA Vlan10
    Internet 172.16.32.10 - 0001.63BE.AB37 ARPA Vlan20
    Internet 172.16.32.20 6 0060.2F10.8C06 ARPA Vlan20
    Internet 172.16.48.10 - 0001.63BE.AB37 ARPA Vlan30
    Internet 172.16.64.10 - 0001.63BE.AB37 ARPA Vlan40
    Internet 172.16.80.10 - 0001.63BE.AB37 ARPA Vlan50
    Internet 172.16.96.10 - 0001.63BE.AB37 ARPA Vlan60
    Internet 172.16.112.10 - 0001.63BE.AB37 ARPA Vlan70
    Internet 172.16.128.10 - 0001.63BE.AB37 ARPA Vlan80



    DISTR2 SWITCH

    DISTR2#show running-config
    Building configuration...


    Current configuration : 3749 bytes
    !
    version 12.2
    no service timestamps log datetime msec
    no service timestamps debug datetime msec
    service password-encryption
    !
    hostname DISTR2
    !
    enable secret 5 $1$mERr$LKL8mY9J4qVV5ykrCe82x1
    !
    !
    ip routing
    !
    !
    no ip domain-lookup
    !
    !
    port-channel load-balance src-dst-ip
    spanning-tree mode pvst
    spanning-tree vlan 50,60,70,80 priority 24576
    spanning-tree vlan 10,20,30,40 priority 28672
    !
    !
    interface FastEthernet0/1
    switchport mode access
    shutdown
    !
    interface FastEthernet0/2
    switchport mode access
    shutdown
    !
    interface FastEthernet0/3
    switchport mode access
    shutdown
    !
    interface FastEthernet0/4
    switchport mode access
    shutdown
    !
    interface FastEthernet0/5
    switchport mode access
    shutdown
    !
    interface FastEthernet0/6
    switchport mode access
    shutdown
    !
    interface FastEthernet0/7
    switchport mode access
    shutdown
    !
    interface FastEthernet0/8
    switchport mode access
    shutdown
    !
    interface FastEthernet0/9
    switchport mode access
    shutdown
    !
    interface FastEthernet0/10
    switchport mode access
    shutdown
    !
    interface FastEthernet0/11
    switchport trunk encapsulation dot1q
    switchport mode trunk
    !
    interface FastEthernet0/12
    switchport trunk encapsulation dot1q
    switchport mode trunk
    !
    interface FastEthernet0/13
    switchport trunk encapsulation dot1q
    switchport mode trunk
    !
    interface FastEthernet0/14
    switchport mode access
    shutdown
    !
    interface FastEthernet0/15
    switchport mode access
    shutdown
    !
    interface FastEthernet0/16
    switchport mode access
    shutdown
    !
    interface FastEthernet0/17
    switchport mode access
    shutdown
    !
    interface FastEthernet0/18
    switchport mode access
    shutdown
    !
    interface FastEthernet0/19
    switchport mode access
    shutdown
    !
    interface FastEthernet0/20
    switchport mode access
    shutdown
    !
    interface FastEthernet0/21
    channel-group 1 mode auto
    switchport trunk encapsulation dot1q
    switchport mode trunk
    duplex full
    speed 100
    !
    interface FastEthernet0/22
    channel-group 1 mode auto
    switchport trunk encapsulation dot1q
    switchport mode trunk
    duplex full
    speed 100
    !
    interface FastEthernet0/23
    channel-group 1 mode auto
    switchport trunk encapsulation dot1q
    switchport mode trunk
    duplex full
    speed 100
    !
    interface FastEthernet0/24
    channel-group 1 mode auto
    switchport trunk encapsulation dot1q
    switchport mode trunk
    duplex full
    speed 100
    !
    interface GigabitEthernet0/1
    !
    interface GigabitEthernet0/2
    !
    interface Port-channel 1
    switchport trunk encapsulation dot1q
    switchport mode trunk
    !
    interface Vlan1
    no ip address
    shutdown
    !
    interface Vlan10
    ip address 172.16.16.20 255.255.240.0
    standby version 2
    standby 10 ip 172.16.16.1
    !
    interface Vlan20
    ip address 172.16.32.20 255.255.240.0
    standby version 2
    standby 20 ip 172.16.32.1
    !
    interface Vlan30
    ip address 172.16.48.20 255.255.240.0
    standby version 2
    standby 30 ip 172.16.48.1
    !
    interface Vlan40
    ip address 172.16.64.20 255.255.240.0
    standby version 2
    standby 40 ip 172.16.64.1
    !
    interface Vlan50
    ip address 172.16.80.20 255.255.240.0
    standby version 2
    standby 50 ip 172.16.80.1
    standby 50 priority 105
    standby 50 preempt
    !
    interface Vlan60
    ip address 172.16.96.20 255.255.240.0
    standby version 2
    standby 60 ip 172.16.96.1
    standby 60 priority 105
    standby 60 preempt
    !
    interface Vlan70
    ip address 172.16.112.20 255.255.240.0
    standby version 2
    standby 70 ip 172.16.112.1
    standby 70 priority 105
    standby 70 preempt
    !
    interface Vlan80
    ip address 172.16.128.20 255.255.240.0
    standby version 2
    standby 80 ip 172.16.128.1
    standby 80 priority 105
    standby 80 preempt
    !
    ip classless
    !
    !


    line con 0
    exec-timeout 0 0
    password 7 0822455D0A16
    logging synchronous
    login
    !
    line aux 0
    !
    line vty 0 4
    password 7 0829594F1E1C0C
    login
    line vty 5 15
    password 7 0829594F1E1C0C
    login
    !
    !
    end
    DISTR2#sh arp
    Protocol Address Age (min) Hardware Addr Type Interface
    Internet 172.16.16.1 19 0000.0C9F.0000 ARPA Vlan10
    Internet 172.16.16.20 - 0060.2F10.8C06 ARPA Vlan10
    Internet 172.16.32.10 14 0001.63BE.AB37 ARPA Vlan20
    Internet 172.16.32.20 - 0060.2F10.8C06 ARPA Vlan20
    Internet 172.16.48.20 - 0060.2F10.8C06 ARPA Vlan30
    Internet 172.16.64.2 1 00D0.9798.8153 ARPA Vlan40
    Internet 172.16.64.20 - 0060.2F10.8C06 ARPA Vlan40
    Internet 172.16.80.20 - 0060.2F10.8C06 ARPA Vlan50
    Internet 172.16.96.20 - 0060.2F10.8C06 ARPA Vlan60
    Internet 172.16.112.20 - 0060.2F10.8C06 ARPA Vlan70
    Internet 172.16.128.20 - 0060.2F10.8C06 ARPA Vlan80


    PC on VLAN 30


    PC>ping 172.16.48.1


    Pinging 172.16.48.1 with 32 bytes of data:


    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.


    Ping statistics for 172.16.48.1:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),


    PC>ping 172.16.48.10


    Pinging 172.16.48.10 with 32 bytes of data:


    Reply from 172.16.48.10: bytes=32 time=1ms TTL=255
    Reply from 172.16.48.10: bytes=32 time=0ms TTL=255
    Reply from 172.16.48.10: bytes=32 time=0ms TTL=255
    Reply from 172.16.48.10: bytes=32 time=0ms TTL=255


    Ping statistics for 172.16.48.10:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 1ms, Average = 0ms


    PC>ping 172.16.48.20


    Pinging 172.16.48.20 with 32 bytes of data:


    Reply from 172.16.48.20: bytes=32 time=1ms TTL=255
    Reply from 172.16.48.20: bytes=32 time=1ms TTL=255
    Reply from 172.16.48.20: bytes=32 time=0ms TTL=255
    Reply from 172.16.48.20: bytes=32 time=0ms TTL=255


    Ping statistics for 172.16.48.20:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 1ms, Average = 0ms



    PC on VLAN 60
    PC>ping 172.16.96.1


    Pinging 172.16.96.1 with 32 bytes of data:


    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.


    Ping statistics for 172.16.96.1:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),


    PC>ping 172.16.96.10


    Pinging 172.16.96.10 with 32 bytes of data:


    Reply from 172.16.96.10: bytes=32 time=0ms TTL=255
    Reply from 172.16.96.10: bytes=32 time=0ms TTL=255
    Reply from 172.16.96.10: bytes=32 time=42ms TTL=255
    Reply from 172.16.96.10: bytes=32 time=0ms TTL=255


    Ping statistics for 172.16.96.10:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 42ms, Average = 10ms


    PC>ping 172.16.96.20


    Pinging 172.16.96.20 with 32 bytes of data:


    Reply from 172.16.96.20: bytes=32 time=0ms TTL=255
    Reply from 172.16.96.20: bytes=32 time=0ms TTL=255
    Reply from 172.16.96.20: bytes=32 time=0ms TTL=255
    Reply from 172.16.96.20: bytes=32 time=0ms TTL=255


    Ping statistics for 172.16.96.20:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms


    Looking around, I found some other people with a similar problem, so as you said it could be a Packet Tracer bug:

    https://supportforums.cisco.com/discussion/11844926/hsrp-subinterfaces-problem
    https://supportforums.cisco.com/discussion/11943711/hsrp-virtual-ip-not-able-ping




    Thanks for taking the time to help, Hondabuff. I really appreciate it.
  • Hondabuff Member Posts: 667
    Do a "show vlan brief" and make sure these are there. Looks like you made the "interface VLAN X" but never made the matching VLANs. Could have been the vlan.dat file on my end. I'm on PKT 6.2.0.0052.
    Since I'm lazy and don't want to rebuild the whole topology, I would start over with 2 VLANs. I would also use SLA tracking on the trunk ports so when they fail, the HSRP will kick over. Maybe you can post the lab on a share site. I tried dropping the trunk port to the DIST layer from the Access Layer and HSRP failed to do anything.

    DISTR1#sho vlan b

    VLAN Name Status Ports
    ----


    1 default active Fa0/1, Fa0/2, Fa0/3, Fa0/4
    Fa0/5, Fa0/6, Fa0/7, Fa0/8
    Fa0/9, Fa0/12, Fa0/13, Fa0/14
    Fa0/15, Fa0/16, Fa0/17, Fa0/18
    Fa0/19, Fa0/20, Gig0/1, Gig0/2
    10 VLAN0010 active
    20 VLAN0020 active
    30 VLAN0030 active
    40 VLAN0040 active
    50 VLAN0050 active
    60 VLAN0060 active

    1002 fddi-default active
    1003 token-ring-default active
    1004 fddinet-default active
    1005 trnet-default active

  • Hondabuff Member Posts: 667
    Play around with this lab I made and get some ideas. This lab is burned in my skull from building it so many times. Play around shutting down all the trunk ports on the Primary switch and watch the HSRP in action. Get a continuous ping going from the PCs to the Gateway and have fun. It's better than an ant farm! You need Packet Tracer 6.2.0.0052.

    Wikisend: free file sharing service
  • daniel280187 Member Posts: 37
    Hondabuff wrote: »
    Do a "show vlan brief" and make sure these are there. Looks like you made the "interface VLAN X" but never made the matching VLANs. Could have been the vlan.dat file on my end. I'm on PKT 6.2.0.0052.
    Since I'm lazy and don't want to rebuild the whole topology, I would start over with 2 VLANs. I would also use SLA tracking on the trunk ports so when they fail, the HSRP will kick over. Maybe you can post the lab on a share site. I tried dropping the trunk port to the DIST layer from the Access Layer and HSRP failed to do anything.

    DISTR1#sho vlan b

    VLAN Name Status Ports
    ----


    1 default active Fa0/1, Fa0/2, Fa0/3, Fa0/4
    Fa0/5, Fa0/6, Fa0/7, Fa0/8
    Fa0/9, Fa0/12, Fa0/13, Fa0/14
    Fa0/15, Fa0/16, Fa0/17, Fa0/18
    Fa0/19, Fa0/20, Gig0/1, Gig0/2
    10 VLAN0010 active
    20 VLAN0020 active
    30 VLAN0030 active
    40 VLAN0040 active
    50 VLAN0050 active
    60 VLAN0060 active

    1002 fddi-default active
    1003 token-ring-default active
    1004 fddinet-default active
    1005 trnet-default active


    Yes, they are correctly configured and as yours.

    DISTR1#sh vlan brief


    VLAN Name Status Ports
    ----


    1 default active Fa0/1, Fa0/2, Fa0/3, Fa0/4
    Fa0/5, Fa0/6, Fa0/7, Fa0/8
    Fa0/9, Fa0/12, Fa0/13, Fa0/14
    Fa0/15, Fa0/16, Fa0/17, Fa0/18
    Fa0/19, Fa0/20, Gig0/1, Gig0/2
    10 VLAN10 active
    20 VLAN20 active
    30 VLAN30 active
    40 VLAN40 active
    50 VLAN50 active
    60 VLAN60 active
    70 VLAN70 active
    80 VLAN90 active
    200 MANAGEMENT active
    1002 fddi-default active
    1003 token-ring-default active
    1004 fddinet-default active
    1005 trnet-default active

    Thanks for the file. Will play with it.

    I will try to upload it to a blog as soon as it is totally finished and will definitely post it here. Meanwhile, send me your email in private and I will send you the file so you can check if you can find any mistake.

    Cheers!
  • Hondabuff Member Posts: 667
    For everyone else who is getting into HSRP or CCNP Switch: do a continuous ping to 192.168.10.1 and do a reload on Switch 0 and observe how HSRP works.

  • Hondabuff Member Posts: 667
    Seems to work just fine on the version I'm on. In a proper campus design, you would not have multiple VLANs blasting all around the campus. You would isolate the VLANs to the switch blocks. So 5 VLANs max, and that's including your mgt VLAN, and then on the trunk ports to the access layer you would prune everything except the ones you want going to that block. That way if a hacker gets on your access layer they will only see one VLAN and would never see the Server VLAN via trunking from the core. Once you get the Central switch up and running I would use the Gig ports and route to it via OSPF. Then add another switch off the Central core and make another VLAN for your servers. This way when you have a VLAN failure in your campus you will be able to quickly identify what block it is in. For the sake of study, I would use VTP and in production I would never use it. I made one like this a while back so you are well on your way. Feel free to blow it up as much as you want. I'm not even sure if it still works and it might make your head hurt trying to T-Shoot it!

    Wikisend: free file sharing service MASTER Port Ch.pkt

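    Added example, not from the thread: one way to check the pruning advice in the post above against a saved running-config. It lists trunk ports that have no `switchport trunk allowed vlan` line and therefore carry every VLAN. The function names are hypothetical; the sample is constructed from interface stanzas posted for DISTR1 earlier in this thread, plus one made-up pruned trunk (FastEthernet0/11) for comparison.

```python
import re

# Constructed sample: FastEthernet0/9, FastEthernet0/10 and Port-channel 1 follow the
# DISTR1 config posted in this thread; the allowed-vlan line on FastEthernet0/11 is
# a made-up hardened variant for comparison.
SAMPLE_CONFIG = """\
interface FastEthernet0/9
 switchport mode access
 shutdown
!
interface FastEthernet0/10
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface FastEthernet0/11
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10,20,200
 switchport mode trunk
!
interface Port-channel 1
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
"""

# Handles the plain list form and the "add" form; other keywords are not parsed here.
ALLOWED = re.compile(r"^switchport trunk allowed vlan (add )?([\d,\- ]+)$")


def expand_vlans(spec):
    """Turn '10,20-22' into {10, 20, 21, 22}."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def interface_blocks(config):
    """Map interface name -> list of its config lines (indentation ignored)."""
    blocks, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.lower().startswith("interface "):
            current = line[len("interface "):].strip()
            blocks[current] = []
        elif line == "!":
            current = None
        elif line and current is not None:
            blocks[current].append(line)
    return blocks


def trunk_allowed_vlans(config):
    """Map each trunk port to its allowed VLAN set, or None when it is unrestricted."""
    result = {}
    for name, lines in interface_blocks(config).items():
        if "switchport mode trunk" not in lines:
            continue
        allowed = None
        for line in lines:
            m = ALLOWED.match(line)
            if not m:
                continue
            vlans = expand_vlans(m.group(2))
            if m.group(1):
                # "add" extends an existing list; with no list the trunk stays open.
                if allowed is not None:
                    allowed |= vlans
            else:
                allowed = vlans
        result[name] = allowed
    return result


def unpruned_trunks(config):
    """Trunk ports that carry all VLANs because no allowed list is configured."""
    return [name for name, vlans in trunk_allowed_vlans(config).items() if vlans is None]


if __name__ == "__main__":
    for name in unpruned_trunks(SAMPLE_CONFIG):
        print(f"{name}: trunk carries all VLANs (no allowed list)")
```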
  • daniel280187 Member Posts: 37
    Hondabuff wrote: »
    Seems to work just fine on the version I'm on. In a proper campus design, you would not have multiple VLANs blasting all around the campus. You would isolate the VLANs to the switch blocks. So 5 VLANs max, and that's including your mgt VLAN, and then on the trunk ports to the access layer you would prune everything except the ones you want going to that block. That way if a hacker gets on your access layer they will only see one VLAN and would never see the Server VLAN via trunking from the core. Once you get the Central switch up and running I would use the Gig ports and route to it via OSPF. Then add another switch off the Central core and make another VLAN for your servers. This way when you have a VLAN failure in your campus you will be able to quickly identify what block it is in. For the sake of study, I would use VTP and in production I would never use it. I made one like this a while back so you are well on your way. Feel free to blow it up as much as you want. I'm not even sure if it still works and it might make your head hurt trying to T-Shoot it!

    Wikisend: free file sharing service MASTER Port Ch.pkt

    Hahaha 2 days now trying to troubleshoot Packet tracer then. What a waste!!

    It really makes more sense to set VLANs per blocks as you suggested and prune all other VLANs in the access switches, not only for security but to make troubleshooting easier.

    Regarding the Core Layer, I was thinking OSPF as well but with Layer 3 EtherChannels 6x100 LACP from each DISTR to each CORE switch. However, it seems to me that Packet Tracer is failing as well, since I cannot assign IPs to the PortChannel interface even when I've already declared each FastEthernet port as "no Switchport" to be able to assign IP addresses (I'll keep looking though to double check it is not a problem with my config).

    The reasoning behind this is to save the Gig Ports for the Uplink between my Core Switches and the Internet.

    I totally agree with you, VTP is better to study or practice and not to use it for real scenarios, I've seen some videos showing the mess it would produce if a new switch is introduced in the network with a higher Revision number and acting as a Server.


    One last question...
    Where would you add the servers like HTTP, Printing, FS, etc? Would it be in the access layer in each building or would you go to the Distribution layer and why?

    I've really learned from your comments today and I think the people reading this have as well! Thanks a lot for that.
  • Hondabuff Member Posts: 667
    You're looking at more of an Enterprise/Campus model like this.

  • _Gonzalo_ Member Posts: 113
    Well, you should know that HSRP does not work properly on Packet Tracer.

    To be honest, I haven't checked your configuration. But regarding your design, you do not want those links between the access layer's switches. And you want redundancy with all of them!
    If you want to see what it should look like in real life, check the design that Hondabuff posted right above.
  • Hondabuff Member Posts: 667
    Another way to look at it. Probably never noticed why but this is why most 3750/3850 switches now have 4 SFP ports.
  • daniel280187 Member Posts: 37
    Hondabuff wrote: »
    Another way to look at it. Probably never noticed why but this is why most 3750/3850 switches now have 4 SFP ports.

    Finally I am able to advance. The problem was definitely the Packet Tracer. I downloaded version 6.2 and now HSRP is working, as well as Layer 3 EtherChannels. I am glad the problem wasn't the config in the end.

    I'll stick to my design for now to try to practice the topics for CCNA as much as possible and then will try to optimise the design based on your suggestions.

    "Probably never noticed why but this is why most 3750/3850 switches now have 4 SFP ports."

    I didn't quite catch what you tried to say here. Can you expand a bit on this? As I understand it, SFPs are transceivers generally used for ports up to 1 GB and XFP from 10 Gb. So does this mean these 3750/3850 usually come with a higher port density (4 Gig ports) because they are used as Core Switches?

    Thanks for your invaluable help!

    Well, you should know that HSRP does not work properly on Packet Tracer.

    To be honest, I haven't checked your configuration. But regarding your design, you do not want those links between the access layer's switches. And you want redundancy with all of them!
    If you want to see what it should look like in real life, check the design that Hondabuff posted right above.

    Hi Gonzalo,

    Why would I know that PT doesn't work properly with HSRP? haha. I didn't develop PT. If PT didn't support the command "Standby" I would agree with you on that :)

    The purpose of connecting access switches to each other was to get more links and evaluate/understand how STP would set them up, so I wanted to make them as complex as possible.

    Thanks for your comments as well, will definitely check the designs.
  • Options
    _Gonzalo__Gonzalo_ Member Posts: 113
    Good to hear that you're making progress!
    If PT didn't support the command "Standby" I would agree with you on that :)

    About PT and HSRP, the command standby has been there for some versions, but it never worked properly. I have 6.1.1 at the moment, so maybe in your 6.2 it works... Let me know if you open PT lab again and it is still working!
    The purpose of connecting access switches to each other was to get more links and evaluate/understand how STP would set them up, so I wanted to make them as complex as possible.

    Well, if it helps you... But what Hondabuff meant is that all campus networks have this design. The main reason that a multilayer switch has 3/4 faster ports is to connect redundantly to core and between distribution itself with high speeds so access layer always goes through it.

    There is a point where too many links become an issue and have no worthy advantage. Anyway, if you like design, you'll see this soon enough.
  • Options
    daniel280187daniel280187 Member Posts: 37 ■■□□□□□□□□
    _Gonzalo_ wrote: »
    Good to hear that you're making progress!

    About PT and HSRP, the command standby has been there for some versions, but it never worked properly. I have 6.1.1 at the moment, so maybe in your 6.2 it works... Let me know if you open PT lab again and it is still working!

    Learned the hard way haha, but now it is working properly at least.
    _Gonzalo_ wrote: »
    Well, if it helps you... But what Hondabuff meant is that all campus networks have this design. The main reason that a multilayer switch has 3/4 faster ports is to connect redundantly to core and between distribution itself with high speeds so access layer always goes through it.

    There is a point where too many links become an issue and have no worthy advantage. Anyway, if you like design, you'll see this soon enough.

    Good to know that, I am really enjoying this forum and your comments! I do like design as well but I think that it is a pretty deep topic so will have to come back later after playing with my design to optimize it.

    Thanks!
  • Options
    _Gonzalo__Gonzalo_ Member Posts: 113
    So I assume that HSRP finally works consistently on PT. Great news! I just downloaded it and will check it out.
    I do like design as well but I think that it is a pretty deep topic so will have to come back later after playing with my design to optimize it. Thanks!

    You do that!

    It's not that the design is complicated, but the reasons for it being like that in some cases can be.
  • Options
    daniel280187daniel280187 Member Posts: 37 ■■□□□□□□□□
    Hi again guys,

    In the same topic... How would you configure Tracking in the real life for a Port Channel interface (Comprised of 6x100 FaEth Interfaces)?

    My Distro Switches have each 1 Port Channel Link (Comprised of 6x100 FaEth Interfaces) towards each Core Switch so what I'd Like to do is to Activate HSRP, ONLY WHEN all the Fast Ethernet Links are down (Port Channel is down).


    The option I found reading around was to set a decrement for each link down. Right now the priority of my Active Switch is 105 and the Standby is 100, so if I decrement 1 for each link, theoretically the Standby switch will turn into the active switch. If 5 of the ports fail, then both switches will have the same priority. However, my Active switch will still stay active since it has a higher IP.

    This is the config I think could work (Not in PT Though).
    DISTR1(config)#interface vlan 10
    DISTR1(config-if)#standby 10 track fastEthernet 0/1 1
    DISTR1(config-if)#standby 10 track fastEthernet 0/2 1
    DISTR1(config-if)#standby 10 track fastEthernet 0/3 1
    DISTR1(config-if)#standby 10 track fastEthernet 0/4 1
    DISTR1(config-if)#standby 10 track fastEthernet 0/5 1
    DISTR1(config-if)#standby 10 track fastEthernet 0/6 1

    I am asking this given that Packet Tracer doesn't support the "Interface Priority" option to decrement a number for each interface that goes down. What it has, though, is the option to track a specific interface, so when the interface goes down, it will decrease the priority by 10 by default. The problem with this option is that the decrement is non-cumulative, so if you have 6 interfaces as I do, then if any of those 6 interfaces goes down the Active switch will only decrease its priority by 10; even when other interfaces go down it will just decrease by 10, since it is non-cumulative.


    Is there any other way to track a Port Channel interface as I need?

    Thanks for your comments
  • Options
    HondabuffHondabuff Member Posts: 667 ■■■□□□□□□□
    That's why you would bind those interfaces to a port channel. That way you modify the port channel and it updates all 6 interfaces at once. Real world experience shows that it doesn't always play nice. I have had to shut down the interfaces and port channel and make the change and then bring them back up. Then you do your "standby 1 track port-channel 1 {weight value}". That way if your port-channel drops it will trigger HSRP. You will need real equipment to play with. GNS3 will only get you so far.
  • Options
    daniel280187daniel280187 Member Posts: 37 ■■□□□□□□□□
    Hondabuff wrote: »
    That's why you would bind those interfaces to a port channel. That way you modify the port channel and it updates all 6 interfaces at once. Real world experience shows that it doesn't always play nice. I have had to shut down the interfaces and port channel and make the change and then bring them back up. Then you do your "standby 1 track port-channel 1 {weight value}". That way if your port-channel drops it will trigger HSRP. You will need real equipment to play with. GNS3 will only get you so far.


    So what you actually track is the Port Channel instead, not the physical interfaces? That is what I thought at first but didn't find any example tracking the Port channel, not even an option in the IOS to track the port channel, and thought people would do it by playing with the decrements on each physical interface. It is very frustrating trying to set up a decent lab in Packet Tracer since most of the time wasted is due to troubleshooting Packet Tracer, not even the actual configs :S


    Yes, I really need to buy some gear, it's definitely the best way to learn.


    Thanks!
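
The priority arithmetic discussed in the tracking posts above, as an added example that is not part of the original thread: a simplified Python model of the HSRP election (both peers preempt, highest priority wins, higher IP breaks a tie) that counts how many of the six member links DISTR1 can lose before DISTR2 takes over under each tracking scheme. The peer addresses and the rule that Po1 only goes down once every member is down are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address

LINKS = [f"Fa0/{n}" for n in range(1, 7)]      # the six port-channel members

@dataclass
class Peer:
    name: str
    ip: IPv4Address                  # constructed address, not from the thread
    base: int                        # configured HSRP priority
    tracked: dict = field(default_factory=dict)   # interface -> decrement
    cumulative: bool = True          # False models the non-cumulative behaviour described
    down: set = field(default_factory=set)        # failed physical links

    def is_down(self, ifname):
        # Assumption: the bundle is down only when every member link is down.
        if ifname == "Po1":
            return all(link in self.down for link in LINKS)
        return ifname in self.down

    def priority(self):
        hits = [dec for ifname, dec in self.tracked.items() if self.is_down(ifname)]
        if not hits:
            return self.base
        penalty = sum(hits) if self.cumulative else max(hits)
        return max(self.base - penalty, 0)

def active(peers):
    # Simplified election: highest priority wins, highest IP breaks a tie.
    return max(peers, key=lambda p: (p.priority(), p.ip)).name

def links_lost_before_failover(tracked, cumulative=True):
    """Fail member links one by one; return how many were down when DISTR2 took over."""
    distr1 = Peer("DISTR1", IPv4Address("172.16.16.3"), 105, tracked, cumulative)
    distr2 = Peer("DISTR2", IPv4Address("172.16.16.2"), 100)
    for count, link in enumerate(LINKS, start=1):
        distr1.down.add(link)
        if active([distr1, distr2]) != "DISTR1":
            return count
    return None

PER_LINK = {link: 1 for link in LINKS}           # decrement 1 per member link
PER_LINK_DEFAULT = {link: 10 for link in LINKS}  # default decrement of 10 per link
PORT_CHANNEL = {"Po1": 10}                       # a single track on the bundle

if __name__ == "__main__":
    print("per-link, cumulative:", links_lost_before_failover(PER_LINK))
    print("per-link, non-cumulative:", links_lost_before_failover(PER_LINK_DEFAULT, False))
    print("port-channel track:", links_lost_before_failover(PORT_CHANNEL))
```

With 105 against 100, the cumulative per-link decrement of 1 and the single port-channel track both hold DISTR1 active until the sixth link fails, while the non-cumulative default decrement of 10 hands over on the first failure.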