VLAN interface and STP

Ok, so suppose I have a layer 2 access switch connected to two layer 3 core switches for redundancy... if I want to implement redundancy (without a FHRP) then I'm going to have to configure both core switches VLAN interfaces with identical IP addresses-- right? My question is, is this a valid design? Obviously I'd expect to get notifications in IOS, but apart from that is there a problem with this design?

Thank you.

Find more posts tagged with

Comments

amb1s1

You can't have the same ip on two different device. Is the interconnection between the core and the access a layer 3 connection or Layer 2? If it is a layer 3 routing should take care redundancy. If it is layer 2, use different IPs on the core and you still would have redundancy, just allow the vlan on the trunk.

Trifidw

Ignoring everything else that's wrong with the design, connected PC's will not be able to access anything outside of their subnet when their router fails until their arp cache timesout.

There is a reason why protocols such as HSRP exist...

Eildor

amb1s1 wrote: »

You can't have the same ip on two different device. Is the interconnection between the core and the access a layer 3 connection or Layer 2? If it is a layer 3 routing should take care redundancy. If it is layer 2, use different IPs on the core and you still would have redundancy, just allow the vlan on the trunk.

The connection between access and core is layer 2 as I alluded to in my first post.

If I were to have different IP addresses on the VLAN interfaces then I'd be in trouble if one of the core switches were to go down, since they are the default gateway.

Eildor

Trifidw wrote: »

There is a reason why protocols such as HSRP exist...

Ok, sure... and if you don't have layer 3 access switches which support FHRP?

Trifidw

Eildor wrote: »

Ok, sure... and if you don't have layer 3 access switches which support FHRP?

What model is the switch? I'll sell you 2 3550's that support HSRP for £200...

I'd have the second switch as a cold standby with the routed interface in a shut state. If the first switch fails it is a simple of case of "no shut". If they need no downtime, tell them to get some money. Or if I was dead set on having a terrible lukewarm standby solution, I wouldn't look into the possibility of having a DHCP server on each L3 switch, advertising its own unique IP address as the default gateway and only having access to half the IP address scope.

Eildor

Trifidw wrote: »

What model is the switch? I'll sell you 2 3550's that support HSRP for £200...

I'd have the second switch as a cold standby with the routed interface in a shut state. If the first switch fails it is a simple of case of "no shut". If they need no downtime, tell them to get some money. Or if I was dead set on having a terrible lukewarm standby solution, I wouldn't look into the possibility of having a DHCP server on each L3 switch, advertising its own unique IP address as the default gateway and only having access to half the IP address scope.

This is all just theoretical, as I was curious.

But I guess you're right, layer 3 switches are cheap enough not to have to work around STP.

Forsaken_GA

The first problem is that you're not defining redundancy. What kind of redundancy are you looking for, layer 2 or layer 3?

Layer 2 redundancy, you'd be fine with since the access switch has a link to each core switch. One link fails, it goes the other way.

And I could probably do layer 3 redundancy utilizing floating static routes. Have the layer 3 switch with the vlan's default gateway on it advertise that route via an IGP, and then define a static route for the gateway pointing out the secondary switches default path out with a higher administrative distance than the IGP... if the first switch goes down, the 2nd switch loses the route, and it's static kicks in. Whether or not you'd need any further static routes to get the return traffic through depends on the design further upstream.

So while it's certainly possible to get redundancy without deploying a FHRP, it's foolish to be deploying core gear without the capability of at least HSRP/VRRP.

And your layer 3 redundancy has absolutely nothing to do with STP.

Eildor

Forsaken_GA wrote: »

And your layer 3 redundancy has absolutely nothing to do with STP.

Of course, I was referring to layer 2 redundancy and inter-VLAN routing.

Forsaken_GA

Eildor wrote: »

Of course, I was referring to layer 2 redundancy and inter-VLAN routing.

and Inter-Vlan routing is a layer 3 function, not a layer 2 one, and has nothing to do with STP. Redundancy for one does not equate to redundancy for another.

Your layer 2 redundancy is fine, since you've got two links. Link to the switch with the gateway SVI dies, no problem, it goes the other link and you've maintained end to end.

Now let's say the switch with the gateway SVI dies entirely. Your layer 2 redundancy is *still* there, it'll go via the other link, however, since the SVI is down, your traffic dies there, since you're not deploying any layer 3 redundancy.

Entirely separate problems with entirely separate solutions.

Eildor

Forsaken_GA wrote: »

Now let's say the switch with the gateway SVI dies entirely. Your layer 2 redundancy is *still* there, it'll go via the other link, however, since the SVI is down, your traffic dies there, since you're not deploying any layer 3 redundancy.

Entirely separate problems with entirely separate solutions.

But that's what I'm trying to say, if I have both of the layer 3 switches configured with SVI's with identical IP addresses then I have some layer 3 redundancy don't I? And the reason I mention STP is because, sure, if STP wasn't blocking one of the redundant links then I'm going to have an issue due to the duplicate IP addresses, but since STP is blocking one link the duplicate SVI IP addresses shouldn't cause a problem to devices connected to the access switches... or at least that's what I thought.

I'm sorry I'm confusing myself, and probably you.

Forsaken_GA

Eildor wrote: »

But that's what I'm trying to say, if I have both of the layer 3 switches configured with SVI's with identical IP addresses then I have some layer 3 redundancy don't I? And the reason I mention STP is because, sure, if STP wasn't blocking one of the redundant links then I'm going to have an issue due to the duplicate IP addresses, but since STP is blocking one link the duplicate SVI IP addresses shouldn't cause a problem to devices connected to the access switches... or at least that's what I thought.

I'm sorry I'm confusing myself, and probably you.

If you dupe the IP within the VLAN, you're going to create ARP problems, and depending on how you advertise the SVI(s) to the rest of the routing domain, you're also going to create asymetric routing, which may cause issues with your firewalls if you're doing reverse path checking, screw with the delay and jitter on your VOIP calls if you're doing that, and so on.

The point I'm trying to make is that STP does not solve layer 3 problems, and continuing to think it does is going to cause you massive amounts of headaches. Either accept the lack of layer 3 redundancy, or deploy one of the solutions specifically developed for it.

Eildor

Forsaken_GA wrote: »

If you dupe the IP within the VLAN, you're going to create ARP problems, and depending on how you advertise the SVI(s) to the rest of the routing domain, you're also going to create asymetric routing, which may cause issues with your firewalls if you're doing reverse path checking, screw with the delay and jitter on your VOIP calls if you're doing that, and so on.

The point I'm trying to make is that STP does not solve layer 3 problems, and continuing to think it does is going to cause you massive amounts of headaches. Either accept the lack of layer 3 redundancy, or deploy one of the solutions specifically developed for it.

I see your point, cheers mate.