networker050184 wrote: » First, to answer question B, yes, there is usually a L2 link between dist switches that share an HSRP pair. HSRP needs L2 connectivity obviously, and relying on the access layer for this is not the best idea. You don't want the operation of your distribution layer tied to the access layer.
networker050184 wrote: » You are also thinking of a perfect world where all VLAN members are on a single access switch when in reality they are likely to span multiple access switches in a switch block.
gorebrush wrote: » The best HSRP solutions I've seen have all been the ones where they track a crossover interface between them and not having EOTs out their WAN links. It makes the whole solution a waste of time because as long as each router can see its partner, but the WAN link has gone down - the failover never occurs. It's worthless.
_Gonzalo_ wrote: » D1-D2 | X | A1 A2 Let's say that all hosts on VLAN 1 are connected to A1. D1 is the HSRP active and STP root. In this case, we'll have all D1 links as designated, and the remaining D2 links in blocking state, so the resulting STP topology would be: D1-D2 | \ A1 A2 If link D1-A1 goes down, STP recalculates and D2-A1 will go designated. But as no track is configured, the HSRP active router will still be D1, as: D1-D2 . X A1 A2
gorebrush wrote: » enhanced object tracking.......
instant000 wrote: » Hope this helps.
EdTheLad wrote: » Looking at your ideal world scenario, where all hosts in vlan 1 are on A1, we don't need the link between D1 and D2 to be forwarding. The best design would be to modify the STP costs so that D1-A1 and D1-A2 are forwarding for vlan 1. The hsrp hello for vlan 1 between D1 and D2 would go via A1, so if there was a failure on one of the access links, both D1 and D2 go active and hence whichever has the access link up will become the gateway.
_Gonzalo_ wrote: » According to what I know, if D1 is the STP root, all ports have to be designated and your solution could not be applied. Therefore, I understand that you would have A1 and A2 as primary and secondary STP roots. The topology would be a little messy, as:
EdTheLad wrote: » The STP root will have all its ports as designated forwarding; any switch connected directly or indirectly will examine its received BPDUs to see which port has the lowest cost, and that will become the root port. D1-D2 cost 100, D1-A1 cost 10, D2-A1 cost 10. D2 receives 2 BPDUs, one from D1 with cost 100, one from A1 with cost 20; 20 is lower, so the port connected to A1 is the root port and the port connected to D1 is blocked.
EdTheLad wrote: » Another interesting thing to look at in this design is, imagine you enabled an igp between D1 and D2 via A1. With icmp redirect enabled, you could have the host bypass the hsrp gateway and send to the best next hop per destination.
_Gonzalo_ wrote: » Wow! Now I get what you mean. But, wouldn't we be in the same situation I described? D1 and D2 would still be L2 neighbors.
Cisco Doc wrote: Extending the relationship between ICMP redirects and HSRP provides a solution to this problem, allowing you to take advantage of the benefits of both HSRP and ICMP redirects. Two (or more) HSRP groups are run on each subnet, with at least as many HSRP groups configured as there are routers participating. The priorities are configured so that each of the routers is master of at least one HSRP group. When one router determines to redirect an endstation to a different router for a specific destination, then instead of redirecting the endstation to that other router's IP address, it finds an HSRP group that is being mastered by that router, and redirects the endstation to the corresponding virtual IP address. If that target router then fails, HSRP ensures that another router takes over its job and, perhaps, redirects the endstation to yet another, again virtual, router.
EdTheLad wrote: » True, call that an oversight .
EdTheLad wrote: » But with this scenario we don't even need that link between D1 and D2, so you could prune vlan 1 off it!
EdTheLad wrote: » So we go back to the original design with the link between D1 and D2 as forwarding, enable an igp across this link with a low cost and have icmp redirects enabled. Now when the link between A1 and D1 fails, traffic will go via D2 to D1. If D1 sees a better route to the destination via D2, it will send an icmp redirect to the hosts to bypass the hsrp ip and use D2 as the default gateway, even though D2 is the standby router in the hsrp group.
EdTheLad wrote: » Originally Posted by Cisco Doc Extending the relationship between ICMP redirects and HSRP provides a solution to this problem, allowing you to take advantage of the benefits of both HSRP and ICMP redirects. Two (or more) HSRP groups are run on each subnet, with at least as many HSRP groups configured as there are routers participating. The priorities are configured so that each of the routers is master of at least one HSRP group. When one router determines to redirect an endstation to a different router for a specific destination, then instead of redirecting the endstation to that other router's IP address, it finds an HSRP group that is being mastered by that router, and redirects the endstation to the corresponding virtual IP address. If that target router then fails, HSRP ensures that another router takes over its job and, perhaps, redirects the endstation to yet another, again virtual, router.
_Gonzalo_ wrote: » Wouldn't that mess things up, as we could end up having a L2 forwarding link unable to forward traffic?
_Gonzalo_ wrote: » But now, if I wanted to have an IGP across D1-D2 link, that would remove this link from STP. That means that L2 topology would be:
EdTheLad wrote: » How? Hosts on vlan 1 would have a link to D1 and D2, hsrp hellos would go via A1, hosts would have gateway to active.
EdTheLad wrote: » Link between A1-D1 fails, hsrp hello broken, both routers become active, hosts have a path to D2. D1 stops advertising the route as the local interface is down. Both forward and return paths are good. Link between A1-D2 fails, path via D1, same story as before.
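The root-port election EdTheLad walks through above (D1-D2 cost 100, D1-A1 and D2-A1 cost 10, D1 as root) and the hello-path failure case in his last reply can both be checked with a small per-VLAN model. The following is an added example, not code from the thread or from any vendor: it computes STP port roles from root path cost with the sender's bridge ID as tie-breaker, finds the only forwarding path hellos can take between D1 and D2, and then reports which distribution switch ends up HSRP active. Topology, costs, bridge IDs and the rule that D1 wins when hellos are exchanged are all constructed assumptions; the model is deliberately simplified (symmetric link costs, no port-ID tie-break, no object tracking), which is exactly why it reproduces _Gonzalo_'s earlier point that D1 stays active after D1-A1 fails in the full triangle.

```python
"""Added example: per-VLAN STP port roles and HSRP hello reachability
for the D1/D2/A1 switch block discussed in the thread (constructed data)."""
from collections import deque
import heapq

# Constructed link costs matching EdTheLad's numbers; each link is listed
# once and treated as symmetric (same port cost on both ends).
LINKS = {("D1", "D2"): 100, ("D1", "A1"): 10, ("D2", "A1"): 10}
# Constructed bridge IDs: lowest wins, so D1 is the root bridge.
BRIDGE_ID = {"D1": 1, "D2": 2, "A1": 3}


def compute_stp(links, bridge_id):
    """Return (root_path, roles).

    root_path[sw] = (root path cost, upstream switch); roles[(near, far)] is
    'root', 'designated' or 'blocking' for the port on `near` facing `far`.
    Root path cost is the lowest received cost, with the sender's bridge ID
    as tie-breaker, mirroring how a bridge compares the BPDUs it receives.
    """
    present = {sw for pair in links for sw in pair}
    root = min(present, key=bridge_id.get)
    adj = {}
    for (a, b), cost in links.items():
        adj.setdefault(a, {})[b] = cost
        adj.setdefault(b, {})[a] = cost

    root_path = {root: (0, None)}
    heap = [(0, bridge_id[root], root)]
    while heap:
        cost, _, sw = heapq.heappop(heap)
        if cost > root_path[sw][0]:
            continue  # stale heap entry
        for nb, link_cost in adj[sw].items():
            if nb == root:
                continue
            cand = (cost + link_cost, bridge_id[sw])
            cur = root_path.get(nb)
            if cur is None or cand < (cur[0], bridge_id[cur[1]]):
                root_path[nb] = (cost + link_cost, sw)
                heapq.heappush(heap, (cost + link_cost, bridge_id[nb], nb))

    roles = {}
    for a, b in links:
        for near, far in ((a, b), (b, a)):
            if root_path[near][1] == far:
                roles[(near, far)] = "root"
            else:
                # The end advertising the lower (cost, bridge ID) is designated;
                # the other end of the segment blocks.
                mine = (root_path[near][0], bridge_id[near])
                theirs = (root_path[far][0], bridge_id[far])
                roles[(near, far)] = "designated" if mine < theirs else "blocking"
    return root_path, roles


def forwarding_path(links, roles, src, dst):
    """BFS over links forwarding at both ends: the only path frames such as
    HSRP hellos can take between src and dst in this VLAN, or None."""
    adj = {}
    for a, b in links:
        if "blocking" not in (roles[(a, b)], roles[(b, a)]):
            adj.setdefault(a, []).append(b)
            adj.setdefault(b, []).append(a)
    prev, queue = {src: None}, deque([src])
    while queue:
        sw = queue.popleft()
        if sw == dst:
            path = []
            while sw is not None:
                path.append(sw)
                sw = prev[sw]
            return path[::-1]
        for nb in adj.get(sw, []):
            if nb not in prev:
                prev[nb] = sw
                queue.append(nb)
    return None


def hsrp_state(links, bridge_id, routers=("D1", "D2")):
    """Set of distribution switches that consider themselves HSRP active.

    Assumed rule: if hellos can cross the VLAN's forwarding topology, only
    routers[0] (constructed to hold the higher priority) is active. If the
    L2 path is gone, every router that still has a port in the VLAN goes
    active; one whose last VLAN port is down has its SVI down and drops out.
    """
    _, roles = compute_stp(links, bridge_id)
    if forwarding_path(links, roles, routers[0], routers[1]):
        return {routers[0]}
    present = {sw for pair in links for sw in pair}
    return {r for r in routers if r in present}


if __name__ == "__main__":
    scenarios = {
        "full triangle": LINKS,
        "triangle, D1-A1 down": {k: v for k, v in LINKS.items() if k != ("D1", "A1")},
        "vlan 1 pruned off D1-D2": {k: v for k, v in LINKS.items() if k != ("D1", "D2")},
        "pruned, D1-A1 down": {("D2", "A1"): 10},
    }
    for name, links in scenarios.items():
        _, roles = compute_stp(links, BRIDGE_ID)
        blocked = sorted(p for p, r in roles.items() if r == "blocking")
        print(f"{name}: blocked={blocked} hello path="
              f"{forwarding_path(links, roles, 'D1', 'D2')} active={hsrp_state(links, BRIDGE_ID)}")
```

Running it shows D2 blocking its port toward D1 and the hello path D1-A1-D2 in the full triangle; with D1-A1 down and no tracking, hellos simply move onto the D1-D2 link and D1 remains active; with VLAN 1 pruned off D1-D2 and then D1-A1 down, D1 has no port left in the VLAN and D2 is the only active router, which is the hosts-still-have-a-gateway outcome EdTheLad describes.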
EdTheLad wrote: » D1-D2 link is a trunk port, with vlan 1 allowed, SV1 for vlan 1 is configured on D1 and D2,
_Gonzalo_ wrote: » I see your point. But you are not taking A2 into consideration. That would work if A2 was not there, but it would not if it is, as we'd be back to D1 and D2 being L2 neighbors, so it's the same case:
EdTheLad wrote: » Still as per the ideal world scenario, A2 has vlan 2 only. Vlan 2 is in a separate hsrp group, A2 has both its uplinks to D1 and D2. Hosts on vlan 2 hanging off A2 will have a GW pointing to the active hsrp group. Uplink fails, same behavior as vlan 1. A1 and A2 are completely isolated from each other, they are running on different vlans. Both D1 and D2 have 2 SVIs, the trunk between D1 and D2 allows vlan 1 and 2.
EdTheLad wrote: » Anyway, it's all just fantasy, vlans are generally dispersed.
_Gonzalo_ wrote: » I did not mean that. I meant that A2 would still be there for the partial VLAN 1 STP topology.
_Gonzalo_ wrote: » "D1-D2 link is a trunk port, with vlan 1 allowed, SV1 for vlan 1 is configured on D1 and D2" I don't see how this qualifies as having an "igp across this link" (D1-D2). Either both interfaces have IP and then you include them on igp operation, or they do not, including them on STP operation.
EdTheLad wrote: » I was just following your ideal world scenario: A1 is the only switch with vlan 1, A2 does not have vlan 1 and hence does not run spanning-tree on vlan 1, so it has no effect on STP for A1. A2 is running its own instance of STP for vlan 2.
EdTheLad wrote: » As you can see in the config above, the switch has a port in vlan 1 which will participate in STP. It has a layer 3 svi associated with the vlan where you enable the igp. I think you need to go back and study the basics to get a good foundation before you go down the design path.
_Gonzalo_ wrote: » Let's say that all hosts on VLAN 1 are connected to A1.
EdTheLad wrote: » I just followed your design description; if all hosts belonging to vlan 1 are on A1, why would I have vlan 1 on A2? There would be no point?
Lucas21 wrote: » Are you sure you're CCNP R&S certified? I hope you mean that you are studying to be and not already certified. Because if you are a CCNP and don't know simple STP and vlan fundamentals, there's something wrong with your study methods.
Lucas21 wrote: » No need for Cisco verification; I believe you. Sorry if I came across as disrespectful.
_Gonzalo_ wrote: » I understand that this SHOULD work. So, as per the first condition, is it correct to assume that datagrams are considered to enter and exit Device1's SVI, or does ICMP redirect have a special behaviour when interacting with HSRP?
EdTheLad wrote: » This is why I told you that you need to have an IGP running over the SVI: a redirect is only sent if the adjacent l3 switch has a better route to the destination, and that path would be via the SVI interface towards the adjacent l3 switch.