Posted by: Richard @ Configureterminal.com | February 26, 2008

None of it matters if a bomb hits us!

I know I have moved on to BGP and you are probably expecting a post about BGP today, but I’m going to quickly post about something I’ve covered in the past: HSRP.
Today I came across a new design issue caused by a new failover system in one of our new web server deployments (AIX). After sitting around a table and agreeing on the design for a new web application with a supplier, my colleague had configured our two ‘core’ switches with three separate VLANs and SVIs to deal with three different network functions:
 

MLS 1 =
interface Vlan10
 description Public
 ip address 10.10.10.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 standby 1 ip 10.10.10.254
 standby 1 priority 110
 standby 1 preempt delay minimum 30
!
interface Vlan11
 description Private
 ip address 10.10.11.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 standby 1 ip 10.10.11.254
 standby 1 priority 110
 standby 1 preempt delay minimum 30
!
interface Vlan12
 description Standby
 ip address 10.10.12.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 standby 1 ip 10.10.12.254
 standby 1 priority 110
 standby 1 preempt delay minimum 30
!

MLS 2 =
interface Vlan10
 description Public
 ip address 10.10.10.2 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 standby 1 ip 10.10.10.254
 standby 1 priority 105
!
interface Vlan11
 description Private
 ip address 10.10.11.2 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 standby 1 ip 10.10.11.254
 standby 1 priority 105
!
interface Vlan12
 description Standby
 ip address 10.10.12.2 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 standby 1 ip 10.10.12.254
 standby 1 priority 105
!


The VLANs were then ‘trunked’ to ‘server block’ 3750 stacks, and the servers were connected via LACP bundles.

Someone approached me today…. I thought to myself ‘my colleague is on leave but it’s all pretty standard, right?’ (OK, I don’t think ‘my colleague’ in my head! But I haven’t asked his permission to publish his name.) Then I asked myself ‘what is the standby VLAN/network for?’ So I asked, and this is the explanation I got:
“The standby interfaces are for when a problem is detected using heartbeats on either the public interface(s) or private interface(s), the standby interface will take over the IP address of a failed link so we need everything all in one VLAN”.
Well, that is a new way of doing things! I’m used to the standard Windows style resilience using public facing + private heartbeat networks but not a ‘floating interface’! I had a think… ‘what I am being told means that for the standby interface to be able to mimic either the public or private network connections they all have to be within the same broadcast domain as 10.10.10.254 + 10.10.11.254 + 10.10.12.254’. I complained about what I was being asked to do….. both the public and private links have LACP bundles so the chances of both bundled interfaces failing….. troubleshooting…. dot1q?
I also thought about enabling proxy-arp on the three VLANs, but because it is automatically disabled across our network (it’s become routine) I thought it would more than likely be disabled by another member of the team sometime in the future. I also don’t like the idea of relying on proxy-arp for a core system, or adding the kind of load that we could be adding in the event of a failure to our ‘creaking’ switches.

I decided to do what I was told but then I had to stop and think again… ‘does HSRP support secondary IP addresses?’  I ‘googled’ it and the answer is yes:

Option 1 (what I did):
MLS 1=
no interface vlan 11
no interface vlan 12
!
no vlan 11
no vlan 12
!
interface Vlan10
 description Web Services
 ip address 10.10.12.1 255.255.255.0 secondary
 ip address 10.10.11.1 255.255.255.0 secondary
 ip address 10.10.10.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 standby 1 ip 10.10.10.254
 standby 1 ip 10.10.11.254 secondary
 standby 1 ip 10.10.12.254 secondary
 standby 1 priority 110
 standby 1 preempt delay minimum 30
!

MLS 2=
interface Vlan10
 description Web Services
 ip address 10.10.12.2 255.255.255.0 secondary
 ip address 10.10.11.2 255.255.255.0 secondary
 ip address 10.10.10.2 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 standby 1 ip 10.10.10.254
 standby 1 ip 10.10.11.254 secondary
 standby 1 ip 10.10.12.254 secondary
 standby 1 priority 105
!

Option 2:
MLS 1=
interface Vlan10
 description Web Services
 ip address 10.10.12.1 255.255.255.0 secondary
 ip address 10.10.11.1 255.255.255.0 secondary
 ip address 10.10.10.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 standby 1 ip 10.10.10.254
 standby 2 ip 10.10.11.254
 standby 3 ip 10.10.12.254
 standby 1 priority 110
 standby 1 preempt delay minimum 30
 standby 2 priority 110
 standby 2 preempt delay minimum 30
 standby 3 priority 110
 standby 3 preempt delay minimum 30
!

MLS 2=
interface Vlan10
 description Web Services
 ip address 10.10.12.2 255.255.255.0 secondary
 ip address 10.10.11.2 255.255.255.0 secondary
 ip address 10.10.10.2 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 standby 1 ip 10.10.10.254
 standby 2 ip 10.10.11.254
 standby 3 ip 10.10.12.254
 standby 1 priority 105
 standby 2 priority 105
 standby 3 priority 105
!

 

Post-changes:
Switch1#sho standby vlan 10
Vlan70 - Group 1
  State is Active
    2 state changes, last state change 1d00h
  Virtual IP address is 10.10.10.254
    Secondary virtual IP address 10.10.11.254
    Secondary virtual IP address 10.10.12.254
  Active virtual MAC address is 0000.0c07.ac01
    Local virtual MAC address is 0000.0c07.ac01 (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 0.123 secs
  Preemption enabled, delay min 30 secs
  Active router is local
  Standby router is 10.10.10.2, priority 105 (expires in 8.767 sec)
  Priority 110 (configured 110)
  IP redundancy name is "hsrp-Vl70-1" (default)
!
Switch 2 =
Vlan70 - Group 1
  State is Standby
    2 state changes, last state change 01:51:57
  Virtual IP address is 10.10.10.254
    Secondary virtual IP address 10.10.11.254
    Secondary virtual IP address 10.10.12.254
  Active virtual MAC address is 0000.0c07.ac01
    Local virtual MAC address is 0000.0c07.ac01 (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 0.396 secs
  Preemption disabled
  Active router is 10.10.10.1, priority 110 (expires in 8.676 sec)
  Standby router is local
  Priority 105 (configured 105)
  IP redundancy name is "hsrp-Vl70-1" (default)
!


I chose option 1 because only one MAC address is used for all the IP addresses, the configuration takes up fewer lines (simply add the secondary keyword), and failover occurs for all the IPs in tandem. Option 2 is advantageous when you need to split the active routers for different IP addresses and/or want a different MAC address per IP address.
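
The difference between the two options can be checked offline from the configuration text. The script below is an added example, not part of the original post: it groups the virtual IPs by HSRP version 1 virtual MAC and flags any virtual IP that no longer falls inside a subnet configured on the SVI. The function name audit_svi and the trimmed config strings are assumptions made for the illustration.

```python
import ipaddress
import re

# Constructed input: the MLS 1 Vlan10 SVI from Option 1 and Option 2 above,
# trimmed to the lines this check reads.
OPTION1 = """\
interface Vlan10
 ip address 10.10.12.1 255.255.255.0 secondary
 ip address 10.10.11.1 255.255.255.0 secondary
 ip address 10.10.10.1 255.255.255.0
 standby 1 ip 10.10.10.254
 standby 1 ip 10.10.11.254 secondary
 standby 1 ip 10.10.12.254 secondary
 standby 1 priority 110
"""
OPTION2 = """\
interface Vlan10
 ip address 10.10.12.1 255.255.255.0 secondary
 ip address 10.10.11.1 255.255.255.0 secondary
 ip address 10.10.10.1 255.255.255.0
 standby 1 ip 10.10.10.254
 standby 2 ip 10.10.11.254
 standby 3 ip 10.10.12.254
"""


def audit_svi(config):
    """Return ({virtual_mac: [vips]}, [vips outside every SVI subnet])."""
    subnets = [
        ipaddress.ip_interface(f"{ip}/{mask}").network
        for ip, mask in re.findall(r"^ ip address (\S+) (\S+)", config, re.M)
    ]
    by_mac, orphans = {}, []
    for group, vip in re.findall(r"^ standby (\d+) ip (\S+)", config, re.M):
        # HSRP version 1 virtual MAC is 0000.0c07.acXX, XX = group number in hex
        mac = f"0000.0c07.ac{int(group):02x}"
        by_mac.setdefault(mac, []).append(vip)
        # A virtual IP is only usable if the SVI has an address in its subnet
        if not any(ipaddress.ip_address(vip) in net for net in subnets):
            orphans.append(vip)
    return by_mac, orphans


if __name__ == "__main__":
    for name, cfg in (("Option 1", OPTION1), ("Option 2", OPTION2)):
        by_mac, orphans = audit_svi(cfg)
        print(name, by_mac, "orphaned VIPs:", orphans)
```

Running the same function over the peer switch's SVI and comparing the returned dictionaries shows whether both switches carry the same set of virtual IPs per group.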

From my past experiences I expect that things will change again and I will be rolling back to the old config……
