Welcome back! Today, we’ll continue with HSRP, working with a slightly more complex topology. If you haven’t read part one yet, you can find it here.
We’re going to create a few more VLANs, and the design will be modified to add in some load balancing. Our HSRP router DSW2 is exactly the same device as DSW1, but it’s in Standby mode and could be better utilized in a larger topology. By having some of our VLAN traffic route through DSW2, we can make better use of network resources while maintaining a redundant and predictable solution. Our layer two topology plays a big part in our design, as we want to make sure we have as many links as possible in a forwarding state while ensuring loop-free connectivity. Let’s take a look at the left-hand side of the original topology from a layer two perspective.
You can see that our uplink to DSW2 is blocking to avoid a loop, which is normal spanning tree behavior. However, it would be better to minimize the role of spanning tree by making the link between DSW1 and DSW2 layer three instead of layer two (let’s face it, spanning tree can be the devil). By doing this, both uplinks from the access layer to DSW1 and DSW2 will be forwarding (though our VLAN 50 traffic will always take the path through DSW1). There won’t be a loop at layer two provided we implement some controls on which VLANs are allowed on certain trunks, and convergence time will be reduced as there won’t be a contest over which switch and which port should be forwarding in the event of a topology change.
Cisco on best practice for optimal convergence
“Only use L2 looped topologies if it cannot be avoided. In general practice, the most deterministic and best-performing networks in terms of convergence, reliability, and manageability are free from L2 loops and do not require STP to resolve convergence events under normal conditions. However, STP should be enabled to protect against unexpected loops on the access or user-facing interfaces.” See: Campus Network for High Availability Design Guide
A word on asymmetric routing
In order for the topology to be redundant, both DSW1 and DSW2 need to advertise the VLAN 50 subnet into the core. This will provide two equal cost return paths for traffic by default. On the return path in this scenario, some of the traffic would flow from the core to DSW1, and then to SW1, and some traffic would flow via DSW2. This is asymmetric routing: the return traffic takes a different path from the one the outbound traffic used. (Access to Core traffic will always flow via DSW1 unless DSW2 becomes the Active HSRP router.) Depending on what packets you’re pushing around the network, you may want to configure a more predictable return path, as asymmetric routing can cause problems in some environments (stateful firewalls and inspection in the path are the usual victims). Having a more predictable path will make troubleshooting easier too. You can do this by tuning your routing protocol’s metric so that the route to VLAN 50 via DSW1 is preferred.
Let’s take a look at the design of our new topology for VLAN 50:
Both uplinks from SW1 are forwarding from a spanning tree perspective (see more detail below on VLAN control).
We’ve added the layer three link between the distribution switches, which has taken a much desired chunk out of spanning tree’s influence on the network. This also means that hellos between the two HSRP routers will pass via the access layer, because HSRP requires layer two adjacency between the routers. This isn’t a problem based on our configuration, but it would pay to review your design with the access layer switch interconnections in mind, since that path now carries the HSRP hellos.
The full topology
Okay, so let’s look at the larger topology with a few more VLANs. In order to use the hardware more efficiently we’ll add load balancing by configuring VLANs 20 and 50 to use DSW1 as a gateway, making it the Active HSRP router and RSTP root for those VLANs. On the right-hand side of the topology we’ll configure VLANs 80 and 100 on SW2 to use DSW2, making DSW2 the Active HSRP router and RSTP root for those VLANs.
Configuration of DSW1
interface Vlan20
ip address 10.10.20.2 255.255.255.0
standby 20 ip 10.10.20.1
standby 20 timers msec 200 msec 600
standby 20 priority 150
standby 20 preempt delay minimum 60
!
interface Vlan50
ip address 10.10.50.2 255.255.255.0
standby 50 ip 10.10.50.1
standby 50 timers msec 200 msec 600
standby 50 priority 150
standby 50 preempt delay minimum 60
!
interface Vlan80
ip address 10.10.80.3 255.255.255.0
standby 80 ip 10.10.80.1
standby 80 timers msec 200 msec 600
standby 80 priority 110
standby 80 preempt delay minimum 60
!
interface Vlan100
ip address 10.10.100.3 255.255.255.0
standby 100 ip 10.10.100.1
standby 100 timers msec 200 msec 600
standby 100 priority 110
standby 100 preempt delay minimum 60
!
You’ll notice the standby group numbers have been set to match the VLAN numbers for ease of management. The preempt delay has been kept at 60 seconds, but Cisco recommends timing the switch boot time and setting the delay value accordingly. You can read more about this in the High Availability Design Guide I linked to above.
Configuration of DSW2
interface Vlan20
ip address 10.10.20.3 255.255.255.0
standby 20 ip 10.10.20.1
standby 20 timers msec 200 msec 600
standby 20 priority 110
standby 20 preempt delay minimum 60
!
interface Vlan50
ip address 10.10.50.3 255.255.255.0
standby 50 ip 10.10.50.1
standby 50 timers msec 200 msec 600
standby 50 priority 110
standby 50 preempt delay minimum 60
!
interface Vlan80
ip address 10.10.80.2 255.255.255.0
standby 80 ip 10.10.80.1
standby 80 timers msec 200 msec 600
standby 80 priority 150
standby 80 preempt delay minimum 60
!
interface Vlan100
ip address 10.10.100.2 255.255.255.0
standby 100 ip 10.10.100.1
standby 100 timers msec 200 msec 600
standby 100 priority 150
standby 100 preempt delay minimum 60
!
Verification
Looking good, but there’s just one more thing to take care of to cement the paths at layer two. If the link between SW1 and DSW1 goes down we want DSW2 to become the RSTP root, otherwise traffic could flow through SW2 at the Access layer on the right to get to DSW1. This is what could happen:
To avoid this issue, we need to remove certain VLANs from trunks that don’t need to carry them. The trunk between DSW2 and SW2 shouldn’t carry traffic for VLAN 20 or 50, so we’ll remove it on DSW2:
Likewise on DSW1, we remove VLANs 80 and 100 from the trunk to SW1:
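As an added example (not configuration from the original post), here is how the trunk pruning described above looks in IOS on both distribution switches, together with the routed inter-distribution link. The interface names (GigabitEthernet1/0/1 for the downlink to the access switch, GigabitEthernet1/0/24 for the DSW1 to DSW2 link) and the 10.10.1.0/30 link subnet are assumptions.

```cisco
! DSW2, assumed interface: the trunk down to SW2 must not carry
! VLANs 20 or 50, so the only path for those VLANs is via DSW1
interface GigabitEthernet1/0/1
 description Trunk to SW2
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 switchport trunk allowed vlan remove 20,50
!
! DSW1, assumed interface: the trunk down to SW1 must not carry
! VLANs 80 or 100, the mirror image of the DSW2 change
interface GigabitEthernet1/0/1
 description Trunk to SW1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 switchport trunk allowed vlan remove 80,100
!
! Both DSW1 and DSW2: the inter-distribution link is routed, not a
! trunk, so no VLAN can loop across it (10.10.1.0/30 is assumed;
! DSW2 uses .2)
interface GigabitEthernet1/0/24
 description L3 link DSW1 - DSW2
 no switchport
 ip address 10.10.1.1 255.255.255.252
!
! Verification: the allowed-VLAN column should show only the VLANs
! that are meant to use this switch as gateway
show interfaces trunk
! and the expected switch should be root for each VLAN
show spanning-tree vlan 20
show spanning-tree vlan 80
```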
Authentication
Finally, we’ll turn on MD5 authentication. Think back to when you last configured EIGRP authentication, because we’re going to make use of the key chain system.
This configuration needs to be repeated for each VLAN on DSW1 and DSW2. You’re able to make use of the accept-lifetime and send-lifetime parameters under the key chain configuration. If you don’t have HSRP authentication configured for one of the VLANs on the other switch you’ll see:
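As an added example (not the original post’s configuration), this is the key chain and per-group binding that the authentication step describes, with accept-lifetime and send-lifetime set up for a key rollover. The chain name HSRP-KEYS, the key-string values and the dates are placeholders; the accept window of the new key overlaps the send window of the old one so hellos keep authenticating during the change.

```cisco
! Key chain shared by DSW1 and DSW2; the key-strings are placeholders
! and must be identical on both switches. Lifetimes depend on the
! system clock, so keep both switches on NTP.
key chain HSRP-KEYS
 key 1
  key-string PLACEHOLDER-OLD-SECRET
  accept-lifetime 00:00:00 Jan 1 2024 infinite
  send-lifetime 00:00:00 Jan 1 2024 00:00:00 Jul 1 2024
 key 2
  key-string PLACEHOLDER-NEW-SECRET
  ! accepted from Jun 30 so that a peer still sending key 1 on
  ! Jul 1 or one that moved to key 2 early is both accepted
  accept-lifetime 00:00:00 Jun 30 2024 infinite
  send-lifetime 00:00:00 Jul 1 2024 infinite
!
! Bind the chain to every HSRP group; repeat for VLANs 20, 50, 80
! and 100 on both DSW1 and DSW2
interface Vlan20
 standby 20 authentication md5 key-chain HSRP-KEYS
!
interface Vlan50
 standby 50 authentication md5 key-chain HSRP-KEYS
!
interface Vlan80
 standby 80 authentication md5 key-chain HSRP-KEYS
!
interface Vlan100
 standby 100 authentication md5 key-chain HSRP-KEYS
!
! Verification: the authentication method and chain name are listed
! per group, and the key chain output shows which key is active
show standby vlan 20
show key chain
```

A group that is authenticated on one switch but not the other (or with a different key) keeps both switches from seeing each other’s hellos, and IOS logs the mismatch as %HSRP-4-BADAUTH on the receiving side.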
Great, we’re done for this post! But remember that you need to tune RSTP and routing protocol timers so they are aligned with HSRP; then convergence and re-convergence will be seamless. Interface or object tracking should also be configured to decrement the HSRP priority when a tracked link or object goes down, so that the Active/Standby roles change accordingly. There are many ways you can adjust your design for different business requirements, so get creative!