Monday, August 10, 2009

HSRP Limitations on 6509’s

Well, I had to create some new VLANs on a pair of 6509’s with dual Sup 2’s with MSFC2’s. These 6509’s had a few dozen VLANs already configured and lots of the VLANs had HSRP configured.

So I created the new VLANs and then the VLAN interfaces on the MSFC. I added the IP address and then went to set up the HSRP config and received an error.


MSFC-A-PRI(config)# int vlan229
MSFC-A-PRI(config-if)# description VLAN for Database Servers
MSFC-A-PRI(config-if)# ip address 172.25.229.2 255.255.255.0
MSFC-A-PRI(config-if)# ip access-group vlan229 in
MSFC-A-PRI(config-if)# standby 229 ip 172.25.229.1
More than 16 standby groups not supported in this platform.


WTF?

I then realized I was running into this limitation.

I had previously configured each VLAN # with the same standby group #. See here…

MSFC-A-PRI#sh runn int vlan165
Building configuration...

Current configuration : 321 bytes
!
interface Vlan165
description Wireless VLAN , SSID:public-access
ip address 172.25.165.2 255.255.255.0
ip access-group vlan165 in
ip helper-address 172.25.224.255
no ip redirects
no ip unreachables
ip route-cache policy
ip policy route-map 165-vlan
standby 165 ip 172.25.165.1
standby 165 priority 110
standby 165 preempt
standby 165 authentication hsrppass
end

MSFC-A-PRI#sh runn int vlan166
Building configuration...

Current configuration : 304 bytes
!
interface Vlan166
description Wireless VLAN , SSID:guest-internet
ip address 172.25.166.4 255.255.255.0
ip access-group vlan166 in
ip helper-address 172.25.224.255
no ip redirects
no ip unreachables
ip route-cache policy
ip policy route-map 166-vlan
standby 166 ip 172.25.166.1
standby 166 priority 108
standby 166 authentication hsrppass
end

MSFC-A-PRI#
MSFC-A-PRI# sh standby
….output truncated….
Vlan165 - Group 165
Local state is Active, priority 110, may preempt
Hellotime 3 sec, holdtime 10 sec
Next hello sent in 2.088
Virtual IP address is 172.25.165.1 configured
Active router is local
Standby router is 172.25.165.3 expires in 7.584
Virtual mac address is 0000.0c07.aca5
Authentication text "hsrppass"
1 state changes, last state change 36w5d
IP redundancy name is "hsrp-Vl165-165" (default)
Vlan166 - Group 166
Local state is Listen, priority 108
Hellotime 3 sec, holdtime 10 sec
Virtual IP address is 172.25.166.1 configured
Active router is 172.25.166.2, priority 110 expires in 8.616
Standby router is 172.25.166.3 expires in 7.836
Authentication text "hsrppass"
0 state changes, last state change never
IP redundancy name is "hsrp-Vl166-166" (default)

See how the standby groups are the same integer as the interface number. This is preferred; however, 6509’s with a Sup2/PFC2 are limited to 16 HSRP groups. Apparently the 3550 is also limited in this way. Most other 6500 Supervisors are limited to 256 groups, which is nicer than the 16 that we are limited to here.

3550 limitation link


Luckily I only have to deal with this on one platform, today… 

So here is how I’ll be changing the config on all 4 of the MSFC’s. In the new config all the interfaces will share the same standby Group number where before each interface had its own.


!
! MSFC-A-PRI
!
interface Vlan165
no standby 165 ip 172.25.165.1
no standby 165 priority 110
no standby 165 preempt
no standby 165 authentication hsrppass
standby 10 ip 172.25.165.1
standby 10 priority 110
standby 10 preempt
standby 10 authentication hsrppass
!
! MSFC-A-SEC
!
interface Vlan165
no standby 165 ip 172.25.165.1
no standby 165 priority 109
no standby 165 authentication hsrppass
standby 10 ip 172.25.165.1
standby 10 priority 109
standby 10 authentication hsrppass
!
! MSFC-B-PRI
!
interface Vlan165
no standby 165 ip 172.25.165.1
no standby 165 priority 108
no standby 165 authentication hsrppass
standby 10 ip 172.25.165.1
standby 10 priority 108
standby 10 authentication hsrppass
!
! MSFC-B-SEC
!
interface Vlan165
no standby 165 ip 172.25.165.1
no standby 165 priority 107
no standby 165 authentication hsrppass
standby 10 ip 172.25.165.1
standby 10 priority 107
standby 10 authentication hsrppass
!

Now that I’ve reconfig’ed the 2 interfaces (actually I’ve grouped as many as 10 VLANs into a single HSRP Group) I have the ability to create more VLAN interfaces and configure them for HSRP.

See the changes to the HSRP group numbers. The two VLAN interfaces are sharing the same HSRP Group Number, 10.

MSFC-A-PRI#
MSFC-A-PRI#sh standby vlan 165
Vlan165 - Group 10
Local state is Active, priority 110, may preempt
Hellotime 3 sec, holdtime 10 sec
Next hello sent in 2.220
Virtual IP address is 172.25.165.1 configured
Active router is local
Standby router is 172.25.165.3 expires in 8.636
Virtual mac address is 0000.0c07.ac0a
Authentication text "hsrppass"
2 state changes, last state change 02:33:12
IP redundancy name is "hsrp-Vl165-10" (default)
MSFC-A-PRI#sh standby vlan 166
Vlan166 - Group 10
Local state is Listen, priority 108
Hellotime 3 sec, holdtime 10 sec
Virtual IP address is 172.25.166.1 configured
Active router is 172.25.166.2, priority 110 expires in 8.268
Standby router is 172.25.166.3 expires in 8.836
Authentication text "hsrppass"
5 state changes, last state change 02:31:12
IP redundancy name is "hsrp-Vl166-10" (default)
MSFC-A-PRI#
MSFC-A-PRI#


There are lots of caveats listed in the links that may affect you, me, or our friend. One that could affect me (it doesn’t on this router, but may on another) is having multiple HSRP processes running on a router.

Q. Can I only configure a total of 16 HSRP VLAN interfaces or 16 HSRP processes in the Supervisor Engine 2-based system?
A. No. You can use the 16 unique group IDs on as many interfaces as you like. 16 HSRP groups does not mean that you can have only 16 HSRP processes or 16 VLAN interfaces with HSRP enabled. The only caveat is that you can only define up to 16 HSRP processes per interface. However, it is very unlikely that you would need more than 16 HSRP processes per interface in a well-designed network.


On some of our routers we have configured secondary interfaces….. eg….

3845_Access1#sh runn interface FastEthernet2/0.80
Building configuration...

Current configuration : 281 bytes
!
interface FastEthernet2/0.80
description VLAN Link for Outside-Internet
encapsulation dot1Q 80
ip address 1.2.4.4 255.255.255.0 secondary
ip address 1.2.3.4 255.255.255.0
standby 80 ip 1.2.3.1
standby 80 ip 1.2.4.1 secondary
standby 80 priority 210
end

3845_Access1#

Ok, oops, never mind. I am using the same HSRP process for multiple IP addresses that are assigned to the interface. Doesn’t matter anyway, this router is a, , router. I don’t think it has this limitation that the 6509 and 3550, eh, , switches have. If this had been on a 6509 it would be safe(r) since both IP ranges are running on the same HSRP process.

Some other things to note….

Q. What is the implication of the use of the same HSRP group ID on multiple interfaces?
A. When you define the same HSRP group ID on multiple interfaces, they all share the same HSRP virtual MAC address. In most modern LAN switches, there are no issues because they maintain a per-VLAN MAC address table. However, if your network contains any third party switches which maintain a system-wide MAC address table regardless of VLAN, you may experience problems. If VLANs are not specified to a HSRP group, the VLANs default to Group 0.

Q. What does the HSRP MAC address look like?
A. The HSRP MAC address is derived from the group number, and looks like this:
0000.0c07.acXX
XX is the HSRP group number.
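
Added example (not from the original post and not Cisco code): a small Python audit that counts the unique HSRP group IDs in a config against the 16-group limit, derives each group's virtual MAC from the 0000.0c07.acXX rule, and lists the interfaces that end up sharing one. The sample config, the function names and MAX_UNIQUE_GROUPS are constructed for illustration.

```python
import re
from collections import defaultdict

MAX_UNIQUE_GROUPS = 16  # Sup2/PFC2 limit quoted on this page (assumed name)

# Constructed sample config, modelled on the listings above.
SAMPLE_CONFIG = """\
interface Vlan165
 standby 165 ip 172.25.165.1
 standby 165 priority 110
interface Vlan166
 standby 166 ip 172.25.166.1
interface Vlan229
 standby 10 ip 172.25.229.1
interface Vlan230
 standby 10 ip 172.25.230.1
"""

def hsrp_virtual_mac(group):
    """Virtual MAC 0000.0c07.acXX, where XX is the group number in hex."""
    if not 0 <= group <= 255:
        raise ValueError("group must fit in one byte: %d" % group)
    return "0000.0c07.ac%02x" % group

def parse_groups(config):
    """Return {group id: [interfaces carrying 'standby [id] ip ...']}."""
    groups = defaultdict(list)
    iface = None
    for line in config.splitlines():
        m = re.match(r"interface\s+(\S+)", line)
        if m:
            iface = m.group(1)
            continue
        # A missing group number means group 0; "no standby ..." never matches.
        m = re.match(r"\s*standby\s+(?:(\d+)\s+)?ip\b", line)
        if m and iface:
            group = int(m.group(1) or 0)
            if iface not in groups[group]:  # 'secondary' lines repeat the group
                groups[group].append(iface)
    return dict(groups)

def audit(config, limit=MAX_UNIQUE_GROUPS):
    """Count unique groups and list virtual MACs used on several interfaces."""
    groups = parse_groups(config)
    shared = {hsrp_virtual_mac(g): ifs for g, ifs in groups.items() if len(ifs) > 1}
    return {"unique_groups": len(groups),
            "over_limit": len(groups) > limit,
            "shared_vmac": shared}

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG))
```

Any entry under shared_vmac is a virtual MAC that appears in more than one VLAN, which is the case the FAQ answer above flags for switches that keep a system-wide MAC address table.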


Captain says, Route Responsibly
