3 Replies Latest reply: Nov 14, 2017 12:17 AM by eddylynx

    HSRP two groups for one interface

    karthik

      Hello Everyone,

       

      We have an internet gateway setup like below.

       

      Core Switches -> Firewalls -> DMZ switches -> Internet gateway routers.

       

       

      We have a Vlan111 on both DMZ switches with interfaces connected to Firewalls (FW1 interfaces connected to DMZSW1 vlan111 and FW2 interfaces connected to DMZSW2). Also, we have a connection between DMZ switches.

      Router 1 connected to DMZSW1 alone. Router 2 connected to DMZSW2 alone.

       

      Note: We have enabled HSRP on DMZ Switches only for vlan111. Under VLAN interface configuration, we have two groups configured with different Virtual IP addresses and priorities.

      Question:

      What is the purpose of two HSRP groups for the same VLAN interface, being Active for one group and Standby for another group, to take the traffic from Firewalls? VLAN has two physical Gig interfaces towards firewalls.

       

      Running config:


         

      DMZSW02#show run int vlan111
      Building configuration...

      Current configuration : 414 bytes
      !
      interface Vlan111
       description to Firewalls pub_x.x.48.0/24
       ip address x.x.48.3 255.255.255.0
       no ip redirects
       no ip proxy-arp
       standby 1 ip x.x.48.1
       standby 1 timers 2 5
       standby 1 priority 90
       standby 1 preempt
       standby 1 authentication karthik
       standby 2 ip x.x.48.5
       standby 2 timers 2 5
       standby 2 priority 105
       standby 2 preempt delay minimum 10
       standby 2 authentication karthik
      end

       

       

      DMZSW02#show standby vlan 111
      Vlan111 - Group 1
        State is Standby
          10 state changes, last state change 2d11h
        Virtual IP address is x.x.48.1
        Active virtual MAC address is 0000.0c07.ac01
          Local virtual MAC address is 0000.0c07.ac01 (v1 default)
        Hello time 2 sec, hold time 5 sec
          Next hello sent in 0.256 secs
        Authentication text, string "karthik"
        Preemption enabled
        Active router is x.x.48.2, priority 105 (expires in 4.464 sec)
        Standby router is local
        Priority 90 (configured 90)
        Group name is "hsrp-Vl111-1" (default)

      Vlan111 - Group 2
        State is Active
          2 state changes, last state change 20w4d
        Virtual IP address is x.x.48.5
        Active virtual MAC address is 0000.0c07.ac02
          Local virtual MAC address is 0000.0c07.ac02 (v1 default)
        Hello time 2 sec, hold time 5 sec
          Next hello sent in 0.144 secs
        Authentication text, string "karthik"
        Preemption enabled, delay min 10 secs
        Active router is local
        Standby router is x.x.48.2, priority 90 (expires in 4.256 sec)
        Priority 105 (configured 105)
        Group name is "hsrp-Vl111-2" (default)

       

      Thanks in advance.

       

      Regards,

      Karthik

         
        • 1. Re: HSRP two groups for one interface
          eddylynx

          Hello Karthik,

           

          This configuration / setup is called Multigroup HSRP (MHSRP) and allows you to use multiple links at the same time if they are available; so in essence do load sharing on the links.

           

          In your design, if you had used just a single group, only one of your DMZ switches would have been active for VLAN 111 and all traffic would have moved through the single switch and the router connected to it (say DMZSW1 -> Int GW1). The other leg (DMZSW2 -> Int GW2) would have just been idle until DMZSW2 becomes active for vlan 111.

           

          When you do MHSRP, both DMZ Switches become active for the VLAN 111 using different groups but the same network. As such, both links from DMZ Switches to Internet Gateways can be used. If you are using the DMZ switches (int vlan 111) as a gateway for hosts in VLAN 111 (which is what you would be doing), part of those hosts will use a default gateway of x.x.48.1 (send your traffic towards DMZSW1) and the other part x.x.48.5 (send your traffic towards DMZSW2).

           

          Of course, if there is a failure of any of the DMZ switches, the other takes over the Virtual IP so you don't need to be changing the default gateway of your hosts.

           

          Regards.

          • 2. Re: HSRP two groups for one interface
            karthik

            Hi Eddylynx,

             

            "if there is failure of any of the DMZ switches, the other takes over the Virtual IP so you don't need to be changing the default gateway of your hosts."

            In this case, will HSRP be in active state for both groups and use both VIPs to forward, or will the primary group (HSRP instance) VIP be used to forward all the traffic?

             

            Thanks,
            Karthik

            • 3. Re: HSRP two groups for one interface
              eddylynx

              Hello Karthik,

               

              For example, if DMZSW1 goes off, DMZSW2 will take over the Virtual IP of Group 1 and be active for Group 1. It will still be active for Group 2. So you wouldn't have to change the default gateway of any host. Hosts with default gateway of x.x.48.1 and x.x.48.5 will then forward to DMZSW2 because it will be active for both Group 1 and Group 2.

               

              Regards.
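
Added example, not part of the original thread: a small Python check that parses `show standby` output and reports whether a switch is sharing load (active for only some groups, as in the posted output) or carrying every virtual IP (as after the peer failure described in reply 3). The function names, the verdict labels and the peer-down sample are assumptions made for this illustration.

```python
import re

# 'show standby vlan 111' from DMZSW02 as posted, trimmed to the parsed fields.
POSTED = """\
Vlan111 - Group 1
  State is Standby
  Virtual IP address is x.x.48.1
  Priority 90 (configured 90)
Vlan111 - Group 2
  State is Active
  Virtual IP address is x.x.48.5
  Priority 105 (configured 105)
"""
# Constructed sample (not from the thread): DMZSW02 after DMZSW1 has failed.
PEER_DOWN = POSTED.replace("State is Standby", "State is Active")

FIELDS = {"state": r"State is (\w+)", "vip": r"Virtual IP address is (\S+)",
          "priority": r"Priority (\d+)"}

def parse_standby(text):
    """Return {group number: {state, vip, priority}} from 'show standby' text."""
    groups, cur = {}, None
    for line in map(str.strip, text.splitlines()):
        if m := re.match(r"\S+ - Group (\d+)$", line):
            cur = groups.setdefault(int(m.group(1)), {})
        for key, pattern in FIELDS.items():
            if cur is not None and (m := re.match(pattern, line)):
                cur[key] = m.group(1)
    return groups

def role_summary(groups):
    """Return (verdict, virtual IPs this switch is currently forwarding for)."""
    if not groups:
        raise ValueError("no HSRP groups found in output")
    active = sorted(g for g, v in groups.items() if v.get("state") == "Active")
    if len(active) == len(groups):
        verdict = "carrying-all"   # peer is down, or priorities are not split
    elif active:
        verdict = "load-sharing"   # active for only part of the groups
    else:
        verdict = "idle"           # standby for every group
    return verdict, [groups[g].get("vip") for g in active]

if __name__ == "__main__":
    for name, sample in (("posted", POSTED), ("peer down", PEER_DOWN)):
        print(name, role_summary(parse_standby(sample)))
```

A "carrying-all" verdict on a switch that normally reports "load-sharing" means both virtual IPs have converged on one switch and one uplink path.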