10 Replies Latest reply: Sep 19, 2011 6:07 AM by Todd

    Deploying the L2 /L3 Boundary at the Distribution Layer

    Todd

      Hello, when deploying the L2 /L3 Boundary at the Distribution Layer and distribution switches have L3 interlink it looks like Figure 58 here.

      VLANs 20, 140 use uplinks to the left distribution switch, VLANs 40, 120 use uplinks to the right distribution switch.

       

      Tell me please, how to switch HSRP default gateway to right distribution in case of uplink failure between left access and distribution switches (VLAN 20 failover)? Right distribution switch does not have any VLAN 20 if I'm correct.

       

      As there is L3 interlink and VLANs do not span switches - therefore HSRP failover not possible?

       

      ----

       

      If right distribution switch DOES have VLAN 20 as well, then in case of this failure between D and A on left side, both distribution switches will be Active for VLAN 20 (they will both lose HSRP hellos in VLAN 20). So the returning traffic might come on the wrong left side and be then dropped (directly connected VLAN20 down).

       

      Any ideas?

       

      Thank you.

        • 1. Re: Deploying the L2 /L3 Boundary at the Distribution Layer
          tnewshott

          In that diagram the links between the distribution and the access layer are Layer 2, with the inter-distribution link being Layer 3.  This means that both distribution switches must have all of the access VLANs defined on them, and here is why....

           

          This is typically referred to as a V-topology, since given the two distribution switches and any particular access switch, the L2 links form a V. HSRP communicates across multicasts for its hellos, which will be propagated from the active distro switch down to the access switch and then subsequently will be forwarded up to the standby distro switch.

           

          The idea behind the V topology is that if either the active distro switch or the link to the active distro switch goes down, the standby will notice the drop of hellos and will grat-arp the virtual MAC for the VIP and will then start forwarding traffic.

           

          Does that make more sense? If not, please let me know and we can try and clear up any other particular points.

          • 2. Re: Deploying the L2 /L3 Boundary at the Distribution Layer
            Brian

            Very nice explanation.  I used a sample configuration under the CCDP thread to basically say the same thing, but I do like how you articulated it in words so eloquently.

             

            Brian

             

            • 3. Re: Deploying the L2 /L3 Boundary at the Distribution Layer
              tnewshott

              Why thank you sir!  You taking the time to build the config such as you did is equally impressive though. 

              • 4. Re: Deploying the L2 /L3 Boundary at the Distribution Layer
                Todd

                Travis, yes then my second part:

                If right distribution switch DOES have VLAN 20 as well, then in case of this failure between D and A on left side, both distribution switches will be Active for VLAN 20 (they will both lose HSRP hellos in VLAN 20). So the returning traffic might come on the wrong left side and be then dropped (directly connected VLAN20 down).

                 

                Am I right this can/will happen?

                • 5. Re: Deploying the L2 /L3 Boundary at the Distribution Layer
                  tnewshott

                  Both Distribution switches will have all of the VLANs - that is how this works.  If you don't have the VLANs on both switches, you cannot fail over for L2 forwarding. 

                   

                  Yes, there is a failure potential. You can resolve that by tracking the uplink port for that access switch under the VLAN, so that if the port goes down, the SVI goes down as well.

                  • 6. Re: Deploying the L2 /L3 Boundary at the Distribution Layer
                    Todd

                    Well tracking would not help as it works by comparing self tracked priority to the priority of other HSRP member and this will be missing in this scenario.

                    In other words D would only decrease priority and that's it. It would be still Active with decreased priority and SVI 20 would not be shut down.

                     

                    Just to be on the same page, in posted figure:

                    -consider uplink from left A to left D fails - VLAN 20 affected

                    -left D and right D are at the moment both active for VLAN 20

                    -on Core there is traffic returning to host within VLAN 20

                    -Core sees summarized routes from both D

                    -Core selects left D to send this traffic on

                    SVI 20 should be down/down now - so traffic destined to VLAN 20 should be dropped. But if this is it, there is no real redundancy with this L3 interlink approach.

                    • 7. Re: Deploying the L2 /L3 Boundary at the Distribution Layer
                      tnewshott

                      Todd, I think you misunderstood me.  I meant using EOT: http://www.cisco.com/en/US/docs/ios/12_2t/12_2t15/feature/guide/fthsrptk.html

                       

                      By tracking the link state/line status of the local uplink on the distros, you can then shut down the SVI if the physical link goes down.  This then avoids the black hole issue if the SVI was being routed to dynamically. 

                       

                       

                       

                      With that said, any time you summarize you run the risk of black holing traffic, regardless of HSRP.  I would not advocate summarization in this case for the obvious reason which you've discovered.

                      • 8. Re: Deploying the L2 /L3 Boundary at the Distribution Layer
                        Todd

                        Travis,

                         

                        Thank you for this. Never heard of it and need to go thru that document.

                         

                        BTW, do you think this is the proper way, I mean is this how everyone is actually dealing with this routed distribution interlink? For me it looks more like a workaround and not native solution.

                        • 9. Re: Deploying the L2 /L3 Boundary at the Distribution Layer
                          tnewshott

                          With an L2 link between the distribution switches, you have to rely on STP (whatever variant you are running), and that adds another caveat to bring up.  STP root has to be where the HSRP Active (primary) will be, and when HSRP fails over, STP should as well. 

                           

                          With that said, with the L3 link between the devices, you avoid the STP issue and rely on EIGRP.  Cisco has done studies (which I'd have to look up to find, but I can if you'd like) that say for typical campus design, routed to the access via EIGRP with tuned timers results in quicker convergence than even the best deployment of RPVST+ (or any other L3 protocol for that matter). 

                           

                          FWIW the project I'm currently on, we're routing all the way to the access layer in the campus, so EIGRP controls it all.  Say hello to equal cost load balancing by default.

                          • 10. Re: Deploying the L2 /L3 Boundary at the Distribution Layer
                            Todd

                            Today had a chance to lab this on real switches. Well when VLAN is down HSRP tied with this SVI is down as well (well it's logical after all). So right D is then getting route via routing protocol running over interlink. Therefore this design is proven to be usable now.

                             

                            States on right D would be:

                            SVI: down/down

                            HSRP: Init unknown/unknown
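
The failure case discussed in this thread, as an added example that is not part of any poster's reply: a small Python model of the V topology with an L3 interlink, comparing what happens to core-to-VLAN-20 traffic when the SVI goes down with the failed uplink and when it stays up. The class, function names, priorities and the `svi_follows_uplink` switch are assumptions made for illustration; this is a simplified model, not switch behaviour captured from a device.

```python
from dataclasses import dataclass

@dataclass
class Distro:
    name: str
    priority: int                    # HSRP priority (assumed distinct per switch)
    uplink_up: bool = True           # L2 uplink to the access switch carrying VLAN 20
    svi_follows_uplink: bool = True  # assumption: SVI goes down/down when the uplink fails

    @property
    def svi_up(self) -> bool:
        return self.uplink_up or not self.svi_follows_uplink

def hsrp_states(left: Distro, right: Distro) -> dict:
    """HSRP state per switch; hellos only cross via the access switch (V topology)."""
    hellos_pass = left.uplink_up and right.uplink_up
    states = {}
    for me, peer in ((left, right), (right, left)):
        if not me.svi_up:
            states[me.name] = "Init"        # SVI down, so HSRP on it is down too
        elif hellos_pass and peer.priority > me.priority:
            states[me.name] = "Standby"
        else:
            states[me.name] = "Active"      # no peer heard, or highest priority
    return states

def deliver(entry: Distro, peer: Distro) -> list:
    """Path of a packet the core hands to `entry` for a host in VLAN 20."""
    if entry.svi_up:
        # Connected route is preferred; it only works if the uplink reaches the host.
        return [entry.name, "access"] if entry.uplink_up else [entry.name, "DROPPED"]
    if peer.svi_up and peer.uplink_up:
        # Connected route withdrawn; subnet learned from the peer over the L3 interlink.
        return [entry.name, peer.name, "access"]
    return [entry.name, "DROPPED"]

def scenario(svi_follows_uplink: bool):
    """Left access uplink fails; the core (summary routes) picks D-left for return traffic."""
    left = Distro("D-left", 110, uplink_up=False, svi_follows_uplink=svi_follows_uplink)
    right = Distro("D-right", 100)
    return hsrp_states(left, right), deliver(left, right)

if __name__ == "__main__":
    for follows in (True, False):
        print("SVI follows uplink:", follows, *scenario(follows))
```
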