I am running HSRP on three 4506 switches..S1(active) S2( standby) and S3(listen)..S1 is active for all the vlansRight now, I wanted to make S3 active for two vlans: vlan 10 and 19What would be the impact to the end hosts?Also, can you tell me why the arp is not syncing for all the three devices? [code]
View 4 RepliesI am working on two Nexus 7010 with 5.1.5 NX-OS version. I configure HSRP traditionnaly, Nexus 1 with a priority of 200 and Nexus 2 with a priority of 100 for all vlan.
When I change the priority of a vlan to 200 to 50 for example, Nexus 2 become active and Nexus 1 standby. The problem is that when I do a traceroute from a PC the packet take the Nexus 1 as defaut gateway all the time.....
For information I have a peer link between the 2 Nexus for vPC.
Normally when we do HSRP with vPC on N7K the device will be Active/Standby in control plane but it will be Active/Active in data plane. In this case any traffic reach to standby device it can forward traffic directly to uplink which is not my desire. My goal is all traffic should pass through active (control plane) device in every case unless active device totally dead. So Is it possible for Nexus 7000 to be HSRP Active/Standby in Data Plane ?
View 4 Replies View RelatedI have been reading several posts in this forum to try to understand ACL behaviour on a standby HSRP 6500, I would be glad to get this cleared.I have two 6509 running HSRP for all Vlans...I created VLAN 100 with standby ip address 192.168.1.129 255.255.255.128
Active 6509 (SW01) ip is 192.168.1.130/25, priority 120
Standby 6509 (SW02) ip is 192.168.1.131/25
I have created a DHCP server on the standby 6509 only on the same VLAN 100 with a defaul router of 192.168.1.129 (i.e. the hsrp vip). I connected a pc directly to the ethernet port on the standby 6509 and put it under VLAN 100 and it obtained its ip 192.168.1.200 from the ios dhcp.Now I want to restrict this PC (and any other on its subnet) to access only a remote server 172.168.10.10 and nothing else. I have created the following access list, allowing traffic to the remote server, ospf and hsrp updates,ios dhcp...
Extended IP access list SWRES
10 permit ospf any any log (172 matches)
20 permit ip any host 172.168.10.10
30 permit ip any host 224.0.0.2
40 permit udp any host 255.255.255.255 eq bootpc
50 deny ip any any log (52 matches)
I have applied this ACL on both the 6509s under interface VLAN 100 ip access-group SWRES in
1. When I ping different subnets on the 6509s from the PC, I still receive icmp replies although I expected the acl to pass traffic destined for the remote server only. I do get deny log messages on the Active 6509, but not on the standby 6509 where the PC is connected.
2. Is permitting bootpc in the acl enough for IOS DHCP server and client operation? Do i need to explicitly permit access to the defaul-router configured in the DHCP, which happens to be the VLAN 100 gateway ip and hsrp vip as well (192.168.1.129)
3. I do get deny logs on both the 6509s from the PC trying to access the local VLAN 100 broadcast address on ports 137, 138.
%SEC-6-IPACCESSLOGP: list SWRES denied udp 192.168.1.200(137) -> 192.168.1.255(137)
I have my hsp setup where switch A and switch B share active/standby roles among several vlans. In the last few weeks, i have seen trouble tickets where connectivity is lost and upon investigation i discover that i can ping physical interface IP addresses for both standby and active devices but not the standby IP. I have also validated configurations and layer 2 paths and they haven't been broken.
What I end up doing is failover to the standby device and back and the problem clears, reachability is restored. My question is whether I am solving this the right way. If so, what is it that would cause the standby IP to not be reachable and how does my solution fix that? N/B the switches are catalyst 6509's.
I have router connected to 2 3550 switches directly. 3550A and B switches are running HSRP. OSPF is running between Router and 2 switches.
From Switch B i can ping the Router Wan interface but not the internet sites. from Switch A i can ping any sites?
Switch B
3550SMIB# sh ip routeCodes: C - connected, S - static, R - RIP, M - mobile, B - BGP D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area N1
[Code]......
If I setup 4948E's in HSRP configuration. And I connect devices to the Standby Unit that do not require redundancy. Will there be any issues passing traffic? I don't believe that standby unit blocks the traffic but wanted to confirm.
View 5 Replies View RelatedI have 2 6509 chasis with one SUP720-3B in each and current IOS is s72033-ipservicesk9_wan-mz.122-18.SXF4 and 2 FWSM with version is 3.3.1 I need to upgrade FWSM system software to 4.1, after checking FWSM 4.1 release notes, I thought of upgrading IOS to latest version to 12.2(33)SXJ.I got new 2 CF of 512MB and downloaded the new IOS on them and need to upgrade 6509 IOS first to meet the requirement for FWSM upgrade.
View 1 Replies View RelatedI went through the configuration guide for 4500 series switches for NSF/SSO for failover between Sup's. I just wanted to know that that are we supposed to run the SSO command on both of the supervisors? Secondly, are we only supposed to run the nsf process under EIGRP on the secondary supervisor and routing peers and not on the primary supervisor?
View 2 Replies View RelatedWe are expanding out LAN network with more 2960 access switches. All the access switches are suppose to be connected to core switch (4507R) but i have less port on the core switch.
On the core switch we have two supervisor engines (WS-X4515 ---description : "Supervisor IV with 2 1000BaseX GBIC ports"). I can see that on each supervisor engine i have two 1 GB SFP ports available and if i calculate for two supervioser engine i will have 4 1GB ports.
But at particular time only one supervisor engine is active and other is in standby mode (redundancy mode used is SSO between two SUP engines).
Can i used all 4 SFP ports for connecting 4 uplinks to the 4 access switch?Will all the 4 SFP ports active at one time or only 2 SFP ports will be active that is for only active supervisor engine.
I was upgrading IOS on 4507 R with dual supervisor.I download the IOS on Active supervisior and did reboot.After reboot i login to switch then i got switch standby prompt.I found that after reboot active supervisior became standby supervisior.
Now new IOS is on standby supervisior.Need to confirm below..So this means that IOS does not syn within the supervisiors as compared to config right ?
-Which command i can use that will copy IOS from standby supe to Active supe??
-Which command i can use that will show both active and standby supe with new IOS?
-Is there any command that i can use to switchover from active to standby supe??
After rebooting a pair of 6504's configured for vss, both switches show active on the sup modules. A show switch virtual redundancy however shows the pair working in an active/standby mode. We have 6509's in vss pairs and they show active on switch1 and standby on switch2 led's. For the 6504's switch 1 was booted first and then the second switch about 30 seconds later. Is there something different with the 6504's? [code]
View 4 Replies View Relatedi have a strange issue with an HSRP Setup. I have two (S1+S2) 3560 as Core/Distribution Layer. Inter-vlan routing are enabled on both Switches. S1 and S2 are connected with an ether channel over four fibre ports. S3 -S5 are the (L2) access layer.
Gi0/1 on S1 and S2 are L3 ports, connect to a Linux Firewall.
HSRP is enabled, S1 is the active router and the STP root bridge.
But, my monitoring via cacti show me, that the Gi0/1 on S2 is active, too! But it should not be active? Only if S1 fails, should S2 the active switch.A client from the access ports on S3 - 5 gets traffic from the Internet via Gi0/1 from S2. Gi0/1 on S1 is active too, but will send mostly traffic to the Internet. Why is S2 active and why route it traffic from the Internet to the client?
I have cisco 4510R L3 switch with installed 2 Sup on slot 5 and 6. the current active Sup is in Slot5 i want to make active Sup6 in slot 6 which is currently standby sup in chassis. Is there any way to make standby Sup to ACTIVE without reloading any of the Supervisor. however there is two way as per my understanding -
1. we can reload the active Sup so that standby Sup will take charge. - (redundancy reload shelf)
2. we can focefully switchover the state of Sup's by (redundancy forcefully swithover) but in above both cases reload will be performed by one of the supervisor. which i don't want.
I have a pair of ASA 5520s operating in failover pair as active/standby, having two contexts on them. I am planning to share the load and make it active/active making first context active on the primary unit and second context active on the secondary unit. My question is if this will disrupt any connectivity thru these firewalls when I do "no failover" on the active/standby and assign the contexts to different failover groups and enable the failover back.
View 6 Replies View RelatedI faced one problem in our core switch 4507 R . Active sup lost connection and standby came active. We got lot of errors/alerts on console shown below. [Code] Also when I reloaded the switch with reload command only both sups got reloaded but I want to reload all the modules but reload command do not gives any options for that.
View 2 Replies View RelatedI m a Network engineer in company, we have around 800 users in the office.Below is the details of my network infra.We have 4506 chasis with IOS version of 12.4 (44r) SG3HSRP is configured for redundancy.HSRP is configured on VLAN besis
The problem that HSRP is not working working properly, When my active VLAN goes down, Standby VLAN act as a Active VLAN but traffice is fail to route trought that VLAN and i m not able to ping another vlan from that VALN.
Adding a vlan 820 to existing port channel trunk which currently allows many vlans. What is the best way to add vlan820 with least impact to network. Portchannels from 6513 core with IOS to Nexus 5k,Copy existing vlans, add 820 and paste under: switchport trunk allowed vlan 1,2,5,12,20,820
View 6 Replies View RelatedWe plan to implement a large number of ACL on our Distribution switch which is a HSRP pair of 6509C switches running on sup-bootflash:s72033-psv-mz.122-18.SXD3.bin WE need to divide the Network in three layers
unsecure layer
Proxy layer
Secure layer
We have approximately 250 vlans on the our distribution switches and plan to implement 15 ACL on different vlans Each ACL can contain upto 30 lines or less.
basic ACL example we will be applying on different vlan
vlan 200
ip access-group test123 in
My question is Can these ACL on a vlan can have a massive impact on the 6509 CPU ?
I have a query regarding the deletion and creation of one of my SVI interface on 6513 ,The reason behind it as follows.My traffic get to Internet in this manner
proxy(external int.)[IP:192.168.1.30] --> Gi0/9[6513 in VLAN 170] --> SVI VLAN 170[IP:192.168.1.10] --> Gi0/10[In VLAN 170] -->ASR[IP:192.168.1.20],I need to assign this VLAN ie 170 to my inside interface of firewall but it was mentioned in books like this "Assign the VLAN for the FWSM before it is applied to the MultilayerSwitch Feature Card (MSFC)." so I am thinking the following steps to assign VLAN 170 to firewall group first before creating SVI Interface for it
1.Remove all currently assign ie Gi 0/9 & Gi0/10 interfaces from this VLAN and then delete this VLAN.
2.Create the same SVI ie VLAN 170[IP:192.168.1.10] by this way the issue can be resolved.
As in part of my configuration PBR is define like this .
interface Vlan170
description "PUBLIC IP VLAN"
ip address 192.168.1.20. 255.255.255.0
ip policy route-map NAT
route-map NAT permit 10
match ip address 101
set ip next-hop 192.168.1.10
I need to clearify what impact it may have on PBR part if I delete and create the VLAN 170.Will the traffic move to the inside interface of FWSM.
I wanted to know if there is a way of upgrading the IOS on a stack of 6 - 8 3750's with minimal impact at reload. Is there a way to reload one member at a time?
View 3 Replies View RelatedI am trying to find out what the maximum amount of HSRP/Standby groups a Cisco 3945 will support. I found this link that I think says 256 URL.
View 6 Replies View RelatedThe 6509 Series Switches support the scenario VSS Active-Active Chassis, I would like to setup both switch's as one virtual switch but working at the same time, not with Active - Stand By Chassis.
My plans it to create PortChannel accross both Switches 6509 in order to have 2 links one connected to one slot/switch and the other connected to slot/switch in the second 6509 for servers redundancy.
I am working on a network which has two ISP connections (Active/Active) terminating on router (ASR1000). From the LAN side (6500 switch) all the traffic need to be route on ISP1 but some of the specific subnets like 10.250.0.0/16 need to be route on ISP2 connection.
I am planning to use PBR and NAT with route maps. any documents or refrences are provided.
(access switches)---------(core switch)----------(routers)----------------(ISP1)
----------------------(ISP2)
We are preparing to upgrade from LMS 3.2 where we run 2 seperate independant instances in seperate locations for redundancy. Each instance forwards syslog traps to a seperate Openview system in the associated location. Device updates are manually done on each system.
To reduce costs and administrative overhead we are considering switching to an active-standby environment when we upgrade to LMS 4.2 where the active system would forward traps to both Openview systems.
Any experience with an active-standby Ciscoworks LMS 4.2 environment, specifically; When one system becomes unavailable (due to network, system or application issues) is promoting the standby system to active automatic?How long does it take?
Does the standby system still monitor syslog events and initiate automated actions? Where the active system stops working or hangs and the standby system does not go active?
Are there any reliability issues with database updates or synchronization from the active system to the standby system? Is there a way to test communications from the standby system for new device turn-ups without making it active?
I would like to work with two ASA's 5550 in HA (Acitve-Standby) like perimetral firewalls and also work with another ASA 5540 but like a SSL VPN Remote Access to end users.Which will be the best topology to this scenary?. Perhaps i need to put the ASA 5540 SSL VPN together with the ASA's in HA directly in a port.
View 1 Replies View RelatedI'm not quite ready for the Automatic Failover feature that the ASA 5520 support. For now we have a cold stand by unit. I was wondering if I can change the mac addresses of the standby unit's interfaces to be exactly the same as the primary unit. I see an active/standby mac address section in ADSM, but I think that is used in the automatic failover function.
View 12 Replies View Relatedi have 2 ASA 5505 running 8.3(1) and ASDM 6.3(1).
the first unit is currently working, and i now wish to configure the second unit as standby. im configuring through the ASDM GUI. Started the HA Wizard, choose Active/Standby configuration and enter the IP of the peer device. checks come back all ok. On the LAN link configuration page (step 3of6) Interface is pre selected as VLAN99, I give it a logical name as iface_fail, and enter 10.0.0.1 as primary address and 10.0.0.2 as standby, subnet as 255.255.255.248, and select port Ethernet0/5
Note that if i click on the buttons next to the IP fields, i get IP addresses of remote hosts!.
I recently picked up two ASA5510s (ASA5510-SSL50-K9 & ASA5510-SEC-BUN-K) with intentions of creating an Active/Standy configuration. I'm receiving the error message "Mates' license (2 SSL VPN Peers) is not compatible with my license (50 SSL VPN Peers)", but I was under the impression that I didn't have to buy idential SSL VPN licenses post 8.2 in an Active/Standby configuration. am I missing a step that enables the license transfer(sharing?) feature to work correctly before the failover will build correctly?
View 6 Replies View RelatedI have a problem with failover. On My site I have 2 Firewalls 5580. And I did this configuration on my firewall.interface GigabitEthernet3/0description LAN/STATE Failover Interfacespeed nonegotiate.
View 5 Replies View RelatedI would like to ask you about ASA 5510 (Active/Standby). i have two ASA 5510 and i did configuretion failover and it is working ( Active / Standby) but my issue that when primary donw, the standby unit up to primary but the primary came back the standby unit it not switch to standby ( i mean it still up ) . if i want to primary up i type command ( failover active ) on primary unit , so i don't want use manul command i want it auto.Which command that make ASA failover when primary coma back? [code]
View 2 Replies View Relatedi read that you need only one L-ASA5510-SEC-PL for setting up a Active/Standby Failover. I installed the license on the 1st ASA and tried to setup the failover via the ASDM wizard. It always fails, because the 2nd device can't have a 'base' license.So does this mean, i really need another license?
View 5 Replies View RelatedI'm working on configuring two ASA 5520's in an Active/Standby configuration. I've got almost everything the same between the two units for AnyConnect to work expect the following two items:
AnyConnect Client Profiles
AnyConnect Client Software
If I upload the software manually to the Standby unit I get warning about them not being in sync and on the active unit if I do a 'write standby' it does not copy the profile or software.