HSRP/Etherchannel and Trunks

Wednesday, June 9th, 2010

This blog is going to be an attempt to lab up one of David Hucaby’s lab scenarios that he posted here: http://dhucaby.wordpress.com/2010/06/04/ccnp-switch-planning-topics/

I’m going to include as much detail as possible so you can follow every step of the way. Since I don’t have all the equipment in David’s scenario, I’m going to modify the diagram slightly, but not enough to throw anyone off.

Feel free to try this out before looking at my configs; it’s actually a pretty fun lab!

Before we begin, here’s the original information from his post:

A company has a network as shown in the network diagram. Switches A and B form the core, while C and D act as distribution switches. Switches A through D are already configured with working links and routing protocols.

Switch E is added into the access layer. It is connected to switches C and D by two uplinks each. Each pair of uplinks should be joined together as a single logical link using a standards-based approach.

Switch E needs to support two distinct groups of users in the Accounting and Engineering departments, to be placed on VLAN 10 and 20, respectively. Each VLAN needs to have a highly available gateway address using the .1 address in the appropriate subnet. The network should be configured such that the Accounting users normally pass over the link between switches C and E, while Engineering users pass over the link between D and E.

Do not change the routing configuration on switches A, B, C, or D, other than to advertise the new Accounting and Engineering subnets. Make sure that all uplinks are functioning and that users in the Accounting and Engineering subnets can ping the 192.168.199.10 server located in the data center.

And here are the steps to be taken to accomplish this task:

* Create VLANs – VLAN 10 for Accounting and VLAN 20 for Engineering
* VLAN extent – the VLANs should exist on Switch E, where the users live, and also on C and D, where the gateways and routing protocols live.
* EtherChannels – Bundle one pair of uplinks between C and E and another pair between D and E. For a standards-based EtherChannel, we need to use LACP.
* Trunks – VLANs 10 and 20 will need to be carried between switches C and E and between D and E.
* Layer 3 interfaces – We’ll need an interface vlan10 and an interface vlan20 to provide Layer 3 connectivity for the user subnets. Those will be configured on switches C and D.
* HSRP – To get highly available gateways on both VLANs 10 and 20, we’ll need to configure two different HSRP groups.
* HSRP load balancing – The two user groups need to normally pass over different uplinks. We’ll need to tune the HSRP priorities so that the gateways are split across the two distribution switches.
* Routing – We will need to add the new subnets into the network commands for the preconfigured routing protocols on switches C and D.

Before we begin, here’s my newly modified diagram to avoid any confusion with the original. This is what we will be working with.

Step #1: Create the VLANs!
Pretty straightforward: go on each switch and create identical VLANs 10 and 20.

SWITCH E
————————————-
SW-2950(config)#vlan 10
SW-2950(config-vlan)#name ACCOUNTING
SW-2950(config-vlan)#exit
SW-2950(config)#vlan 20
SW-2950(config-vlan)#name ENGINEERING
SW-2950(config-vlan)#exit

*note – We now apply some interfaces to each VLAN.

SW-2950(config)#int range fa0/9 - 16
SW-2950(config-if-range)#switchport access vlan 10
SW-2950(config-if-range)#exit
SW-2950(config)#int range fa0/17 - 24
SW-2950(config-if-range)#switchport access vlan 20
SW-2950(config-if-range)#exit

SWITCH C
————————————-
SW-3550-01(config)#vlan 10
SW-3550-01(config-vlan)#name ACCOUNTING
SW-3550-01(config-vlan)#exit
SW-3550-01(config)#vlan 20
SW-3550-01(config-vlan)#name ENGINEERING
SW-3550-01(config-vlan)#exit

SWITCH D
————————————-

SW-3550-02(config)#vlan 10
SW-3550-02(config-vlan)#name ACCOUNTING
SW-3550-02(config-vlan)#exit
SW-3550-02(config)#vlan 20
SW-3550-02(config-vlan)#name ENGINEERING
SW-3550-02(config-vlan)#end

Step #2: Configure EtherChannel
We set the ports on the 2950 access layer switch to LACP passive mode and the ports on the distribution layer switches (C & D) to LACP active mode. The active side initiates the negotiation and the passive side responds, so the bundles form using LACP, which is the standards-based protocol the scenario asks for. Only the 2950 switch needs to have two port-channel groups.


SWITCH E (CREATE ETHERCHANNEL GROUPS 1 AND 2)
——————————————————————–
SW-2950(config)#int port-channel 1
SW-2950(config-if)#description CHANNEL-GROUP-1
SW-2950(config-if)#exit
SW-2950(config)#int port-channel 2
SW-2950(config-if)#description CHANNEL-GROUP-2
SW-2950(config-if)#exit

SW-2950(config)#int fa0/1
SW-2950(config-if)#channel-group 1 mode passive
SW-2950(config)#int fa0/2
SW-2950(config-if)#channel-group 1 mode passive

SW-2950(config)#int fa0/3
SW-2950(config-if)#channel-group 2 mode passive
SW-2950(config)#int fa0/4
SW-2950(config-if)#channel-group 2 mode passive

SWITCH C (CREATE ETHERCHANNEL GROUP 1)
——————————————————————–
SW-3550-01(config)#int port-channel 1
SW-3550-01(config-if)#description GROUP-CHANNEL-1
SW-3550-01(config-if)#exit

SW-3550-01(config)#int fa0/1
SW-3550-01(config-if)#channel-group 1 mode active
SW-3550-01(config-if)#exit

SW-3550-01(config)#int fa0/2
SW-3550-01(config-if)#channel-group 1 mode active
SW-3550-01(config-if)#exit

SWITCH D (CREATE ETHERCHANNEL GROUP 2)
——————————————————————–

SW-3550-02(config)#int port-channel 2
SW-3550-02(config-if)#description CHANNEL-GROUP-2
SW-3550-02(config-if)#exit

SW-3550-02(config)#int fa0/1
SW-3550-02(config-if)#channel-group 2 mode active
SW-3550-02(config-if)#exit

SW-3550-02(config)#int fa0/2
SW-3550-02(config-if)#channel-group 2 mode active

Step #2a: We now go back to Switch E to verify port channel groups 1 & 2
(to keep the output short, I’m only showing what’s important)
SW-2950#sh int p1 etherchannel
Port-channel1   (Primary aggregator)

Number of ports = 2
Protocol  =   LACP

Ports in the Port-channel:

Index   Load   Port     EC state        No of bits
------+------+------+------------------+-----------
0     00     Fa0/1    Passive            0
0     00     Fa0/2    Passive            0

SW-2950#sh int p2 etherchannel
Port-channel2   (Primary aggregator)

Number of ports = 2
Protocol   =   LACP

Ports in the Port-channel:

Index   Load   Port     EC state        No of bits
------+------+------+------------------+-----------
0     00     Fa0/3    Passive            0
0     00     Fa0/4    Passive            0

Also it’s important to check the actual port-channel interface status.

SW-2950#sh int p1
Port-channel1 is up, line protocol is up (connected)
Hardware is EtherChannel, address is 0007.eca9.e981 (bia 0007.eca9.e981)
Description: CHANNEL-GROUP-1
MTU 1500 bytes, BW 200000 Kbit, DLY 1000 usec,

Members in this channel: Fa0/1 Fa0/2

SW-2950#sh int p2
Port-channel2 is up, line protocol is up (connected)
Hardware is EtherChannel, address is 0007.eca9.e984 (bia 0007.eca9.e984)
Description: CHANNEL-GROUP-2
MTU 1500 bytes, BW 200000 Kbit, DLY 1000 usec,

Members in this channel: Fa0/3 Fa0/4

Notice the BW shows 200000 Kbit and also the Members in the channel. This helps to further verify your etherchannel is properly configured.
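
The Trunks item from the task list, written out explicitly for the two port-channels instead of leaving the ports to negotiate. This is an added example, not the author's lab configuration, and the allowed-VLAN list assumes only VLANs 10 and 20 need to cross the uplinks.

```cisco
! Added example. Settings applied to a Port-channel interface are
! inherited by its member ports.
!
! Switch E (SW-2950): Po1 goes to Switch C, Po2 goes to Switch D.
! The 2950 trunks with 802.1Q only, so it has no encapsulation command.
interface Port-channel1
 switchport mode trunk
 switchport trunk allowed vlan 10,20
 switchport nonegotiate
!
interface Port-channel2
 switchport mode trunk
 switchport trunk allowed vlan 10,20
 switchport nonegotiate
!
! Switch C (SW-3550-01): the 3550 must have its encapsulation fixed
! before it accepts "switchport mode trunk".
interface Port-channel1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20
 switchport nonegotiate
!
! Switch D (SW-3550-02)
interface Port-channel2
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20
 switchport nonegotiate
!
! Assumption: the switches are not managed in-band over another VLAN.
! If they are, add that VLAN to the allowed list on both ends.
!
! Verify on each switch:
!   show interfaces trunk
```

After this, `show interfaces trunk` should list Po1 and Po2 as trunking with only VLANs 10 and 20 allowed.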

Step #4: Configure HSRP
What we want to do here is load balance the traffic from both VLANs as well as provide gateway redundancy. By configuring the priority settings in HSRP, we can direct VLAN 10 traffic primarily to Switch C and VLAN 20 traffic to Switch D. Each switch will then be the standby gateway for the other in case one fails.

CREATE ACTIVE GATEWAY ON SWITCH D FOR VLAN 20
SW-3550-02(config)#int vlan 20
SW-3550-02(config-if)#ip address 192.168.20.2 255.255.255.0
SW-3550-02(config-if)#standby 20 ip 192.168.20.1
SW-3550-02(config-if)#standby 20 priority 110
SW-3550-02(config-if)#standby 20 preempt
SW-3550-02(config-if)#standby 20 auth cisco

CREATE STANDBY GATEWAY ON SWITCH D FOR VLAN 10
SW-3550-02(config)#int vlan 10
SW-3550-02(config-if)#ip address 192.168.10.3 255.255.255.0
SW-3550-02(config-if)#standby 10 ip 192.168.10.1
SW-3550-02(config-if)#standby 10 priority 100
SW-3550-02(config-if)#standby 10 preempt
SW-3550-02(config-if)#standby 10 auth cisco

CREATE ACTIVE GATEWAY ON SWITCH C FOR VLAN 10
SW-3550-01(config)#int vlan 10
SW-3550-01(config-if)#ip address 192.168.10.2 255.255.255.0
SW-3550-01(config-if)#standby 10 ip 192.168.10.1
SW-3550-01(config-if)#standby 10 priority 110
SW-3550-01(config-if)#standby 10 preempt
SW-3550-01(config-if)#standby 10 auth cisco

CREATE STANDBY GATEWAY ON SWITCH C FOR VLAN 20
SW-3550-01(config)#int vlan 20
SW-3550-01(config-if)#ip address 192.168.20.3 255.255.255.0
SW-3550-01(config-if)#standby 20 ip 192.168.20.1
SW-3550-01(config-if)#standby 20 priority 100
SW-3550-01(config-if)#standby 20 preempt
SW-3550-01(config-if)#standby 20 auth cisco
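
The same four HSRP groups with MD5 authentication in place of the plain-text string `cisco`, which is carried unencrypted in every hello. This is an added example, not the author's lab configuration; it assumes an IOS release that supports HSRP MD5 authentication, and the key strings are placeholders.

```cisco
! Before (as configured in the lab): plain-text authentication.
! "cisco" is also the HSRP default string, so it authenticates nothing.
!   standby 10 authentication cisco
!   standby 20 authentication cisco
!
! After: keyed MD5 authentication. <HSRP-KEY-VLAN10> and
! <HSRP-KEY-VLAN20> are placeholders; both peers of a group must be
! given the same key. Priorities and preempt stay as in the lab.
!
! Switch C (SW-3550-01): active for VLAN 10, standby for VLAN 20
interface Vlan10
 standby 10 ip 192.168.10.1
 standby 10 priority 110
 standby 10 preempt
 standby 10 authentication md5 key-string <HSRP-KEY-VLAN10>
!
interface Vlan20
 standby 20 ip 192.168.20.1
 standby 20 priority 100
 standby 20 preempt
 standby 20 authentication md5 key-string <HSRP-KEY-VLAN20>
!
! Switch D (SW-3550-02): active for VLAN 20, standby for VLAN 10
interface Vlan10
 standby 10 ip 192.168.10.1
 standby 10 priority 100
 standby 10 preempt
 standby 10 authentication md5 key-string <HSRP-KEY-VLAN10>
!
interface Vlan20
 standby 20 ip 192.168.20.1
 standby 20 priority 110
 standby 20 preempt
 standby 20 authentication md5 key-string <HSRP-KEY-VLAN20>
!
! Verify on both switches that each group still has one active and
! one standby router:
!   show standby brief
```

Change both peers of a group in the same window: while the authentication settings differ, each switch discards the other's hellos and both claim the active role.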

Step #5: Router Configuration
We must now advertise our newly created subnets to the rest of the network.

Since I’m not entirely sure what routing protocol is used, I’m assuming it would either be EIGRP or OSPF. Since the scenario seems to be going with an open standard theme, I’m going to choose OSPF. All we’re going to do is add the two networks to our OSPF configuration so it can properly advertise them. (192.168.10.0 and 192.168.20.0)

Just configure this on both switches. The 0.0.0.255 wildcard makes each network statement match any interface address in the /24, which is what picks up the SVI addresses (.2 and .3).

SW-3550-01(config)#router ospf 1
SW-3550-01(config-router)#network 192.168.10.0 0.0.0.255 area 0
SW-3550-01(config-router)#network 192.168.20.0 0.0.0.255 area 0
SW-3550-01(config-router)#end

SW-3550-02(config)#router ospf 1
SW-3550-02(config-router)#network 192.168.10.0 0.0.0.255 area 0
SW-3550-02(config-router)#network 192.168.20.0 0.0.0.255 area 0
SW-3550-02(config-router)#end

Step #6: PING verification
What we want to do here is ping the SVI interface for each VLAN, and then ping through that SVI to get to the 192.168.199.10 server that is hanging off somewhere in the distribution layer.

RTR-1720 resides on VLAN 20.


What I wanted to do was ping both physical interfaces as well as the active gateway interfaces. Notice the first ping didn’t go through, due to ARP’ing. It eventually finds its way to the correct SVI.

RTR-1720#ping 192.168.20.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.20.3, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/4 ms
RTR-1720#ping 192.168.20.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.20.2, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/2/4 ms
RTR-1720#ping 192.168.20.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.20.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

RTR-1811 resides on VLAN 10.

Again notice the first pings don’t go through, due to ARP’ing. They eventually find their way to the correct SVI.

Router#ping 192.168.10.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.1, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/4 ms

Router#ping 192.168.10.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.2, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/4 ms
Router#ping 192.168.10.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.3, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/4 ms

PING HOST 192.168.199.10
I contacted David to find out what he had in mind for this host and network. Basically, he just wanted the end user to be able to traverse its SVI and reach this network via the distribution server. So I went ahead and created a layer 3 switchport (routed port) on one of the interfaces of the sw-3550-01 and sw-3550-02 switches, and pings were successful from any host on VLAN 10 or 20.

Because I was running out of L3 switches, I modified the layout a bit. Instead of the core switches (A & B), I used one switch: a basic 2912XL in the middle, which both switch C & D connected to. I then connected a 3620 router to it and gave its ethernet 0/1 interface the IP address 192.168.199.10.

SW-3550-01(config)#int fa0/11
SW-3550-01(config-if)#no switchport
SW-3550-01(config-if)#ip address 192.168.199.1 255.255.255.0
SW-3550-01(config-if)#no shut

SW-3550-02(config)#int fa0/11
SW-3550-02(config-if)#no switchport
SW-3550-02(config-if)#ip address 192.168.199.1 255.255.255.0
SW-3550-02(config-if)#no shut

*note – I did not have both distribution switches UP at the same time during this testing. This was my way of testing that both VLANs can get to 192.168.199.10, which they were able to. It also tested and re-confirmed that HSRP was working.

Conclusion

This was an extremely fun lab to configure. Hopefully others out there can slap a lab together like this and play with the configs. It’s quite a doozie and covers a lot of topics in one shot. It’s quite a learning experience and definitely worthy of labbing out. You’ll quickly realize what you know and what you “think” you know. In any event, I believe I have configured this lab to the best of my abilities with regards to available equipment. I hope to be able to do many more labs down the road!

If anyone has any questions or comments please let me know! (especially if there are any typos or mistakes)



  • ciscokid

    Hi Brandon,

    Thanks for posting this up. I am following David's blog and looks like I will also be following yours from now on.

    I have one quick question, please forgive me if I have missed something, but your 4th point says “Trunks” and I cannot see any switchport mode trunk configuration commands in your example. Should these be in here or are they not needed as you have configured the etherchannel between the switches?

  • brandontek

    Hi,

    Thanks for the comments and good catch! The switchports were all left at default settings. So this meant their modes were “dynamic desirable”. So by connecting the endpoints together, the trunks naturally formed.
    Since we created the port interface for the etherchannel, I believe if you were to issue the command “sh int trunk”, it would show you the ports that are trunking which would be P1 and P2.

    Hope that helps and I should have clarified that in the post.
