VRRP

Similar Questions

• VRRP on 6224

  I read the Protocol VRRP implementation documents, and it seems pretty simple. The question I have is this:

  The switch updates the configuration of the backup/slave switch automatically when changes register to the startup-config? I basically just want to have a relief, I can move the cables in case of fault or failure of the main switch. I have not redundant L2/L3 in place as indicated in the documentation. If VRRP is not the way to go, I would like to just tips on how I can have the secondary switch receive config of switch without having to change the config at once, each time a change is made. Maybe I don't know what this is called.

  Any help would be appreciated!

  see you soon,

  Tim

  One option is to stack the switches.  You always have the paths of physical connection on two physical switches.  Where we went down, and then the other would still be online and passing traffic.

  In a stack, the config is updated when the similar to the process of VRRP backup.

• Design of switching two ISP and HSRP/VRRP

  Hey Cisco community,

  We have two ISP currently in use, divide us its routes to two routers with a sleep using HSRP active routers and also try VRRP. But the passive router / Eve cannot receive all packages in other ways we are testing using route determination.

  Is it possible to activate the active HSRP/VRRP configuration so that when a router is in standby mode or passive it can still receive packets from other routers.

  Please do not hesitate to suggest or comment

  Thank you

  Hello
  standby-passive router just wait for failure of the active router and then take the notes the active role.

  Try using GLBP (Gateway Load Balance Protocol) which can achieve what you mentioned above.

  Or you can configure two groups VRRP and 1 group first active router and 2nd group the second router will be active. And then, you statically configure hosts on the network who should use what virtual gateway. This isn't a smart solution.

  HSRP can balance only at the level of VLAN. This means that you need to divide your customers into multiple VIRTUAL LANs.

  Please anyone correct me if I'm wrong.

• Of VPN3000 VRRP

  Dear all,

  VPN3000 does support active VRRP?

  I am aware that the default is VRRP Active-Standby.

  Kind regards

  It is the owner. Only cisco vpn clients are load-balanced, although all members of load balancing clusters (not load balanced) accept any other connection on their own.

  Kind regards

• Issue of ASR9K - Upgrade 4.2.3 to 4.3.4 - VRRP

  Hi all

  After upgrading 4.2.3 to 4.3.4 when faulty configuration checking, I found the following question about VRRP:

  RP/0/RSP0 / CPU0:A9K - #sh configuration LAB02 failed start
  Mon May 5 16:24:19.094 WEST
  !! 15:13:09 UTC Monday, may 5, 2014
  !! The SEMANTIC ERRORS: This configuration was rejected by
  !! the system due to semantic errors. The individual
  !! errors with each configuration command has failed can be
  !! found below.
  
  router vrrp
  interface TenGigE0/0/0/0.3701
  ipv4 address family
  VRRP 1
  priority 200
  !! % "vrrp" detected the condition 'Warning' "Virtual MAC already in use on this port"
  timer 1
  !! % "vrrp" detected the condition 'Warning' "Virtual MAC already in use on this port"
  address 200.100.1.100
  !! % "vrrp" detected the condition 'Warning' "Virtual MAC already in use on this port"
  !
  !
  !
  !
  End

  According to bug CSCed75140, I expect this problem to be solved from 4.3.0...

  Any idea?

  THX,

  Pedro

  Pedro,

  There must be a bug missunderstand you cite is to improve the notification of error with this unsupported configuration, it does not the config caught in charge. Some details on this question since the release of bug notes:

   Problem Symptom: In a router running IOS-XR, configuring the same virtual router id(VRID) on multiple sub-interfaces of the same physical interfaces is NOT supported for HSRP/ VRRP Workaround: Use different virtual router id for the different sub-interfaces of same physical interface Further Problem Description: Example of unsupported config:  router vrrp interface GigabitEthernet0/5/0/38.175 vrrp 1 ipv4 10.186.0.1 ! interface GigabitEthernet0/5/0/38.176 vrrp 1 ipv4 10.186.0.9 ! !  If you have two groups configured with the same virtual router id, this means that they have the same virtual MAC address (as this is derived from the virtual router ID). When VRRP is in Master state, it installs an entry for it's virtual MAC in to the MAC filter for the interface over which it is running. However, it is not possible to program the MAC filter per sub-interface. Therefore if VRRP is running over a sub-interface it is the MAC filter of the underlying physical interface which is actually programmed (although VRRP has no way of being aware of this). If using the unsupported configuration, you have two Master groups with the same virtual MAC address on sub-interfaces of the same physical interface. In this case there will only be one MAC address installed in the filter of the physical interface. When one of these groups is removed by configuration or it transitions out of Master state, it removes its virtual MAC address from the MAC filter of the underlying physical interface meaning there is now no MAC address installed at all and the VRRP feature for the remaining Master group will no longer work. The root cause of the problem is that the MAC filter cannot be programmed per sub-interface.

• 3xSG500X-24 VRRP and G 10 GAL/BATTERY

  Hi, im interested to know if the following construction sensible and feasible:

  1. 3 SG500X interconnected via Cable SFP + 10 3 onto the stack. This is to get maximum troughput and unique management over all ports switch
  2. VRRP configuration on the 3 switches. This is to get a setup of router / Vlan redundant
  3. Connect 3-host ESX each with a dual port 10 GB SFP + for the switches. This configuration of ESX HA, so in the case 1 switch or 1 host fails the virtual machines will still be available (if failed host for all users, in the event of a failure of the switch for all users less users of the switch failed...

  

  4. If the schematized above scenario is possible, is there a way to control the bandwithd on ports of the battery to avoid saturation on the side of esx?

  Thanks for all the answers helpful and sorry for my English...

  Ulrich, you can set a limit for frequency of entry and exit.

  config t

  interface xg1/1/1

  rate-limit-

  In addition, it is access via GUI QOS-> General-> bandwidth

  -Tom

• L2TP/IPSec and VRRP on Cisco VPN3000

  Hello. I don't know if this is the right forum, please excuse me if this is not (of course a pointer to the right we'd appreciate it :)

  I'm experimenting with the implementation of VPN 3000 Concentrator series VRRP, and it seems that when the unit of "backup" takes over, no L2TP/IPsec tunnel can be established more.

  When the switch takes place, the backup device takes over VRRP group IP addresses, which are the IP address of the master own as well on VPN 3000. Thus, the backup unit manages two different IP addresses, its own ad group.

  Well, what I observed using a sniffer is that while the IKE/IPSec packets come well to the group address, L2TP packets are by IP address of the backup device physical and clear instead of be encapsulated in IPSec travel packages. The client computer (PC Windows 2000) clearly ignores the L2TP packets and no L2TP/Ipsec tunnel can be established. PPTP tunnels work, however.

  The foregoing does not occur when the VPN 3000 master works, like the VRRP group addresses are the same as its own interface addresses.

  Now, VPN 3000 documentation or TAC documents explicitly say that L2TP/IPSec and VRRP are incompatible, but they do not mention compatibility as well (although they do mention the VRRP Protocol PPTP compatibility).

  Did someone better informed than me? Is there a technical reason for the incompatibility between L2TP with VRRP, or it's a bug any?

  Thank you

  Roberto Patriarca

  This has proved quite recently and a high severity bug has been open about it and is currently under review.

  See http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCeb77328&Submit=Search for more details.

  Nice work well in the survey.

• VRRP with (er) strong authentication?

  It seems that IOS supports currently VRRP with simple text password authentication, only. Can a person from development comment on when we might see the stronger IP Authentication Header variant for VRRP security in IOS?

  You are right regarding the current VRRP with simple text password authentication. MD5 encryption supported VRRP version 2 will be integrated into the IOS around 2nd semester 2003.

  Thank you

  Christophe

• Redudancy VPN 3030 VRRP.

  Hello

  So I read on the redudancy VRRP 3030 in the example that I see on the site Web of Ciscos http://www.cisco.com/warp/public/471/vrrp.html it seems that I only need two ip addresses. The main hub uses both ip VRRP addy for its own interfaces and the actual address of VRRP. Where as the backup hub watches the VRRP address and guess what addy when it no longer, but he still has is own ip address for its interfaces.

  I can see the three address used for VRRP for ip address, virtual and two others for the physical interfaces on the segment. Has anyone else done this and I read this right?

  Unfortunaly I really do test this with the exception of a brief outtage window and want to make sure I have everything well.

  Thanks for the replies and I will note all.

  Patrick

  You read it right. I made a couple of these deployments, you can follow this guide to the letter.

• For the button routing rules backup in a VRRP/configuration topology

  Hello

  I would like to know which is the best solution to the following:

  A switch (5412zl) has a static route based 0.0.0.0 common to the firewall.
  The main switch is directly connected to the firewall via a standard rj-45 network cable.

  Should what type of routing configuration I on the emergency switch, so that the traffic passes to the firewall if the switch is not available?

  Thanks in advance for your help.

  Hello:

  You can also ask your question in the Forum of HP Business - section LAN routing Support

  http://h30499.www3.HP.com/T5/LAN-routing/BD-p/LAN-routing-Forum#.U5eFAP1OXGg

  or ProCurve switches section / focus on delivery.

  http://h30499.www3.HP.com/T5/ProCurve-provision-based/BD-p/switching-e-series-Forum#.U5eFL_1OXGg

• Topology change syslog, how to disable messages?

  I have a number of switches BNT/Lenovo (8124, 8052, 8264) and all are connected to our central syslog server. I have quite a few switches in the same vlan, and I get a lot of topology messages of change like this:

  2016 03-11 T 05: 39:01.143556 - 07:00 Mar 11 05:39:07 switch-1 ALERT switch OS : STG 44, changing topology detected

  I don't necessarily need to see this. I would like to delete this message without Gohan other messages such as the STP root bridge changes. Is this possible? These seem to be my options from the side of the switch:

  8052b Journal (config) #logging?
  all all
  BGP BGP
  cfg Configuration
  cfgchg Configuration change notify
  CLI command line interface
  Console Console
  difference of Configuration monitoring difftrak
  dot1x 802. 1 x
  failover failover
  Hyperlinks Hotlinks
  IGMP IGMP-Group
  IGMP-mrouter IGMP mrouter
  applicant applicant IGMP IGMP
  IP Internet protocol address
  IPv6 IPv6
  LACP Link Aggregation Control Protocol
  system port link
  LLDP LLDP
  management management
  MLD MLD
  NETCONF NETCONF Configuration Protocol
  Time protocol NTP network
  OpenFlow enable logging of Protocol Openflow
  OSPF, OSPF
  OSPFv3 Ospfv3
  private - vlan, private VLAN
  RMON remote monitoring
  Syslog server server
  SLP Service Location Protocol
  Spanning-tree-group group Spanning tree
  SSH Secure Shell
  System
  Vlag Virtual Link Aggregation
  VLAN, VLAN
  VM Virtual Machine
  VRRP Virtual Router Redundancy Protocol
  Web Web

  I looked in the CLI guide for "journal of logging", but all I get is the following:

  [None] Journaling log []
  Displays a list of the features for which syslog messages can be generated. You
  can choose to turn on or off specific features (such as VLANs, stg, or ssh).
  or enable/disable syslog on all available functions.
  Control mode: global configuration

  There is no detail on the option does what exactly.

  I know that I probably can filter messages from syslog server-side but I would rather start the level for the switch.

  Thank you.

  Today, there is no way to delete these specific messages.

  They should not be too many and are often very useful to determine the cause of a failure.

  In order to reduce drastically the TCN BPDU is to put all the host ports such as 'edge' or 'portfast '.

  This setting prevent BPDUS and messages production when a host disconnect or connect to the switch.

  Then, only the 'real' TCN is recorded and useful for diagnosis.

  Ciao, Maurizio.

• As redundant N3024 switch configuration

  Dear all,

  Hi, I just get N3024 Dell as a main switch and X 1026 access.

  I try to create the topology like this:

  

  VLAN 10: 10.10.10.xxx/24

  VLAN 20: 20.20.20.xxx/24

  VLAN 30: 30.30.30.xxx/24

  VLAN 40: 40.40.40.xxx/24

  Just try using the interface vlan each switch.

  Switch:

  IP routing

  interface VLAN 10

  10.10.10.1/24 IP address

  The interface VLAN 20

  20.20.20.1/24 IP address

  The interface VLAN 30

  30.30.30.1/24 IP address

  Interface port 2

  switchport mode trunk

  B switch:

  IP routing

  interface VLAN 10

  10.10.10.2/24 IP address

  The interface VLAN 20

  20.20.20.2/24 IP address

  The interface VLAN 30

  30.30.30.2/24 IP address

  I think that my config is far from complete and not best practices...

  My question is, what should I configure on each N3024 Dell, so all them VLAN can connected to the Internet? (can create the support for the ip address of the Sonic Wall port)

  Please please need your help.

  Thanks before.

  -The VRRP VLAN must be the same on both switches.

  -That the master switch must have control of the track in place.

  -The connection between the switch and the firewall must be that it is own VLAN and does not part of VLAN VRRP.

  Here is a diagram that I put in place, it could help clear up some confusion.

  

• VLAN voice N3048P and DHCP issues

  Hello

  I just received several switches for our N3048P and 2 x 4048 access layer - WE for our base layer. Are the N3048P VLT'd between two of 4048. There are 4 x N3048P of one on the other. The 4048 possess all gateways via VRRP.

  I have 802. 1 x works with my Windows client test, and I can get the phone (Cisco 7941) to acquire a DHCP address if I put it on a port "switchport mode access. However, if I change the port to a general port with vlan enabled voice and 802. 1 x, the phone does not have a DHCP address, but the PC attached to the phone Gets a DHCP address in the VLAN correct.

  I see CDP and LLDP messages exchanged via Wireshark, and it seems that the phone and the switch are to exchange the VLAN voice correctly.

  My question is, why the phone can't one address DHCP?

  Here's the relevant config of switch below. I know that some of the config can be duplicated for troubleshooting steps:

  VLAN 75
  the name 'Test '.
  output
  VLAN 76
  name "Test_Phones".
  output

  IP helper-address 1.1.1.3 dhcp
  IP helper-address 1.1.1.4 dhcp

  interface vlan 75
  IP 172.16.75.4 255.255.255.0
  IP helper 1.1.1.3
  IP helper 1.1.1.4
  output
  interface vlan 76
  IP 172.16.76.4 255.255.255.0
  IP helper 1.1.1.3
  IP helper 1.1.1.4

  AAA authentication local connection to "defaultList".
  radius of start-stop AAA accounting dot1x default
  control-dot1x system-auth
  radius AAA dot1x default authentication service
  AAA authorization network default RADIUS

  VLAN, VoIP

  source-ip 172.16.75.4 RADIUS server
  Server RADIUS 'key' key
  RADIUS-server host 1.1.1.1 auth
  primary
  name "rad1.
  use of 802. 1 x
  key 'key '.
  output
  RADIUS-server host 1.1.1.2 auth
  name "rad2.
  use of 802. 1 x
  key 'key '.
  output
  Server RADIUS acct 1.1.1.1 host
  name "rad1.
  output
  host server RADIUS acct 1.1.1.2
  name "rad2.
  output

  Gi2/0/1 interface

  Description '802. 1 x client port.
  spanning tree portfast
  spanning tree guard root
  switchport mode general
  switchport general allowed vlan add 75-76 the tag
  dot1x re-authentication
  dot1x quiet-period 5
  dot1x tx-period 5
  dot1x comments - vlan 20
  dot1x Informati-vlan 20
  LLDP transmit tlv ESCR-sys sys - cap
  LLDP transmit-mgmt
  notification of LLDP
  LLDP-med confignotification
  VLAN voice 76
  disable voice vlan auth
  output

  Thanks for any input you may have. I would like to know if there is any other information, I can provide.

  -Jason

  That ends up being the correct port configuration:

  Gi2/0/1 interface

  Description '802. 1 x client port.

  spanning tree portfast

  switchport mode general

  switchport General pvid 75

  VLAN allowed switchport General add 75

  switchport general allowed vlan add 76 tag

  dot1x port-control on mac

  dot1x re-authentication

  dot1x quiet-period 5

  dot1x timeout supp-timeout 15

  dot1x tx-period 5

  dot1x comments-vlan-deadline 15

  dot1x comments - vlan 20

  dot1x Informati-vlan 20

  VLAN voice 76

  disable voice vlan auth

  The most important line here is «the dot1x port-control on mac» I got 'auto control by port dot1x' configured, but it does not work as expected. In addition, defining the comments-vlan-period and supp-timeout were necessary. If the port was shot, the switch would not necessarily reauth port.

• S4048-ON - MLAG Question

  From the world of Cisco, I wanted to put two S4048s in a VSS mode.  Dell touts the MLAG via VLT abilities, but as far as I can tell, it is analogous to the Cisco Nexus VPC.  I'm therefore looking to separate control/management plans.  It is not possible to rethink the VSS as capabilities?  The reason why I ask, is I'm looking for high-times.  If I get only L2 abilities off SUVS, so I run VRRP between switches, but I am concerned about the convergence time.  I have not messed with VRRP a lot, but I was pretty happy with HSRP 2 convergence.  I can foresee periods of weak convergence with VLT + VRRP or should I consider going with a configuration of the stack instead?  Also, I used Cisco enough that I met of numerous warnings "featured".  Any configuration warnings, should I be aware of cases using the VLT or stacking?

  Well, I answered my question after his arrival in the whole of the additional documents (VLT).  What I'm looking for is "peer routing", which denies the necessity of VRRP.  If the two switches will actively transmit packets, instead to pass traffic through the VLTi.  There should not be problems of convergence as a result.  This is similar to Cisco VSS AFAIK, except control plans are separated on the side of Dell.

  I am still confused but problems with devices monoresident; See my post above.  I guess I can lab this place, but it is not clear in a scenario of equal routing, if these devices will be a problem.

• PowerConnect 6200 ACL does not seem to work

  Hello

  I have a total of four 6248 s two groups at different locations that are configured with VRRP + OSPF.  I tried to set up a simple ACL on either a VLAN to allow a portion of the traffic and block everything else, but I can't make it work.  I have tried many combinations to try to get this working, but so far without success.  It's just a simple ACL, which should allow the web/http traffic on the 10.1.30.100 server and blocks everything else.

  The only type of ACE that seem to work are either a "deny ip any any" or "permit ip any any" If you try an ACE with a destination host and subnet mask 0.0.0.0 it's just all this blocking.  Has anyone else had problems of the ACL or is it just my incompetence in preventing me from getting the 6200 ACL work properly?  I didn't have this problem, get the ACL list to work on our Cisco 2811 routers, just at the moment where I tried on the PC6248s.

  1. config
  2. int vlan 720
  3. no ip-group vlan720-in in access
  4. output
  5. No list of access-vlan720-en
  6. access-list vlan720-in permit tcp any 10.1.30.100 0.0.0.0 eq 80
  7. int vlan 720
  8. IP access-group vlan720-in in
  9. output
  10. output
  11. copy, run start
  12. There

  Just an update on this issue.  I worked with Dell to determine why the ACL does not seem to work.  We discovered that the 6200 apply ACL to the traffic as a VLAN ACL Cisco card as opposed to a router ACL entry.  This causes the ACL to apply to not only routed or transferred but also traffic switched in the same VLAN.

  This has been the source of my problems that my traffic is not limited to a single 6200.  I developed a simple laboratory to check that the 6200 applied traffic switched in the same VLAN ACL.

  First the 6200 has one ACL applied to VLAN5 both PC1 and PC2 are in VLAN 5.  They are both on the same subnet 192.168.5.0/24.  The ACL has a statement of "permit icmp any one" but nothing else.  The PC1 and PC2 are running Windows XP Pro with IIS is installed for the test.  The firewall on both is disabled.

  PC #1 IP: 192.168.5.2/24
  PC #2 IP: 192.168.5.3/24

  [6200]
  |    |
  |    |
  |   [2950T #2] <-->[PC #2]
  |
  |
  [2950T #1] <-->[PC #1]

  In this scenario PC1 and PC2 can ping each other without problem because of the permit icmp any any statement, but you cannot access the IIS site on each of the other computers.

  Dell said that this is normal and if you want communication VLAN VLAN you 'license ip ' to make it work properly.  I also found that traffic back from other VLANs were also denied because of the ACL applied on all of the incoming traffic.  As a solution, the license statement should be included for ALL traffic back to the limited subnet other subnets.  So in this case "ip enable any ".

  I find it a bit annoying that ACL is applied in the form of maps of VLAN not like real incoming router ACL as they are on similar Cisco devices as the 3750.  So there is a work around.  I hope they can solve the problem in a future update, because I really think that the 6200 is a great device.

  Here you can see the difference between VLAN ACLs cards and router entry ACL where they are applied in what concerns local traffic to VLAN.
  http://www.Cisco.com/en/us/docs/switches/LAN/catalyst3750/software/release/12.2_25_see/configuration/guide/swacl.html#wp1572522