Cisco ISR Failover – High Availability LAN Segment with Cisco ISR4451X and Netgear GS724

ciscofailoverlayer2spanning tree

I have a customer that is getting a new 1Gbps ISP connection and wants his servers connected across two switches for redundancy and protection from:

failure of a router port
failure of a network cable
failure of a switch
failure of a power supply to a switch

Network architecture:

The router is a Cisco ISR4451X with latest IOS 16.7.1, the switches are Netgear GS724Tv4 and the servers are modern Dell boxes running Ubuntu 16.04 LTS.

The Ubuntu boxes uses the 'bonding' driver with the two gigabit interfaces (eth0, eth1) providing a bonded/teamed interface bond0. The bonding interface is configured for high availability, not throughput.

The network has to run dual stack with public IPv4 and IPv6 but there is no requirement for VLANs.

What's the best approach to configure this on the ISR4451X? The obvious choices appear to be:

Redundant interface (but we're going into different switches)
Port-Channel
Bridge Domain Interface (BDI)
Bridge Virtual Interface (BVI)

The goal is to protect against all of the failure modes and avoid MAC address flapping. It shouldn't matter which leg of the bond0 interface the Linux box uses to communicate the packet should find its way back without duplication or drops.

The connections between the ISR4451X and each GS724Tv4 will use the SFP ports (port 23) and the interconnect between the switches can use SFP on port 24. These connections can be in access port or trunk port mode and with or without LACP.

Can someone recommend the best approach?

Mike

Best Answer

Configuring the router with a BVI interface seems to make the most sense. You can't use a port channel, and BDI is for IOS-XE routers. Make the router the root of the spanning tree.

Related Solutions

Cisco – Configure Cisco Aironet 1600 AP with RADIUS and multiple VLANs

One way to solve this problem is to change the AP connection to a layer 2 trunk with both VLANs on the trunk. You can have two different SSIDs (one for users, one for guests) and each SSID is associated with a VLAN. When a client connects to the Guest SSID, her data goes on VL 200; a regular user's data goes on VL 100.

You will need separate DHCP scopes for each VLAN, either on the AP or a central DHCP server.

Cisco Stacks – Resolving RSTP Blocking on Uplink Ports

First of all you may want to remove the unnecessary spanning-tree configuration on your secondary uplink. STP calculates the cost metric based on the link speed. Your 100Mbit/sec CU uplink has a default cost of 19 and your primary 1Gbit/sec SM Fibre uplink got a cost of 4, so no need to set it manually.

You may also remove the "access vlan configuration" since your trunk configuration with native vlan 666 will be preferred. Also change your allowed vlan configuration to match the primary link. I do not know which vlans you actually use, but inconsistency may become a big pain in case your primary link fails.

 interface GigabitEthernet2/0/28
 description "downlink trunk BldgB 100M-Backup"
 switchport access vlan 666              -> unnecessary
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 666
 switchport trunk allowed vlan 2-99,101-109,111-4094
 switchport mode trunk
 switchport nonegotiate
 shutdown
 speed 100
 duplex full
 spanning-tree vlan 99 port-priority 128 -> unnecessary
 spanning-tree vlan 99 cost 50           -> unnecessary
end

An interesting counter from Gi1/0/28 (Site A) are the input errors on the interface. Might be a layer 1 issue but since you do not have any crc errors and the realibility is 255/255 it may be due to repluging cables.

Since there are no obvious configuration issues I would recommand re-enabling the port and posting the output of:

Site A:

show spanning-tree interface gi1/0/28
show spanning-tree detail

Site B:

show spanning-tree interface gi2/0/1
show spanning-tree detail

Last but not least could you provide the following information:

Which IOS release are you running on the stacks?
Does your Service Provider provide transparent L2 services (BPDUs received on both sides? ... you may check if CDP packets are received on both sites via show cdp neighbors)

Related Topic

Cisco 4331 – High Availability Configuration in Cisco 4331 Routers