I'm hoping there's an easy answer for this, as I'm not a layer 3 protocol
expert;
I have two Cat 6506s running the Native IOS 12.1(5a)E1 software. They are
connected to each other via a layer 2 802.1q trunk, and are both connected
to each distribution switch (below them, in the topology) via 802.1q trunks.
Your classical multilayer "building block". Layer 3 SVI (VLAN interfaces)
are being used to provide gateways for hosts in each VLAN. HSRP is being
used to provide a redundant gateway for each VLAN's hosts.
Load balancing is achieved by using PVST+ spanning-trees and a simple
design; odd numbered VLANs use routing switch "mls1" as their HSRP master
and spanning-tree root bridge, i.e.,
! mls1: spanning-tree root and HSRP active for VLAN 101
spanning-tree vlan 101 root primary diameter 4
interface vlan 101
 standby 101 ip 1.2.3.4
 standby 101 timers 1 3
 standby 101 priority 200 preempt
goes on mls1. mls2 has "root secondary", and "priority 100 preempt" to make
it the backup for that VLAN.
Even numbered VLANs are handled the other way around.
So far, so good.
Next I want to use reflexive ACLs to provide basic security to hosts in
these VLANs. On my SVI, I have at very simplest:
interface vlan 101
 ip access-group vlan101-out out
 ip access-group vlan101-in in
!
! inbound (from the VLAN hosts): permit everything and record the return 5-tuple
ip access-list extended vlan101-in
 permit ip any any reflect vlan101-temp
!
! outbound (towards the VLAN hosts): allow only what matches a recorded entry
ip access-list extended vlan101-out
 evaluate vlan101-temp
 deny ip any any log
Since mls1 handles HSRP in normal circumstances for SVI vlan101, the
vlan101-temp list on mls1 is populated. On mls2, the list remains
essentially empty (there's a multicast group entry in there on port 1985
udp, though).
Of course, since my ospf router has:
router ospf 100
redistribute connected subnets
redistribute static subnets
passive-interface vlan101
etc
We get a multipath effect for routers attempting to reach the network for
VLAN 101. Since some packets come in mls2, they are dropped (nothing in the
vlan101-temp on mls2 to allow them back in).
How can I require that the traffic leaving mls1 due to HSRP arrive via mls1?
I imagine I want to use "ip ospf cost" on the Switch VLAN interfaces
(vlan101), but how do I take advantage of this since I'm doing "redistribute
connected". Do I ditch "redistrbute connected" from my OSPF router config,
and place every VLAN's network in a "customer nets" OSPF area? Will this
allow the OSPF path cost to have the effect I want?
e.g.
mls1:
! preferred path: low OSPF cost on the SVI, prefix advertised as an intra-area route
interface vlan 101
 ip address 1.2.3.4 255.0.0.0
 ip ospf cost 1
router ospf 7496
 no redistribute connected subnets
 network 1.2.3.4 0.255.255.255 area 5

mls2:
! backup path: higher OSPF cost on the same SVI
interface vlan 101
 ip ospf cost 10
router ospf 7496
 no redistribute connected subnets
 network 1.2.3.4 0.255.255.255 area 5
Will this do what I'm after?
afort
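The following is an added example, not part of afort's post or any Cisco code: a small Python model of the failure mode described above (return traffic load-shared onto the HSRP standby, where the reflexive list is empty) and of the effect of steering the return path onto the HSRP-active switch. The switch names mls1/mls2, the 10.101.0.0 host addresses, the 192.0.2.80 server and the per-flow hash are constructed stand-ins for the real topology and for CEF load sharing; the "equal-cost external" flag models both 6506s injecting the VLAN prefix with the same metric via redistribute connected, versus the prefix being carried intra-area with different "ip ospf cost" values. It also models what the post does not ask about: a failure of mls1 after sessions are established.

```python
"""Added example (constructed, not from the original post): why a reflexive
ACL built on the HSRP-active 6506 drops replies that OSPF/CEF load-shares
onto the standby, and why forcing the return path onto the active box fixes
it. Names, addresses and the hash are stand-ins for mls1/mls2, VLAN 101 and
CEF per-flow load sharing."""

import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """5-tuple as the ACL sees it."""
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

    def reverse(self) -> "Flow":
        # 'reflect' installs the mirror image of the outbound packet.
        return Flow(self.proto, self.dst, self.dport, self.src, self.sport)


class RoutingSwitch:
    """One 6506 SVI: 'permit ip any any reflect X' in, 'evaluate X' then
    'deny ip any any log' out. Reflexive state is local to the box."""

    def __init__(self, name, ospf_cost, hsrp_priority):
        self.name, self.ospf_cost, self.hsrp_priority = name, ospf_cost, hsrp_priority
        self.up = True
        self.temp_list = set()      # the vlan101-temp entries on this switch
        self.delivered = self.dropped = 0

    def from_vlan(self, flow):
        """Host -> outside through this SVI: record the return 5-tuple here."""
        self.temp_list.add(flow.reverse())

    def to_vlan(self, flow):
        """Outside -> host through this SVI: evaluate, else deny."""
        if flow in self.temp_list:
            self.delivered += 1
            return True
        self.dropped += 1           # deny ip any any log
        return False


def hsrp_active(switches):
    """Highest HSRP priority among the live switches forwards host traffic."""
    return max((s for s in switches if s.up), key=lambda s: s.hsrp_priority)


def return_candidates(switches, equal_cost_external):
    """Next hops the upstream OSPF router installs for the VLAN prefix.
    redistribute connected on both boxes -> same external metric -> ECMP.
    Intra-area prefix with different 'ip ospf cost' -> lowest-cost path only."""
    live = [s for s in switches if s.up]
    if equal_cost_external:
        return live
    best = min(s.ospf_cost for s in live)
    return [s for s in live if s.ospf_cost == best]


def cef_pick(candidates, flow):
    """Deterministic per-flow hash standing in for CEF load sharing."""
    key = f"{flow.proto}{flow.src}{flow.sport}{flow.dst}{flow.dport}".encode()
    return candidates[int.from_bytes(hashlib.sha256(key).digest()[:4], "big") % len(candidates)]


def run(switches, flows, equal_cost_external):
    """Each flow leaves via the HSRP-active SVI; its reply returns via the next
    hop the upstream router picked. Returns (delivered, dropped) totals."""
    for f in flows:
        hsrp_active(switches).from_vlan(f)
        reply = f.reverse()
        cef_pick(return_candidates(switches, equal_cost_external), reply).to_vlan(reply)
    return sum(s.delivered for s in switches), sum(s.dropped for s in switches)


def build():
    return [RoutingSwitch("mls1", ospf_cost=1, hsrp_priority=200),
            RoutingSwitch("mls2", ospf_cost=10, hsrp_priority=100)]


# Constructed traffic: 200 TCP sessions from VLAN 101 hosts to one web server.
FLOWS = [Flow("tcp", f"10.101.0.{10 + i % 40}", 40000 + i, "192.0.2.80", 80)
         for i in range(200)]


def scenario_redistribute_connected():
    return run(build(), FLOWS, equal_cost_external=True)


def scenario_ospf_cost():
    return run(build(), FLOWS, equal_cost_external=False)


def scenario_failover():
    """mls1 dies after sessions are up: HSRP and the OSPF path both move to
    mls2, but the reflexive entries built on mls1 do not. Returns replies lost."""
    switches = build()
    run(switches, FLOWS, equal_cost_external=False)
    switches[0].up = False
    before = sum(s.dropped for s in switches)
    for f in FLOWS:
        r = f.reverse()
        cef_pick(return_candidates(switches, False), r).to_vlan(r)
    return sum(s.dropped for s in switches) - before


if __name__ == "__main__":
    print("redistribute connected (ECMP) delivered/dropped:", scenario_redistribute_connected())
    print("ip ospf cost preference       delivered/dropped:", scenario_ospf_cost())
    print("existing sessions lost when mls1 fails:", scenario_failover())
```

With equal-cost external routes roughly half the replies land on mls2 and are dropped; with the cost preference every reply returns through mls1 and all 200 sessions work. The failover scenario is the caveat of this design: the cost and HSRP priority keep the new active path symmetric, but reflexive entries are per-box state with no synchronisation, so sessions already open when mls1 fails are denied on mls2 until the hosts re-establish them.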
This archive was generated by hypermail 2b29 : Sun Aug 04 2002 - 04:12:30 EDT