Campus
Resilience Lab

Full shutdown of DSW-1 via interface range to test HSRP failover, STP reconvergence, and OSPF neighbor loss simultaneously. DSW-2 transitioned from Standby to Active for VLANs 10, 30, and 50 within the HSRP hold timer (~10 seconds). STP elected DSW-2 as root for all VLANs (inheriting its secondary priority of 8192). ASW-1's root ports shifted entirely to Po5 (to DSW-2). OSPF on CORE-1 lost the DSW-1 neighbor after the 40-second dead timer, dropping to a single next-hop via DSW-2.

The clearest proof point was the traceroute first-hop shift: before the failure, PC1's first hop was 10.1.10.2 (DSW-1). After failover, it shifted to 10.1.10.3 (DSW-2), confirming the HSRP VIP had moved. 100% ping reachability to both PC2 and PC3 throughout.

Tested both single-member loss and full-bundle loss on Po1 (ASW-1 to DSW-1). On single-member shutdown (Gi0/0), Po1 stayed up on the surviving member. No port-channel state change message was generated; the bundle absorbed it silently. However, the STP cost on Po1 increased from 3 (two members) to 4 (one member), making Po5 (cost 3, both members intact) the lower-cost path. STP correctly shifted the root port from Po1 to Po5.

On full-bundle loss (both members shut), Po1 went to SD (Layer2 Down) and disappeared from the STP topology entirely. All traffic flowed through Po5. Latency increased from ~5ms baseline to ~10-16ms due to the longer path through DSW-2. On restoration, LACP rebundled both members in approximately 5 seconds, Po1 returned as root port, and STP converged back to baseline.

Shutdown of CORE-1 Fa0/1 (link to DSW-1) to force OSPF reconvergence. CORE-1 detected the neighbor loss immediately (local interface down, no dead timer wait). DSW-1 had to wait the full 40-second dead timer since its Gi0/0 link stayed physically up; it detected loss via missed hellos. CORE-1 fell back to a single OSPF path via DSW-2, CEF updated within seconds.

Critically, HSRP and STP were completely unaffected. DSW-1 remained HSRP Active for VLANs 10, 30, 50. Endpoint-to-endpoint traffic (PC1 to PC3) worked perfectly because inter-VLAN routing at the distribution layer uses connected SVIs and doesn't depend on OSPF. The failure only impacted core-to-endpoint reachability, and it surfaced the Null0 asymmetric routing black hole documented in Key Findings.

Initially attempted IOS on Unix (IOU) images for lower RAM footprint (~256MB vs ~768MB per node). Hit a chain of issues on bare-metal Fedora: missing 32-bit libcrypto, IOURC license keyed to the wrong hostname, and community keygen scripts producing rejected keys. IOU licensing on bare-metal Linux outside the GNS3 VM appliance is unreliable.

During Phase 4 testing, the initial EtherChannel degradation scenario converged incorrectly. The root port moved to Po5 AND the HSRP virtual MAC was learned on the wrong port, breaking traffic flow. Root cause: distribution switches were running Rapid-PVST+ while access switches were on classic PVST+. The version mismatch caused distribution switches to fall back to slow 802.1D timers on access-facing ports (visible as a "Peer(STP)" flag on DSW-1's Po1).

After configuring OSPF, all traffic from CORE-1 preferred the DSW-2 path. The ECMP dual next-hops that should have been installed were missing. Root cause: CORE-1's Fa0/1 (to DSW-1) was auto-negotiating to 10 Mbps (OSPF cost 10), while Fa1/0 (to DSW-2) was at 100 Mbps (cost 1). The c3725 Dynamips image doesn't auto-negotiate speed consistently with IOSvL2.

The initial Phase 4 test of Scenario 1 (DSW-1 shutdown) revealed that ASW-1 was completely islanded. It only had an uplink to DSW-1 via Po1; when DSW-1 went down, PC1 lost all connectivity. This was a topology design gap, not a protocol issue.