HSRP between two 3800 series Cisco routers - Need help!

Feb 4th, 2008

Hi Guys,

I have two 3825 Cisco routers connected to a datacenter using two private circuits:

one private 100 MB ether connection as primary

one private DS3 as backup circuit

I am using all static so no IGP is used.

I have configured these two routers with the 100 MB as my primary link on my primary router and the DS3 as secondary/backup on my secondary router.

I have the following configuration but it is not working and I don't know why.

I would appreciate it if someone could help me in the right direction please, as I do not trust the config being all right!

Primary Router:

interface FastEthernet0/0
 description secondary router
 ip address (IP address for the 100 MB Ethernet link on my primary router)
 no ip redirects
 duplex auto
 speed auto
 standby 1 ip

(This puts both routers' interfaces in the same subnet, with a common standby group of 1 on that link. So both routers are responsible for acting together as the virtual router. Hosts are configured with a static default gateway, the IP address being that of the virtual router.)

 standby 1 timers 5 15
 standby 1 priority 95
 standby 1 preempt
 standby 1 authentication username
 standby 1 track (Ethernet interface for the 100 MB ckt, GE0/0, on this router)

Secondary Router:

interface FastEthernet0/0
 description secondary router
 ip address (IP address for the 100 MB Ethernet link on my primary router)
 no ip redirects
 duplex auto
 speed auto
 standby 1 ip

(This puts both routers' interfaces in the same subnet, with a common standby group of 1 on that link. So both routers are responsible for acting together as the virtual router. Hosts are configured with a static default gateway, the IP address being that of the virtual router.)

 standby 1 timers 5 15
 standby 1 priority 95
 standby 1 preempt
 standby 1 authentication username
 standby 1 track (interface of the DS3 circuit on this router)

Do I need to specify anything in the global config too?

I have attached a .txt file for this configuration. I wonder if I have missed something, maybe at the global command level? I don't think there is any?



Richard Burts Mon, 02/04/2008 - 21:06


I see that you describe them as primary and secondary. But in the configuration you have given them both priority of 95. If you want one to be reliably the primary then its priority should be higher than the secondary (and probably not more than 10 greater as long as you are using track).

Your post says it is not working but is not specific about what is not working. Can you clarify what is not working so that we can understand it better?

It would also help if you would post the output of show standby from both routers.



s.arunkumar Mon, 02/04/2008 - 21:09


What do you mean by not working??? Can you be more specific..

From your config, you have configured both routers with the same priority (i.e., 95). Hence the election for active will be based on the highest IP address of the interface. So the secondary router will become active in this case.

So to make the primary router active, increase the priority. By default it's 100.


m-abooali Mon, 02/04/2008 - 21:13

Thanks very much for your quick response. I really appreciate that.

You are right, I was taking a closer look at what I did and realized that. I have raised the primary to 100 now.

How should I make the physical connection between them?

I mean how should I link these two routers together? I used ether0/1 on both with Cat 5 cables and maybe I have done my physical connection wrong?



m-abooali Mon, 02/04/2008 - 21:44

The reason I have gotten confused on the physical connection between the two routers is due to the fact that I have 2 circuits from 2 different ISPs, one Ethernet and the other DS3 (which doesn't connect to a FE or GE interface on the secondary router). So, primary has Ethernet on GE0/0 and secondary has DS3 on the DS3 line card; how will these two know about each other?

please advise.


m-abooali Tue, 02/05/2008 - 07:42

Hi Arun,

When we have the IP address for the virtual router in the HSRP configuration and have multiple VLANs on the switch connected to these routers (core switch with L3 VLANs), then how can I have the IP address of the virtual router as the default gateway for our hosts and servers?

Shouldn't the IP address for the VLAN interface be the default gateway for all the hosts on that VLAN?

I am really confused here as to which one should act as the default gateway: the virtual router IP address or the VLAN interfaces' IP addresses for hosts on those VLANs?

Please advise.


Richard Burts Wed, 02/06/2008 - 21:16


I am not sure whether I am confused about your situation or whether you are confused about HSRP. HSRP is generally configured on the interfaces which are used for connecting users. If you have multiple VLANs where users are connected, then you would usually configure HSRP on each VLAN interface. Each VLAN would have its own shared/virtual HSRP address and that address would be the default gateway for the hosts connected on that VLAN.

If there is something that I have not understood please clarify for me.



m-abooali Wed, 02/06/2008 - 21:23


You are right! You see, first I configured HSRP to go on our new router and then I realized that I am going to have 3 VLANs on my L3 4500 core switch and from there to my routers. I will have two circuits, one 100 MB as primary terminated on one 3845 and a fractional DS3 terminating on the secondary router, from two different ISPs.

I didn't know that I can specify VLAN interfaces for HSRP! Now that you mention that, I guess I need to make some changes to my HSRP configuration for two VLANs, one for internal office and the other one for external. I will be using VLAN1 for management purposes.

Do you think I only need to replace the actual physical interfaces in my HSRP configuration and add the VLAN interfaces, like int vlan2 and int vlan3?

Would the virtual router stay the same?



m-abooali Wed, 02/06/2008 - 21:39

This is what confuses me. Based on my previous reply where I attached files outlining the configuration, please see if you can clear me up on this issue.

I really appreciate your support.



s.arunkumar Wed, 02/06/2008 - 21:38

Hi Mike,

Rick has explained it well........ :)

Please refer to this link, to clarify more..


Yes, you can move the configuration from the interface to the VLAN SVI or interface, and the virtual address can still be kept the same, with the condition that it should be one IP in the subnet of that particular VLAN, and this needs to be the gateway for devices in that VLAN.


m-abooali Wed, 02/06/2008 - 22:18

hi Arun,

I will be having two VLANs on the 4500, each with its own IP address of course. The switch will be connected to two routers via transit links with /30 IP addresses.

Now, with two VLANs, which VLAN IP address should be listed as the IP for the virtual router in the HSRP?

Also, the switch will do the routing and I don't know how HSRP can do the switching since the actual VLAN interfaces are on the 4500 core switch and not the routers?

I am confused and need help to clarify the points of confusion please.

As far as my comment that it wasn't working, I was doing testing on a test router and that was not accurate. I also fixed the priority and gave the primary a priority of 100 and the secondary a priority of 95, which I should bring lower.



m-abooali Wed, 02/06/2008 - 21:37

Hi Rick,

Actually something just hit my mind which has caused more confusion for me! Please look at the attached MS Word document that outlines the configuration on the 4500 switch and the text file outlining the HSRP.

Since my VLANs are L3 and on the switch, I will be having transit links between the switch and the routers, and for this reason the router will be doing the routing but the switch does. Now, given this scenario, how should I address the HSRP and the interfaces?

Please advise,


s.arunkumar Wed, 02/06/2008 - 22:32

What I understand from the attachment you sent is:

1. You have got one L3 switch and two routers

2. The links between the switch and routers are L3.

3. You have 2 VLANs on the inside network

If so, let me tell you that HSRP is normally used for the redundancy of gateways.

Your VLAN boundary ends at the L3 switch as you are configuring the VLAN routing there itself.

And since you have got only one L3 switch I don't think you can achieve the gateway redundancy per VLAN there.

Now you are configuring HSRP at the routers, but both the routers are connected by L3 links to the switch. For HSRP to work the link should be L2, since both the inside interfaces of the routers need to be in the same subnet along with the virtual address.

With the little experience I have, a possible workaround I feel would be to configure the links as L2 towards the router, do a router-on-a-stick configuration for VLAN communication, do the HSRP configuration on the subinterface and give the default gateway for each VLAN host as this virtual address ....

Here your switch will act as an L2 switch!!!!!!!!!

Experts please confirm if I make sense????


m-abooali Thu, 02/07/2008 - 06:09

Hi Arun,

This is exactly what I was afraid of!

Thinking about my L3 transit links to the router and ending all at the switch, as you explained well.

I understand, you are suggesting creating L2 trunks connecting the switch to the router and, by creating subinterfaces on the router, making that work, correct? Is this what you mean by the router-on-a-stick configuration?

I did that once long ago and I am really not comfortable configuring it, but I wonder if you guys can put me in the right direction please?

Router on a stick and L2 trunks on an L3 switch, I can use some help!



m-abooali Thu, 02/07/2008 - 06:38

Hi Arun,

I did the router-on-a-stick configuration but I am not sure if I had to use two physical interfaces and create one subinterface under each physical, or create both subinterfaces under a single GE0/0 interface on the router (which is what I have done).

I would rather use two interfaces on the router (both of the GE0/0).

As far as the switch, I am planning to do:

create vlan2

create vlan3

VTP server mode

and assign two ports on the switch to be the trunks for those two links. What I don't know is whether I need two trunks or just one given that we have two routers? Should I terminate both circuits on one router or on the two routers for this configuration and for HSRP to work?

I can use a little help please.

Is there any other way to get my original L3 configuration on the switch to work? Can I use that configuration and use something else for redundancy on the routers? I don't have a BGP AS# yet, otherwise I could have used that!?



m-abooali Thu, 02/07/2008 - 09:30

Hi Arun,

Well, things have changed since I have received information that I didn't have. I have attached a .pdf Visio drawing explaining the new requirement for me.

I am thinking of using policy routing, route-map next-hop, ACL, IP route, etc., but I am not sure really what direction to take.

There are Linux servers with two NICs, one private and one public, and they need to be in both internal and external VLANs on the core 4500 switch, hitting the NetScreen firewall and then the router and out through one of the circuits.

At this point the redundancy of those circuits is not that important anymore since later I will use BGP with the providers to do that.

I need to figure out how these internal and external VLAN traffics will hit the firewall and router and go out of the 100 MB link to the Internet?

I am lost at this point!?

Please see if you guys can share your thoughts with me.



philipbray2005 Thu, 02/07/2008 - 13:12

On the primary change the priority to higher than the secondary, e.g.

standby 1 priority 100

m-abooali Thu, 02/07/2008 - 17:17

Thanks much for your input. I did change the priorities but the scenario has now changed based on the new information that I received which I did not have before.

The public subnets were not in the picture, as well as the NetScreen Juniper firewall, but they are now.

I will have one internal VLAN for the internal private subnet and two other VLANs for the two public subnets, each subnet from a different provider which we will connect to the Internet.

Now, I am not really sure how to handle the routing since we have some Linux servers with dual NICs, one private and one public, which I didn't know when I posted my original question and intended/proposed design from the switch up to the two routers.

All the routing must be static for now until a few months later in future when we move to BGP for redundancy at the links to the Internet.

Also, I am really a stranger to Juniper stuff, in this case the Juniper NetScreen 25 firewall!

I can use all the help I can get to start on this. I have posted a .pdf document with the drawing of the network and the way they need it to work.

Please advise.



s.arunkumar Thu, 02/07/2008 - 19:29

Hi Mike

It's good you finally came up with a diagram.. :)

I am not able to understand the requirement properly, with respect to the diagram.. maybe my problem... ;)

Can you please explain a little more on this so that we can sort this out...

Hope experts will throw their view into it...


m-abooali Thu, 02/07/2008 - 20:36

I am glad to have that diagram too!

It was based on the latest information that I received. One office, one private or internal subnet, but in this office we have Linux servers with two NICs, one with a private IP address from that only private subnet /24 and the other one from the two blocks of public IP addresses that we have got from two providers. These IP blocks will also be in the two circuits connecting the office to the Internet.

To make the situation worse, I cannot use any dynamic IP routing at this time, maybe later, so I have to stick with static routing, which has left me optionless on what would be the best and fastest way to get them all hooked up.

I have ordered one Cisco L3 4500 switch and two Cisco 3845 routers but currently they have two Juniper NetScreen firewalls and they want to use them (I don't know any Junipers).

So, I need to create:

VLAN2 for management (using IP from the same private subnet), say

VLAN3 for internal (using the same private subnet)

VLAN4 (using one of the public IP blocks)

VLAN5 (using the other public block)

Now, I wonder what would I need to do to route these subnets (traffic) from the VLANs on the 4500 to the NetScreen firewall and to the router and out to the Internet?

Or, private traffic from the internal VLAN to the routers and external VLANs to the firewall?

Or all the VLANs to the router, use route-map next-hop and match plus IP routes and ACLs and define the NetScreen firewall as the next hop to the router and have the NetScreen firewall route them out through the routers (again back to the router) and out through the links - one primary 100 MB Ethernet and one secondary DS3 (backup, could be active/active, or active/passive).

I hope that by now you know my dilemma!? How do I need to do this when there is no BGP at the external links and no IGP (EIGRP or OSPF) internally?

The more I think, I end up with PBR and route-map defining next hop, maybe two of them? And match the IPs/traffic using IP route and ACLs?

Do you think this will do it? Is there any other way to tackle this design?

The fact is that I only have two weeks to get this design completed and tested here and then send the devices to the remote office where they can be plugged in based on the final diagram. One of my co-workers will go for that connecting issue and I will be starting a second design, but I have enough time for that second one and I may be able to use an IGP since I will not have public IPs for the second design.

I hope that I was able to provide enough information. Please do not hesitate to ask me for any information that you may think is missing. At this time I am trying to come up with a PBR config and am playing with the commands, seeing myself sitting on the switch looking out and then on the routers looking out and looking back in to see if I can see the pattern happening using the route-map stuff?

I am sorry for this long explanation but I thought it was necessary.

At one point I decided to go with the router-on-a-stick scenario but it defeats the whole idea of having the 4500!?

Please advise,



s.arunkumar Thu, 02/07/2008 - 21:52

Hi mike,

Yes, router on a stick will defeat the purpose of the 4500.....

Why is there a connection directly given from the switch to the firewall in the diagram, when your requirement is to route traffic via the firewall..??

If you are going for active/active at the routers for the external link utilization (i.e., load share the traffic going out), then you can very well go with PBR.

But I don't know how you would go with redundancy in this scenario!!!!!!!! :(

Without a dynamic routing protocol, if the links fail how will the switch come to know, as static routes (and PBR) will still forward traffic..


m-abooali Fri, 02/08/2008 - 06:25

Well Arun, this is the one million dollar question for me!

If I can get this to work even in active/passive mode and change over manually at this time, I will go for it until later when we bring dynamic routing in place.

The link is there since the firewall will be sitting somehow between the core switch and the routers, I might be wrong here!

I wanted to add a Cisco 3500 switch in the mix to connect the firewall's external traffic to it and basically divide internal traffic from the external, but yet again the question comes to mind that my two VLANs with external public IP addresses are on the switch, so how would I divide the traffic?

As far as the redundancy, both links from the core 4500 switch to the routers will share the same internal IP subnet so I can have a common virtual router IP for HSRP, but I don't know how I would deal with the two different public IP subnets (two public/external VLANs on the core switch)?

I am open to suggestions and can use any amount of help that I can get, looking at this as a pilot design experience for the next office.

But I am short on time and still have no clear idea of how I should go about this?

Please advise.



m-abooali Fri, 02/08/2008 - 06:31

well, Arun,

I really don't have an answer to this question except that we can go for active/passive and no load sharing/load balancing at this time. I just need to get this working given the VLANs and the devices in the mix.

Later I will get an AS# and will do BGP with the provider and maybe EIGRP on the inside network, but first, they want it static (i.e. my boss wants it static since there is no time left...!)

Your thoughts?



m-abooali Fri, 02/08/2008 - 09:44


I have attached a different diagram. The two links you see going from the Juniper firewalls to the routers are to specify inside and outside connections of the firewall.

what is confusing me is the fact that i will be having External/Public IP vlans on my inside core 4500 Switch!? how should I deal with that?

Hope that this diagram shows more information.



m-abooali Tue, 02/12/2008 - 08:08

hey Arun,

I have been waiting on your response to my two previous postings. Please see if you can help given the new information. Please see the enclosed document in my previous posting/response to you.



jvhaysx Tue, 02/12/2008 - 10:37

1. You cannot have the same priority on both sides (priority 95) - one priority must be higher so it is clearly the Active router.

2. Assuming that normal traffic flows through the Primary router via Fa0/0 and Gi0/0, then if Gi0/0 fails the secondary router becomes the HSRP Active router and traffic flows out the DS3.

However, the command 'standby 1 track' on the secondary router is useless because normally the secondary router is not passing traffic - it is in standby mode most of the time. The only time it is Active is when the Primary Gi0/0 has failed and if a second failure occurs with the DS3 you don't want it failing back to the Primary. The 'track' command should be on one side only.

Hope this helps.
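The election behaviour the replies above describe (equal priorities breaking the tie on interface IP, the primary's tracked link lowering its priority so the secondary preempts, and a second failure flapping the role back when the secondary tracks too) as an added Python model; it is not from any poster in this thread. The 192.0.2.x addresses and Serial1/0 for the DS3 are constructed placeholders, and the decrement of 10 is the IOS default for `standby track` with no value given.

```python
import ipaddress
import re

# Constructed stand-ins for the posted stanzas (only the lines that matter for
# the election); 192.0.2.x and Serial1/0 for the DS3 are placeholders.
PRIMARY_POSTED = """interface FastEthernet0/0
 ip address 192.0.2.2 255.255.255.0
 standby 1 ip 192.0.2.1
 standby 1 priority 95
 standby 1 preempt
 standby 1 track GigabitEthernet0/0"""
SECONDARY_POSTED = PRIMARY_POSTED.replace("192.0.2.2", "192.0.2.3").replace(
    "GigabitEthernet0/0", "Serial1/0")
PRIMARY_FIXED = PRIMARY_POSTED.replace("priority 95", "priority 100")  # the fix
SECONDARY_NO_TRACK = SECONDARY_POSTED.replace("\n standby 1 track Serial1/0", "")

def parse_standby(stanza):
    """Read the interface IP and the group-1 keywords used in the thread.
    'standby track' without a value uses the IOS default decrement of 10."""
    r = {"ip": None, "priority": 100, "preempt": False, "track": {}}
    for line in (l.strip() for l in stanza.splitlines()):
        if m := re.match(r"ip address (\S+) \S+$", line):
            r["ip"] = ipaddress.ip_address(m.group(1))
        elif m := re.match(r"standby 1 priority (\d+)$", line):
            r["priority"] = int(m.group(1))
        elif line == "standby 1 preempt":
            r["preempt"] = True
        elif m := re.match(r"standby 1 track (\S+)(?: (\d+))?$", line):
            r["track"][m.group(1)] = int(m.group(2) or 10)
    return r

def effective_priority(router, down):
    """Configured priority minus the decrement of every tracked interface in 'down'."""
    return max(1, router["priority"] - sum(
        d for iface, d in router["track"].items() if iface in down))

def elect(routers, down, active=None):
    """Return the active router name given the failed interfaces in 'down'.
    Highest effective priority wins, ties go to the higher interface IP, and a
    currently active router is only displaced by a peer that has 'preempt'."""
    best = max(routers, key=lambda n: (effective_priority(routers[n], down),
                                       routers[n]["ip"]))
    if active and active != best and not routers[best]["preempt"]:
        return active
    return best

def run_thread_scenarios():
    """Replay the situations raised in the thread; returns {scenario: active}."""
    posted = {"primary": parse_standby(PRIMARY_POSTED), "secondary": parse_standby(SECONDARY_POSTED)}
    fixed = dict(posted, primary=parse_standby(PRIMARY_FIXED))
    one_track = dict(fixed, secondary=parse_standby(SECONDARY_NO_TRACK))
    return {
        # Both at 95: the tie falls to the higher interface IP, so the secondary wins.
        "posted_normal": elect(posted, set()),
        # 100 vs 95: the primary is active while its 100 MB link is up ...
        "fixed_normal": elect(fixed, set()),
        # ... and sinks to 90 when Gi0/0 fails, so the secondary preempts.
        "fixed_gi_down": elect(fixed, {"GigabitEthernet0/0"}, "primary"),
        # Track on both sides: a later DS3 failure drops the secondary to 85 and
        # the role flaps back to a primary whose 100 MB link is still down.
        "both_track_dual_fail": elect(fixed, {"GigabitEthernet0/0", "Serial1/0"}, "secondary"),
        # Track on the primary only: the secondary holds at 95 and stays active.
        "one_track_dual_fail": elect(one_track, {"GigabitEthernet0/0", "Serial1/0"}, "secondary"),
    }
```

Running `run_thread_scenarios()` returns the active router for each case; the last two entries are the difference jvhaysx points out between tracking on both routers and on the primary only.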

s.arunkumar Tue, 02/12/2008 - 21:17

Hi mike

I am really confused with your scenario and requirement!!!!!! Maybe because of my inexperience..

From what I understood of your scenario, I suggest the following:

1. For traffic from local hosts to the Linux server

Do normal configuration for inter-VLAN routing at the L3 switch (4500). The server will be accessed by internal hosts on the internal private IP NIC of the server.. The default gateway for hosts should be the SVI IP configured for the VLAN at the 4500.

2. For traffic going outside

Put a default route on the 4500 towards the routers (or virtual IP)

3. Redundancy for routers

You require an L2 switch for this between the routers and the 4500. Put the two internal interfaces of the routers in the same subnet and configure HSRP at the physical interface level.. The virtual IP here should be the next hop for the default route I mentioned in point 2.

3. For traffic coming into the network

You can put static routes towards each inside VLAN network

I don't know if this would help better.. let's see...

This topic has gone long and other experts may take a lot of time to read all the posts and come to the latest update. I would suggest you put a new topic in the forum with all your latest requirements, so that others can also respond to it and provide you proper inputs..


