HSRP on public interface

Answered Question
Jan 22nd, 2009

All,

Is it possible to put an HSRP configuration on 2 routers that face the internet? Would I eat 3 public addresses doing it?

router 1: 5.5.5.2

router 2: 5.5.5.3

standby: 5.5.5.1

Is this possible?

Thanks,

John

Correct Answer by Richard Burts Thu, 01/22/2009 - 09:18

John

Assuming that router1 and router2 are connected on a common subnet on their Internet-facing interfaces, then yes, this is possible. And yes, it would consume 3 public addresses.

A somewhat different question from "can I do this" is the question of "why would I want to do this". Since HSRP generally is to solve the problem of redundant gateways on the local subnet, what problem is it solving to put it on the Internet facing interfaces?

HTH

Rick

John Blakley Thu, 01/22/2009 - 09:22

Well, no problem. I'm studying for a test and one of the practice questions was how to provide redundancy on an internet link for VPN users without having to reconfigure their client. The answer was HSRP, and that's the only way I could figure it would be the case. Each one of the clients would configure their software to connect to the standby IP, and in case that dies, the other will still be valid. So, there could be other reasons (aside from GLBP), like hosting a webserver for instance. I could see doing it for that also.

Thanks Rick!

John

Giuseppe Larosa Thu, 01/22/2009 - 09:58

Hello John,

We use this setup to perform stateful IPsec failover:

We have two 7206VXR with NPE-G2 and they share the IPsec SAs using a TCP connection between them.

The IP address used to terminate IPsec is actually the HSRP VIP on the public LAN interface.

Hope to help

Giuseppe

cisco24x7 Thu, 01/22/2009 - 10:32

How does stateful IPsec failover work for you?

During three months of testing last year, I found that stateful IPsec failover on Cisco IOS is not stable.

What IOS version do you use?

Giuseppe Larosa Thu, 01/22/2009 - 11:07

Hello David,

We actually had problems with sudden and random connection drops at first.

We opened a Service Request.

They suggested that we keep the configurations identical (you need to do it manually; it is not like on the PIX).

In the end, after the second IOS upgrade, packet captures and two months, it is working better.

We currently use

c7200p-advsecurityk9-mz.124-20.T.bin

Before, in 12.4(19)T, the first IOS suggested for the upgrade, we couldn't reach the hot standby redundancy state.

However, the feature has some strange behaviour, like triggering a reload when a change of state from master to slave happens!

This also happens if you shut one interface, either public or private, or if you try to remove the redundancy configuration (at least in 12.4(19)T).

States are ruled by HSRP group priorities, and we configured higher priorities on both the public and private interfaces on the same router, with tracking.

This is different from what is suggested for the feature, where they suggest using the same priorities on both routers: this can cause unnecessary changes of state.

RT-RM-TLD066-NEW-VPN-2 uptime is 19 weeks, 1 day, 20 hours, 35 minutes
System returned to ROM by reload at 00:11:25 MEST Wed Sep 10 2008
System restarted at 00:12:40 MEST Wed Sep 10 2008
System image file is "disk2:c7200p-advsecurityk9-mz.124-20.T.bin"

RT-RM-TLD066-NEW-VPN-2#sh red stat
my state = 13 -ACTIVE
>>> peer state = 8 -STANDBY HOT
Mode = Duplex
Unit ID = 0
Maintenance Mode = Disabled
Manual Swact = Enabled
Communications = Up
client count = 9
client_notification_TMR = 30000 milliseconds
RF debug mask = 0x0
RT-RM-TLD066-NEW-VPN-2

Hope to help

Giuseppe
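As an added example, not configuration from this thread or from Richard's or Giuseppe's routers: the HSRP setup for the two routers in John's question (5.5.5.2, 5.5.5.3, VIP 5.5.5.1), with the interface tracking and per-router priorities Giuseppe describes so that the public and inside VIPs fail over together. The interface names, the /29 mask, the inside addresses, the priority values and the key-string placeholder are assumptions; the IPsec redundancy configuration itself is not shown.

```cisco
! Added example (not from the thread): router 1 of the pair in the question.
! Assumed: Gi0/0 is the public side on 5.5.5.0/29, Gi0/1 is the inside LAN
! (192.168.1.0/24, constructed). Router 2 mirrors this with 5.5.5.3 and
! 192.168.1.3 and priority 100 in both groups, so router 1 is preferred.
track 10 interface GigabitEthernet0/1 line-protocol
track 20 interface GigabitEthernet0/0 line-protocol
!
interface GigabitEthernet0/0
 description Public / Internet-facing
 ip address 5.5.5.2 255.255.255.248
 standby version 2
 standby 1 ip 5.5.5.1
 standby 1 priority 110
 standby 1 preempt delay minimum 60
 ! On a shared provider segment the MD5 key is what stops any other host on
 ! that segment from joining the group and claiming the VIP.
 standby 1 authentication md5 key-string REPLACE_WITH_SHARED_SECRET
 ! Group name the IPsec redundancy configuration refers to (assumed name).
 standby 1 name VPN-PUBLIC
 ! Losing the inside link drops 110 -> 90, below router 2's 100, so the
 ! public VIP moves together with the inside VIP instead of black-holing
 ! VPN traffic on a router that can no longer reach the LAN.
 standby 1 track 10 decrement 20
!
interface GigabitEthernet0/1
 description Inside LAN
 ip address 192.168.1.2 255.255.255.0
 standby version 2
 standby 2 ip 192.168.1.1
 standby 2 priority 110
 standby 2 preempt delay minimum 60
 standby 2 authentication md5 key-string REPLACE_WITH_SHARED_SECRET
 ! Symmetric tracking: losing the public link hands the inside VIP over too.
 standby 2 track 20 decrement 20
!
! Verify that both groups sit on the same router and that the tracked
! objects are Up before testing a failover:
!   show standby brief
!   show track
```

With equal priorities on both routers the tie is broken by the higher interface address, which is why Giuseppe's asymmetric priorities plus tracking give a predictable active router; the preempt delay keeps a router that has just reloaded from taking the VIP back before its routing and IPsec state have converged.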
