thanks for reply now if you see above i have emntioned that , that both routers ethernet would be in different subnet so i cant use same vlan......secondly firewall cant use ospf....i hope its bit more clear ....i am totally confuse how i will do it...if u need any more info plz let me know

Well..That's the thing

you did not explain why they have to be in different subnet. I mean where's the limitation.

If you have them in the same switch, or even switches which are interconnected together you can always trunk that vlan across and have HSRP on "inside" interface of the WAN routers.

The outside interface (towards ISP) can have a different segment without worrying

you are pretty much stuck with this option unless your firewall knows OSPF. Otherwise you need to point the static route from the firewalls to an HSRP.

post a diagram if you think this explanation does not solve the problem

Thanks for your reply now probably i am pretty bad at explaning :-) now i need the solution form swicth A and two routers which will be attached to that switch (each router will b ein different subnet) now how will i config ospf so that all traffic shd go via first link to router 1 and if router 1 fails it will go through router 2......i have tro config bgp on wan routers as well.....what i am worried abt is how i will route traffic to networks which atre behind firewall.....before everything was static if u read my first post....and how will i config ospf???

I think you do not understand what i'm saying :)

- please tell me: how many interfaces on the WAN router you will use? Is it correct to assume that the WAN router will have a connection to the ISP (1 interface) and a connection to the switch A (another interface). Do you have a similar setup to on WAN router 2?

- both routers connect to the same switch A?

if the answer is YES to both questions, then definitely yes, you can use HSRP.

yes both routers connect to same switch A and if i have to use different subnets for LAN between switch and routers how can i use HSRP (i have mentioned that in previous email) both WAN routers will have connection to same ISP....now did u get the point.....we dont want that both routers shd be active (ie loadbalancing)

Hello Khan,

you can use OSPF to generate a default route of type O E1 on both WAN routers.

primary router will use a lower seed metric and will be preferred.

you can configure it to check that an eBGP default route is received

router ospf 10

! or other network used between SWA and router

network 2.153.83.0 0.0.0.255 area 0

default-information originate type 1 route-map check-bgp

ip prefix-list only-default permit 0.0.0.0/0

access-list 11 permit host primary-ebgp-peer-address

route-map check-bgp permit 10

! check the presence of a BGP default

match ip address prefix only-default

! check default route BGP next-hop

match ip next-hop 11

set metric 50

WAN router B will use a seed metric of 100.

All this can work if SwitchA is after the firewall and can talk OSPF with both WAN routers.

Hope to help

Giuseppe

Thanks Giuseppe

Now cant we use ospf cost on switch for primary link to router as well as towards secondray router???? if yes how we do it...i have two vlans different subnets (thats is design so cant change it) now i want that from switch the packet shd be routes to primary link and if primary link goes down or link between swicth and router goes down it shd divert toi secondry router.....how we will do that....both WAN routers are connected to same service provider.....thanks

Hello Khan,

what I have suggested works for your scenario:

using an O E1 means that the OSPF metric for the 0.0.0.0/0 is calculated as:

seed metric + path metric to ASBR

in your case with my suggested config it would be:

50+1 on the primary path

100+1 on secondary path

changing the cost on the links is not necessary you can use different seed metrics as I proposed.

Hope to help

Giuseppe

guroo.

I understood you very well but i just wanted to give you a solution to your problem.

My question was very simple. Why do you need to use different subnets when you don't have to.

Why can't you just use the same subnet! Because i'm telling you: you can with the setup that you have.

That's the key: "you can use the same subnet and do HSRP". Now it's up to you if you want to be flexible or not and go this way.

I think you do not understand the flexibility that you have with you gear and your existing setup.

The switch NEEDS to be only layer 2 for routers WAN1 and WAN2, and firewall.

example.

Setup vlan 100 on the switch:

vlan 100

name INTERNET_DMZ

int fa0/1

switchport mode access

switchport access vlan 100

description To WAN_A

int fa0/2

switchport mode access

switchport access vlan 100

description TO WAN_B

int fa0/3

switchport mode access

switchport access vlan 100

description TO FW1

VERY IMPORTANT NOTE: Do not route or allocate an IP address to vlan100 on the SWITCH. Switch should not participate in VLAN 100 routing. WAN1 and WAN2 will route this subnet , and the firewall

Now you have yourself a layer 2 setup for connection to WAN_A and WAN_B, subsequently you can do HSRP on those routers.

define ip addresses:

WAN_A 192.168.100.2

WAN_B 192.168.100.3

HSRP between the 2: 192.168.100.1

HSRP messages will easily flow through vlan 100 layer 2 setup on the switch.

go to FIREWALL

bring up interface

configure ip 192.168.100.254 255.255.255.0

(note. if you have trunk to your firewall. you need to define vlan 100 on the fw, if you plan to use separate interface, no need to do so)

setup default gateway on the firewall to HSRP address of routers.

Thats about it.

The key here is that your switch is a layer 2 interconnection point for vlan 100

As you see..no need to have different subnets on routers