HSRP - Managing Site to Site Routing

Feb 21st, 2010
Hello,


HSRP Query


- Site 1 has two routers configured with HSRP (one active/other standby)

- Site 2 has two routers configured with HSRP (one active/other standby)


Both the sites are connected via a cloud. What will happen in following scenarios


1. Traffic goes out of active router in Site 1 and returns via standby router in Site 2. Will this cause any problems? What configuration is required to enforce return traffic to travel out of the active router at Site 2 (i.e. to avoid asymmetrical routing)?


2. If object tracking is configured for the active link at Site 1 and the link fails, how will Site 2 know not to 'initiate' traffic from the active router at Site 2 but to instead send out from the standby router to connect to the available standby router at Site 1?


Thanks.

Federico Coto F... Sun, 02/21/2010 - 07:19

Hi,

You can consider having HSRP configured on the outside interface on the HSRP routers to manage incoming traffic if
the routers share the same subnet on the outside.


Other solutions are to have an external router (after the HSRP routers to handle the incoming traffic), or if you're
talking BGP with the ISP you can manipulate the incoming traffic.


Federico.

Jon Marshall Sun, 02/21/2010 - 08:00

cisco_lite wrote:


Hello,


HSRP Query


- Site 1 has two routers configured with HSRP (one active/other standby)

- Site 2 has two routers configured with HSRP (one active/other standby)


Both the sites are connected via a cloud. What will happen in following scenarios


1. Traffic goes out of active router in Site 1 and returns via standby router in Site 2. Will this cause any problems? What configuration is required to enforce return traffic to travel out of the active router at Site 2 (i.e. to avoid asymmetrical routing)?


2. If object tracking is configured for the active link at Site 1 and the link fails, how will Site 2 know not to 'initiate' traffic from the active router at Site 2 but to instead send out from the standby router to connect to the available standby router at Site 1?


Thanks.


1) Unless you have firewalls in the path then it shouldn't really make any difference that packets return on the other router. In fact this often happens with L3 switches as well where traffic goes out one vlan interface and comes in the other. It's really not a problem.


If you want to force traffic to the same router there are multiple ways, but do you really need to? If you have dual links to the cloud then do you not want to use the bandwidth of both links?


If you wanted to you could use BGP as Federico suggested, you can influence any routing protocol so the active router is used inbound.


2) If the routers are connected to a cloud as such, it shouldn't matter which router at site 2 is used if a router at site 1 fails. If they were point-to-point links it might, but as you say it is a WAN cloud, I'm guessing they are not P2P links.


Jon

Lei Tian Sun, 02/21/2010 - 08:23

Hi,


1. Traffic goes out of active router in Site 1 and returns via standby router in Site 2. Will this cause any problems? What configuration is required to enforce return traffic to travel out of the active router at Site 2 (i.e. to avoid asymmetrical routing)?

Asymmetric routing will not be a problem unless you have something that needs stateful information, like a firewall or NAT. If you need the routing to be symmetric then you need to provide more information for someone to find out the best solution, like the routing protocol with the SP, any VPN running between sites, whether NAT is used...


2. If object tracking is configured for the active link at Site 1 and the link fails, how will Site 2 know not to 'initiate' traffic from the active router at Site 2 but to instead send out from the standby router to connect to the available standby router at Site 1?


The object tracking should track your WAN link, so if site1's primary HSRP router's WAN link goes down, the only router that can carry traffic in/out of site1 will be the backup router. Site 2 doesn't need to know which router is used to reach site 1, but the SP will notice site1 is only reachable via the backup router.


HTH,


Lei Tian

cisco_lite Sun, 02/21/2010 - 10:28

- The Cloud is Layer 3 IPVPN

- Routing Protocol is BGP

- Active link belongs to one AS and Standby link belongs to another AS

- Both links will be on different subnets


With regards to point # 2, due to the different AS, how will the active router at site 2 communicate with the standby router at site 1? For the active router at site 2 the directly connected link is up, whereas many hops away the ex-active router is unavailable at site 1. So when the traffic goes via the cloud it would not be able to reach site 1. How can this be ensured with the above mentioned setup?



Lei Tian Sun, 02/21/2010 - 12:40

Hi,


- The Cloud is Layer 3 IPVPN

- Routing Protocol is BGP

- Active link belongs to one AS and Standby link belongs to another AS

- Both links will be on different subnets



For that case, assume you learn the same prefix from both the active and the standby router. On each site you can do:

1. eBGP peer between active and standby router.

2. On the standby router, apply a route-map on the egress direction of the SP eBGP peer to AS-prepend all prefixes to make them less preferred.


If the 2 SPs do not pass your VPN prefix to each other, it will work as follows:

When everything is normal, traffic leaving site 1 will go site 1 - active - SP1 - active - site 2; return traffic will follow the same path.

When site 1's active router WAN link fails, traffic leaving site 1 will go site 1 - standby - SP2 - standby - site 2. Because site 2's active router will not learn site 1's prefix from the SP, the return traffic will follow site 2 - active - standby - SP2 - standby - site 1.


If the 2 SPs do pass your VPN prefix to each other, it will work as follows:

When everything is normal, traffic leaving site 1 will go site 1 - active - SP1 - active - site 2; return traffic will follow the same path.

When site 1's active router WAN link fails, traffic leaving site 1 will go site 1 - standby - SP2 - SP1 - active - site 2. This is because SP2 will learn the same prefix from site 2 and from SP1, and SP1 is preferred because of the shorter AS path. The return traffic will follow site 2 - active - SP1 - SP2 - standby - site 1.


HTH,


Lei Tian

cisco_lite Sun, 02/21/2010 - 18:20

- The Cloud is Layer 3 IPVPN

- Routing Protocol is BGP

- Active link belongs to one AS and Standby link belongs to another AS

- Both links will be on different subnets


With the above setup we will be using only one service provider.

Lei Tian Mon, 02/22/2010 - 06:11

Hi,


Yes. This uses your 2 SPs as active/backup, and the active SP matches your HSRP primary. If you want to use both SPs, do load sharing. The above still holds true, but you need to selectively prepend prefixes. Say you want site1 to use SP1 for prefix 172.16.1.0/24 and SP2 for prefix 172.16.2.0/24; then you can prepend 172.16.1.0/24 on the standby router at site 2 and prepend 172.16.2.0/24 on the active router at site 2.

Another solution is to advertise half of the prefix plus the summary from one SP, and the other half of the prefix plus the summary from the other SP. Say you need to advertise 172.16.0.0/16 from site 2 to site 1; then you can advertise 172.16.1.0/17 and 172.16.0.0/16 via SP1, and advertise 172.16.128.0/17 and 172.16.0.0/16 via SP2. So the traffic can be load shared across the 2 SPs.


HTH,

Lei Tian
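To put Lei Tian's two replies together (the peering and outbound prepend from the first, the selective prepend for load sharing from the second, plus the WAN-link object tracking from question 2), here is an added example of what the site 2 standby router's IOS configuration could look like. It is not config from the thread; the AS numbers, addresses, interface names and prefix-list names are assumed, and it peers the two site routers over iBGP (Lei Tian's step 1 says eBGP, which behaves the same if each router has its own AS).

```text
! Added example, not from the thread. Site 2 standby router, facing SP2.
! Assumed values: site AS 65002, SP2 AS 65200, SP2 peer 10.2.2.1,
! active router LAN address 172.16.0.2, WAN interface Serial0/0,
! 172.16.1.0/24 should prefer SP1 and 172.16.2.0/24 should prefer SP2.
!
! Object tracking: watch the WAN link so the LAN-side HSRP priority drops
! when this router can no longer reach the cloud.
track 10 interface Serial0/0 line-protocol
!
interface GigabitEthernet0/1
 description Site 2 LAN
 ip address 172.16.0.3 255.255.255.0
 standby 1 ip 172.16.0.1
 standby 1 priority 90
 standby 1 preempt
 standby 1 track 10 decrement 20
!
! Prefixes that should normally be reached through SP1 (the active router's SP)
ip prefix-list PREFER-SP1 seq 5 permit 172.16.1.0/24
!
! Outbound policy toward SP2: lengthen the AS path only for prefixes that
! should prefer SP1; everything else is advertised unchanged so that it
! prefers this link. Sequence 20 has no match clause, so it permits the rest.
route-map SP2-OUT permit 10
 match ip address prefix-list PREFER-SP1
 set as-path prepend 65002 65002 65002
route-map SP2-OUT permit 20
!
router bgp 65002
 bgp log-neighbor-changes
 network 172.16.1.0 mask 255.255.255.0
 network 172.16.2.0 mask 255.255.255.0
 ! Peer with the active router so each router learns what the other
 ! receives from its SP (site 2 - active - standby - SP2 path in the reply).
 neighbor 172.16.0.2 remote-as 65002
 neighbor 172.16.0.2 next-hop-self
 ! eBGP to SP2 with the prepend policy applied on egress
 neighbor 10.2.2.1 remote-as 65200
 neighbor 10.2.2.1 route-map SP2-OUT out
```

The active router mirrors this with a higher HSRP priority (e.g. 110), its own SP peer, and a prefix-list matching 172.16.2.0/24 in its outbound route-map; for plain active/backup with no load sharing, drop the match clause from sequence 10 so the standby router prepends every prefix.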

Arup Dutta Sun, 02/21/2010 - 22:48

hi,

   Would you like to send the SITE1 config text?
