
HSRP Configuration

Latchum Naidu
VIP Alumni

Hi All,

We have a DC with two internet providers (BGP multihome managed by provider).

I have two Cisco 1841 routers, each one connected to one provider.
I have configured HSRP on both 1841s on the LAN interfaces (VIP 192.168.29.10).
I would like to configure HSRP on the WAN interface also (VIP 193.11.115.4) and use the track command as well.

My doubt is: can we configure HSRP on two interfaces (LAN & WAN) on the same router?


Please find the below configs on LAN interface

Cisco 1841 A:

interface FastEthernet0/1
ip address 192.168.29.12 255.255.255.0
standby use-bia scope interface
standby 0 ip 192.168.29.10
standby 0 priority 110
standby 0 preempt
standby 0 authentication xxxxxx
standby 0 track FastEthernet0/0 30


Cisco 1841 B:

interface FastEthernet0/1
ip address 192.168.29.11 255.255.255.0
standby use-bia scope interface
standby 0 ip 192.168.29.10
standby 0 priority 90
standby 0 authentication xxxxx
standby 0 track FastEthernet0/1 30

Please find the below proposed configs on WAN interface


Cisco 1841 A:

interface FastEthernet0/0
ip address 193.11.115.6 255.255.255.0
standby 1 ip 193.11.115.4
standby 1 preempt
standby 1 priority 115
standby 1 authentication xxxxxxx
standby 1 timers 5 15
standby 1 track ??????????


Cisco 1841 B:

interface FastEthernet0/0
ip address 193.11.115.5 255.255.255.0
standby 1 ip 193.11.115.4
standby 1 preempt
standby 1 priority 100
standby 1 authentication xxxxxxx
standby 1 timers 5 15
standby 1 track ??????????


Coming to the track command: can we use the provider interface IP instead of the physical interface? My Cisco 1841 routers are not directly connected to the provider's physical interface. They are connected through one Linksys switch.

Can someone please suggest the exact config (if I am wrong) to achieve this project?

Please find the attached diagram for better picture about the connectivity.


Regards,
Naidu.

8 Replies

Jon Marshall
Hall of Fame

Naidu

You can configure HSRP on multiple interfaces on the same router so you should have no problem there.

However, perhaps you could explain the reasoning behind wanting to do that. HSRP is good as a redundant default gateway for end hosts, but between your routers I would recommend running a dynamic routing protocol such as OSPF/EIGRP rather than using HSRP.

Is there any reason you want to run HSRP?

Jon

Hi Jon,

Thanks for your quick response,

The reason why I would like to configure HSRP on the WAN interface also is that we have site-to-site IPsec tunnels with external clients. So far they have the peer IP of the primary router. In this case, if the line on the primary router is down, the tunnels are down until the primary line is up.

So that is the reason I am looking for a single WAN IP, so that in any case the VIP to the external peers will be alive.

Regards,

Naidu.

Naidu

Okay, but what you can do as an alternative is to simply configure 2 peer IP addresses under the clients IPSEC settings, and if the first IP is unavailable then the 2nd would be used. It wouldn't automatically fall back to the first IP if the router came back up, though.

If you don't want to do that and use a VIP as you suggest, be aware that this will not provide stateful IPSEC failover, i.e. the tunnel would have to be created again, and this could cause some problems at the far end if their IPSEC devices don't realise the original tunnel is down.

That said, yes you can configure HSRP on both the LAN and WAN interfaces of your router if that is what you want and it will work fine.

Jon


Hi Jon,

Thanks for your response.

"but what you can do as an alternative is to simply configure 2 peer IP addresses under the clients IPSEC settings"

What I understood here is that I have to configure the second router's IP address as a second peer IP on the other end (at the external client device). Is that correct?

Regards,

Naidu.

Naidu

Yes, that's correct. Under the same crypto map entry you just add a second peer device. If the other ends are all Cisco devices you could look to run IPSEC over GRE, which would dynamically route to the second router without having to use HSRP, but I didn't suggest it because you referred to external clients, which I thought may not be using Cisco routers.

Jon
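The two-peer crypto map entry described in the reply above, as an added example that is not part of the original thread. It assumes the remote end is a Cisco IOS router; the map, ACL and transform-set names, the client LAN 10.50.0.0/24 and the key placeholder are hypothetical, while the peer addresses and the 192.168.29.0/24 LAN are the ones from the posted configs.

```cisco
! Remote (client-side) router. Names ending in -EXAMPLE are hypothetical.
!
! One pre-shared key per DC router, since either one may answer IKE.
crypto isakmp key <PSK-PLACEHOLDER> address 193.11.115.6
crypto isakmp key <PSK-PLACEHOLDER> address 193.11.115.5
!
! Dead Peer Detection: send a keepalive every 10 s, retry every 3 s.
! Without it the client keeps stale SAs to a peer that is already down
! and never moves on to the second peer.
crypto isakmp keepalive 10 3
!
crypto ipsec transform-set TS-EXAMPLE esp-aes 256 esp-sha-hmac
!
! Interesting traffic: constructed client LAN to the DC LAN from the thread.
ip access-list extended VPN-TRAFFIC-EXAMPLE
 permit ip 10.50.0.0 0.0.0.255 192.168.29.0 0.0.0.255
!
crypto map CMAP-EXAMPLE 10 ipsec-isakmp
 ! Peers are tried in the order listed: primary first, then secondary.
 set peer 193.11.115.6
 set peer 193.11.115.5
 set transform-set TS-EXAMPLE
 match address VPN-TRAFFIC-EXAMPLE
!
interface FastEthernet0/0
 crypto map CMAP-EXAMPLE
```

After a failover, `show crypto isakmp sa` on the client router shows which of the two addresses the current SA is built to.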

Hi Jon,

Yes, we have two crypto maps like below for both primary and secondary routers:


crypto isakmp key xxxxxx address 193.11.115.6 no-xauth
crypto isakmp key xxxxxx address 193.11.115.5 no-xauth

Our site-to-site tunnels are DMVPN for our internal sites and IPsec for external clients.

The OSPF routing protocol is configured on both routers and also for all DMVPN sites. But I am not seeing the DMVPN tunnels come through the secondary (193.11.115.5) when the primary (193.11.115.6) is down. What could be the problem?

OSPF priority is 255 on the primary and 254 on the secondary.

Your thought is right, the external clients are using other devices; for example, one client is using a ZyXEL (ZyWALL USG 1000).
Please suggest which way is better to have high availability.

Regards,

Naidu.

Hi Experts,

Any suggestions please...

Regards,

Naidu.

Marwan ALshawi
VIP Alumni

Try this link:

Cisco High Availability Solution: Stateful Failover for IPsec

http://www.cisco.com/en/US/partner/prod/collateral/iosswrel/ps6537/ps6586/ps6635/white_paper_c11_472859.html

Good luck.

If helpful, rate.
