HSRP with multiple secondary IP addresses

Unanswered Question
Aug 26th, 2013
User Badges:

I have two routers running in active/standby mode for VPN connectivity to customers. They are configured for HSRP using their two primary IP addresses on each router's interface. The primary HSRP is working as expected without issues.


How do I configure the routers for HSRP with multiple secondary IP addresses and HSRP for each secondary IP address? I have tried using the secondary keyword in the “standby [group-number] ip [ip-address] secondary” statement, however, the problem is all IP addresses (primary and secondarys) are in the same /24 subnet.  I am faced with the following problem then:


  • •1.      How would the HSRP process for a secondary standby IP address know what physical secondary standby IP address to switch to in case of a failover?
  • •2.      If I use a different standby group number for each secondary standby IP address that I create how can I link the secondary IP addresses on the physical interfaces to that specifc standby group number for segregation?


Here are the router configs for the desired HSRP and stateful failover sections,it does not work, the “show standby brief” command shows the 2, 3 and 4 secondary HSRP group numbers in the INIT states and unknown under every other column.


Router 1:

interface FastEthernet0/0

ip address 192.168.1.131 255.255.255.0 secondary
ip address 192.168.1.134 255.255.255.0 secondary

ip address 192.168.1.137 255.255.255.0 secondary
ip address 192.168.1.151 255.255.255.0

standby delay minimum 30 reload 60

standby 1 ip 192.168.1.150

standby 1 timers 1 5

standby 1 name vpnout

standby 1 track FastEthernet3/0

standby 2 ip 192.168.1.130 secondary

standby 2 timers 1 5

standby 2 track FastEthernet3/0

standby 3 ip 192.168.1.133 secondary

standby 3 timers 1 5

standby 3 track FastEthernet3/0

standby 4 ip 192.168.1.136 secondary

standby 4 timers 1 5

standby 4 track FastEthernet3/0

crypto map vpnmap redundancy vpnout stateful


crypto map vpnmap redundancy replay-interval inbound 10 outbound 1000



Router 2:

interface FastEthernet0/0

ip address 192.168.1.132 255.255.255.0 secondary
ip address 192.168.1.135 255.255.255.0 secondary

ip address 192.168.1.138 255.255.255.0 secondary
ip address 192.168.1.152 255.255.255.0

standby delay minimum 30 reload 60

standby 1 ip 192.168.1.150

standby 1 timers 1 5

standby 1 name vpnout

standby 1 track FastEthernet3/0

standby 2 ip 192.168.1.130 secondary

standby 2 timers 1 5

standby 2 track FastEthernet3/0

standby 3 ip 192.168.1.133 secondary

standby 3 timers 1 5

standby 3 track FastEthernet3/0

standby 4 ip 192.168.1.136 secondary

standby 4 timers 1 5

standby 4 track FastEthernet3/0

crypto map vpnmap redundancy vpnout stateful


crypto map vpnmap redundancy replay-interval inbound 10 outbound 1000






Thanks in advance for any insight you can provide.





  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 4 (2 ratings)
Loading.
dhananjay95929 Mon, 08/26/2013 - 17:04
User Badges:

The following is shown under "show standby" and "show standby brief" commands for Group 2:


FastEthernet0/0 - Group 2

State is Init

Virtual IP address is unknown

Secondary virtual IP address 192.168.1.130

Active virtual MAC address is unknown

Local virtual MAC address is 0000.0c07.ac02 (v1 default)

Hello time 1 sec, hold time 5 sec

Preemption disabled

Active router is unknown

Standby router is unknown

Priority 100 (default 100)

Track interface FastEthernet3/0 state Up decrement 10

Group name is "hsrp-Gi0/0-9" (default)



Interface Grp Pri P    State   Active  Standby Virtual IP

Fa0/0      2  100 Init unknown unknown unknown

InayathUlla Sharieff Mon, 08/26/2013 - 21:51
User Badges:
  • Cisco Employee,

Dhananjay,

Its working fine for me.


show standby:



                     |

Interface   Grp  Pri P State   Active          Standby         Virtual IP

Fa0/0       1    100   Active  local           192.168.1.152   192.168.1.150

Fa0/0       2    100   Init    unknown         unknown         unknown

Fa0/0       3    100   Init    unknown         unknown         unknown

Fa0/0       4    100   Init    unknown         unknown         unknown

R1#sh standby

FastEthernet0/0 - Group 1

  State is Active

    2 state changes, last state change 00:01:20

  Virtual IP address is 192.168.1.150

  Active virtual MAC address is 0000.0c07.ac01

    Local virtual MAC address is 0000.0c07.ac01 (v1 default)

  Hello time 1 sec, hold time 5 sec

    Next hello sent in 0.616 secs

  Preemption disabled

  Active router is local

  Standby router is 192.168.1.152, priority 100 (expires in 4.188 sec)

  Priority 100 (default 100)

  Group name is "vpnout" (cfgd)

FastEthernet0/0 - Group 2

  State is Init

  Virtual IP address is unknown

    Secondary virtual IP address 192.168.1.130

  Active virtual MAC address is unknown

    Local virtual MAC address is 0000.0c07.ac02 (v1 default)

  Hello time 1 sec, hold time 5 sec

  Preemption disabled

  Active router is unknown

  Standby router is unknown

  Priority 100 (default 100)

  Group name is "hsrp-Fa0/0-2" (default)

FastEthernet0/0 - Group 3

  State is Init

  Virtual IP address is unknown

    Secondary virtual IP address 192.168.1.133

  Active virtual MAC address is unknown

    Local virtual MAC address is 0000.0c07.ac03 (v1 default)

  Hello time 1 sec, hold time 5 sec

  Preemption disabled

  Active router is unknown

  Standby router is unknown

  Priority 100 (default 100)

  Group name is "hsrp-Fa0/0-3" (default)

FastEthernet0/0 - Group 4

  State is Init

  Virtual IP address is unknown

    Secondary virtual IP address 192.168.1.136

  Active virtual MAC address is unknown

    Local virtual MAC address is 0000.0c07.ac04 (v1 default)

  Hello time 1 sec, hold time 5 sec

  Preemption disabled

  Active router is unknown

  Standby router is unknown

  Priority 100 (default 100)

  Group name is "hsrp-Fa0/0-4" (default)

R1#



HTH

Regards

Inayath

dhananjay95929 Tue, 08/27/2013 - 08:45
User Badges:

Do you know why the output shows as "unknown" under the Active, Standby and Virtual IP columns and State as "init" ?


Thanks!

dhananjay95929 Tue, 09/03/2013 - 21:07
User Badges:

I [think] that I figured this out finally. If any one has any thoughts or objections please respond.


There are two ways this can be achieved.


1. Create a secondary standby IP address in the same standby group as the primary standby IP address using the "standby [Primary Grp Num] ip [A.B.C.D] secondary" command.


OR


2. Create a new standby group and specify a standby IP address without the secondary keyword.


There is no need for two additional secondary IP addresses on each router's interface as required for the primary. You can just specify the "standby ip [A.B.C.D] secondary" command where A.B.C.D = secondary standby IP address and let the HSRP process use the interface's primary IP addresses for determining the active and standby routers.


You may configure like this:


For Case 1:


Router 1:

interface FastEthernet0/0

ip address 192.168.1.131 255.255.255.0 secondary [can exclude this statement]
ip address 192.168.1.134 255.255.255.0 secondary [can exclude this statement]

ip address 192.168.1.137 255.255.255.0 secondary [can exclude this statement]
ip address 192.168.1.151 255.255.255.0

standby delay minimum 30 reload 60

standby 1 ip 192.168.1.150

standby 1 timers 1 5

standby 1 name vpnout

standby 1 track FastEthernet3/0

standby 1 ip 192.168.1.130 secondary

standby 1 timers 1 5

standby 1 track FastEthernet3/0

standby 1 ip 192.168.1.133 secondary

standby 1 timers 1 5

standby 1 track FastEthernet3/0

standby 1 ip 192.168.1.136 secondary

standby 1 timers 1 5

standby 1 track FastEthernet3/0

crypto map vpnmap redundancy vpnout stateful


Router 2:

interface FastEthernet0/0

ip address 192.168.1.132 255.255.255.0 secondary [can exclude this statement]
ip address 192.168.1.135 255.255.255.0 secondary [can exclude this statement]

ip address 192.168.1.138 255.255.255.0 secondary [can exclude this statement]
ip address 192.168.1.152 255.255.255.0

standby delay minimum 30 reload 60

standby 1 ip 192.168.1.150

standby 1 timers 1 5

standby 1 name vpnout

standby 1 track FastEthernet3/0

standby 1 ip 192.168.1.130 secondary

standby 1 timers 1 5

standby 1 track FastEthernet3/0

standby 1 ip 192.168.1.133 secondary

standby 1 timers 1 5

standby 1 track FastEthernet3/0

standby 1 ip 192.168.1.136 secondary

standby 1 timers 1 5

standby 1 track FastEthernet3/0

crypto map vpnmap redundancy vpnout stateful




For Case 2:


Router 1:

interface FastEthernet0/0

ip address 192.168.1.131 255.255.255.0 secondary [can exclude this statement]
ip address 192.168.1.134 255.255.255.0 secondary [can exclude this statement]

ip address 192.168.1.137 255.255.255.0 secondary [can exclude this statement]
ip address 192.168.1.151 255.255.255.0

standby delay minimum 30 reload 60

standby 1 ip 192.168.1.150

standby 1 timers 1 5

standby 1 name vpnout

standby 1 track FastEthernet3/0

standby 2 ip 192.168.1.130

standby 2 timers 1 5

standby 2 track FastEthernet3/0

standby 3 ip 192.168.1.133

standby 3 timers 1 5

standby 3 track FastEthernet3/0

standby 4 ip 192.168.1.136

standby 4 timers 1 5

standby 4 track FastEthernet3/0

crypto map vpnmap redundancy vpnout stateful


Router 2:

interface FastEthernet0/0

ip address 192.168.1.132 255.255.255.0 secondary [can exclude this statement]
ip address 192.168.1.135 255.255.255.0 secondary [can exclude this statement]

ip address 192.168.1.138 255.255.255.0 secondary [can exclude this statement]
ip address 192.168.1.152 255.255.255.0

standby delay minimum 30 reload 60

standby 1 ip 192.168.1.150

standby 1 timers 1 5

standby 1 name vpnout

standby 1 track FastEthernet3/0

standby 2 ip 192.168.1.130

standby 2 timers 1 5

standby 2 track FastEthernet3/0

standby 3 ip 192.168.1.133

standby 3 timers 1 5

standby 3 track FastEthernet3/0

standby 4 ip 192.168.1.136

standby 4 timers 1 5

standby 4 track FastEthernet3/0

crypto map vpnmap redundancy vpnout stateful



Actions

This Discussion