my isp assigned me follwoing IPs on single fiber link. currently there is not primary and secondary IPs. currently i am using  50.2.3.14 to my wan link and 50.2.3.49 – 62 and 50.20.7.1 – 62 IPs for NATing to my hosted servers. my ISP routed all traffic coming for 50.2.3.49 – 62 and 50.20.7.1 on 50.2.3.14.  now i want to config HSRP on my WAN link for hardware failover, now i am using 50.2.3.49 on R1 and 50.2.3.50 on R2 and i also setup virtual ip 50.2.3.14. my config as below.

IPs                   Subnet mask                                Gateway

50.2.3.14           255.255.255.252                           50.2.3.13               

50.2.3.49 – 62    255.255.255.240

50.20.7.1 – 62    255.255.255.192

R1

interface FastEthernet0/0/1

ip address 50.2.3.49 255.255.255.240

ip nat outside

ip virtual-reassembly in

standby 1 ip 50.2.3.14

standby 1 ip 50.2.3.51 secondary

standby 1 ip 50.2.3.52 secondary

standby 1 ip 50.2.3.53 secondary

standby 1 ip 50.2.3.54 secondary

standby 1 ip 50.2.3.55 secondary

standby 1 ip 50.2.3.56 secondary

standby 1 ip 50.20.7.1 secondary

standby 1 ip 50.20.7.2 secondary

standby 1 ip 50.20.7.3 secondary

standby 1 ip 50.20.7.4 secondary

R2

interface FastEthernet0/0/1

ip address 50.2.3.50 255.255.255.240

ip nat outside

ip virtual-reassembly in

standby 1 ip 50.2.3.14

standby 1 ip 50.2.3.51 secondary

standby 1 ip 50.2.3.52 secondary

standby 1 ip 50.2.3.53 secondary

standby 1 ip 50.2.3.54 secondary

standby 1 ip 50.2.3.55 secondary

standby 1 ip 50.2.3.56 secondary

standby 1 ip 50.20.7.1 secondary

standby 1 ip 50.20.7.2 secondary

standby 1 ip 50.20.7.3 secondary

standby 1 ip 50.20.7.4 secondary

It makes good sense to have a /30 subnet assigned for the WAN connection to your ISP and to have additional subnets used to NAT for your servers. I can understand that you might want to have hardware redundancy for your WAN connection. If you want that then as I suggested in my previous post the best thing for you is to negotiate with the ISP to have enough addresses in the WAN subnet to do HSRP. Trying to use addresses from your NAT range for HSRP does not make such good sense.

I see what you have posted as interface configuration but have difficulty believing that it is actually configured on an interface. Every version of IOS that I have used would reject this command standby 1 ip 50.2.3.14 as invalid if the standby address were in a subnet different from the interface primary address.

HTH

Rick

if my ISP does not help me in WAN IPs (50.2.3.14/30 to 50.2.3.14/29) then what would be the possible solution. i am using 151-4.M4 IOS. when i try to assign different subnet ip i get %warning “Address is not within a subnet on this interface” and when i run show standby i get 

FastEthernet0/0/1 - Group 1

  State is Init (interface down)

  Virtual IP address is 50.2.3.14 (wrong subnet for this interface)

    Secondary virtual IP address 50.2.3.51

    Secondary virtual IP address 50.2.3.52

    Secondary virtual IP address 50.2.3.53

    Secondary virtual IP address 50.2.3.54

    Secondary virtual IP address 50.2.3.55

    Secondary virtual IP address 50.2.3.56

    Secondary virtual IP address 50.20.7.1 (wrong subnet for this interface)

    Secondary virtual IP address 50.20.7.2 (wrong subnet for this interface)

    Secondary virtual IP address 50.20.7.3 (wrong subnet for this interface)

    Secondary virtual IP address 50.20.7.4 (wrong subnet for this interface)

Firstly when using IPs for NAT you do not need to assign them to an interface. The IPs only need to be routed to your router so you do not need all those secondary IP statements. For the IPs you use for NAT you simply need NAT statements on the router and if using an acl inbound obviously you need to allow the traffic through.

As for the /30 subnet which is used for your connection to the ISP you can't really do anything as Rick has said. You need a /29 if you want to run HSRP. You could either ask your ISP to increase the /30 subnet or negotiate with them for a new /29 subnet. if you use a new subnet both you and the ISP will need to readdress their respective router interfaces.

Jon

You ask "if my ISP does not help me in WAN IPs ". My response is that if your ISP does not help you with WAN IPs then there is not any alternative in which you can run HSRP.

You have asked pretty much this same question in several different ways. Jon and I have attempted to answer them and the answer consistently is that HSRP is not something that you can do on your own. It requires that the ISP route the IP addresses assigned to you with at least a /29 WAN subnet. If the ISP does this then it is possible for you to run HSRP. And if the ISP does not then it is not possible for you to run HSRP.

HTH

Rick

Thank you all, specially Richard who always describe in detail , i am in contact with my ISP and hope for the best.

Finally I got 50.204.25.8/29 subnet IPs from ISP and I have 50.2.3.49 – 62 and 50.20.7.1 – 62.  As I mentioned in my previous post, ISP routed all traffic coming for 50.2.3.49–62 and 50.20.7.1–62 to 50.2.3.14. now they have changed the IP to 50.204.25.10 which is working fine now. Now my question is do I need to use different Standby group id for each subnet or I can use same standby group id for all subnets. Following is my config which I thought is correct. Please let me know if I am wrong. Thanks for all of you.

IPs                              Subnet mask                                Gateway

50.204.25.10           255.255.255.248                           50.204.25.9            

50.2.3.49 – 62        255.255.255.240

50.20.7.1 – 62       255.255.255.192

R1

interface FastEthernet0/0/1

ip address 50.204.25.11 255.255.255.248

ip address 50.2.3.50 255.255.255.240 secondary

ip address 50.20.7.2 255.255.255.192 secondary

ip nat outside

ip virtual-reassembly in

standby 1 ip 50.204.25.10

standby 1 ip 50.204.25.13 secondary

standby 1 ip 50.204.25.14 secondary

standby 2 ip 50.2.3.49

standby 2 ip 50.2.3.52 secondary

standby 2 ip 50.2.3.53 secondary

standby 2 ip 50.2.3.54 secondary

standby 3 ip 50.20.7.1

standby 3 ip 50.20.7.4 secondary

standby 3 ip 50.20.7.5 secondary

standby 3 ip 50.20.7.6 secondary

R2

interface FastEthernet0/0/1

ip address 50.204.25.12 255.255.255.248

ip address 50.2.3.51 255.255.255.240 secondary

ip address 50.20.7.3 255.255.255.192 secondary

ip nat outside

ip virtual-reassembly in

standby 1 ip 50.204.25.10

standby 1 ip 50.204.25.13 secondary

standby 1 ip 50.204.25.14 secondary

standby 2 ip 50.2.3.49

standby 2 ip 50.2.3.52 secondary

standby 2 ip 50.2.3.53 secondary

standby 2 ip 50.2.3.54 secondary

standby 3 ip 50.20.7.1

standby 3 ip 50.20.7.4 secondary

standby 3 ip 50.20.7.5 secondary

standby 3 ip 50.20.7.6 secondary

Perhaps I am still not understanding what you are trying to achieve. But I think that this config is not correct. For one thing you can do the primary address and all of the secondary addresses in a single HSRP group. So I do not see anything that  needs more than one group. Also one of the subnets will be primary and the other subnets will be secondary. But you are configuring an address as primary and then several other addresses within the same subnet as secondary. This is not how it is supposed to be done.

HTH

Rick

I am configuring an IP address (on Interface) and then i am configuring other (same subnet) IPs as secondary in Standby group so that all IPs stay in same MAC address created by HSRP.

Thank you for the explanation of what you are trying to accomplish. I am not certain but I suspect that it will not work. If you are going to try to do this I would suggest that you try configuring it with each IP address in its own HSRP group.

HTH

Rick