Currently I have a 7200 Series Router configured in a point to point connection with my ISP's Juniper router. I have another 7200 router with the same config turned off waiting in case the primary fails.
I would like to make use of the offline router and configure them both using HSRP.
The problem: The running router cannot go offline.
Is it possible to configure HSRP on both routers with minimal or no down time? I realize I will have to make the current IP in the point to point connection the Virtual IP.
The Layout: I have only one 100 Mbps Ethernet connection into the router from the ISP.
Can I put this connection into a switch, configure the two routers for HSRP, and connect the routers into the switch (below)? Both router will have the same default route of the ISP's Juniper Router.
| 100 Mbps Ethernet
Gigabit switch with no other cables besides the three
Yes, of course you can do that, and it will be better to leave the default timers for HSRP, which are a 10 second hold timer and a 3 second hello timer. In this situation you will face a maximum down time of 10 seconds only.
The problem will be if your LAN interface goes down: users connecting to the LAN will still try to reach their gateway, which is down. So it will be good to run HSRP on the LAN side also and have the users use the virtual IP on your LAN as their gateway.
HSRP on the interface to the ISP is an interesting idea and may be feasible if the interface is a LAN interface. So if the interface from the ISP is 100 Mb Ethernet, it would seem feasible to connect through a switch and run HSRP.
One constraint to consider is the address space that is available. To run HSRP you will need 3 addresses on your end (an address for rtr1, an address for rtr2, and the shared address). The original post referred to the connection as point to point. If the provider assigned address has a /30 mask then only 1 address is available on the customer end and HSRP is not feasible. If the mask is /29 (or anything smaller) then there should be enough addresses and HSRP may be feasible.
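The two points made in this reply (the /30 versus /29 address budget, and the default 3 second hello / 10 second hold timers) can be checked and turned into configuration mechanically. The following is an added example, not code from the thread or from Cisco; it uses Python's standard `ipaddress` module to count what the provider prefix leaves for the customer side and then renders an illustrative IOS HSRP configuration for both 7200s. All addresses (203.0.113.0/29 toward the ISP, 198.51.100.0/24 on the LAN), interface names, group numbers and the authentication key string are constructed placeholders; the `standby` commands shown are standard IOS syntax.

```python
import ipaddress

# Addresses an HSRP pair needs on one shared segment: one real address per
# router plus the shared virtual address that the far end points at.
HSRP_ADDRESSES_NEEDED = 3


def hsrp_address_check(prefix, provider_addresses=1):
    """Count usable addresses in the provider-assigned prefix, subtract what
    the provider's own interface uses, and decide whether enough remain for
    rtr1, rtr2 and the virtual IP."""
    net = ipaddress.ip_network(prefix, strict=False)
    if net.prefixlen == 31:            # RFC 3021 point-to-point: no net/bcast
        usable = 2
    else:
        usable = max(net.num_addresses - 2, 0)
    customer_usable = usable - provider_addresses
    return {
        "prefix": str(net),
        "usable": usable,
        "customer_usable": customer_usable,
        "hsrp_feasible": customer_usable >= HSRP_ADDRESSES_NEEDED,
    }


def hsrp_interface_block(interface, address, prefix, group, vip, priority,
                         key_string="CHANGE-ME", hello=3, hold=10):
    """IOS lines for one HSRP-enabled interface. The timers are the IOS
    defaults (hello 3 s, hold 10 s) written out so the worst-case failover
    of one hold time is visible in the config. The md5 key string is a
    placeholder; it keeps a stray device from joining the standby group."""
    net = ipaddress.ip_network(prefix, strict=False)
    return [
        f"interface {interface}",
        f" ip address {address} {net.netmask}",
        f" standby {group} ip {vip}",
        f" standby {group} priority {priority}",
        f" standby {group} preempt",
        f" standby {group} timers {hello} {hold}",
        f" standby {group} authentication md5 key-string {key_string}",
    ]


def render_router(hostname, ext, lan, primary=True):
    """Config for one of the two 7200s. `ext` and `lan` carry interface,
    address, prefix and vip keys; the primary gets the higher priority so
    it holds the active role whenever both routers are up."""
    prio = 110 if primary else 100
    lines = [f"hostname {hostname}", "!"]
    lines += hsrp_interface_block(ext["interface"], ext["address"],
                                  ext["prefix"], 1, ext["vip"], prio)
    lines.append("!")
    lines += hsrp_interface_block(lan["interface"], lan["address"],
                                  lan["prefix"], 2, lan["vip"], prio)
    lines.append("!")
    # Both routers keep the same default route toward the ISP's router.
    lines.append(f"ip route 0.0.0.0 0.0.0.0 {ext['next_hop']}")
    return lines


# Constructed sample addressing (documentation ranges, not real assignments).
# The current router's ISP-facing address becomes the virtual IP, as the
# original poster intended; rtr1/rtr2 get new real addresses.
EXT = {"interface": "FastEthernet0/0", "prefix": "203.0.113.0/29",
       "vip": "203.0.113.2", "next_hop": "203.0.113.1"}
LAN = {"interface": "GigabitEthernet0/1", "prefix": "198.51.100.0/24",
       "vip": "198.51.100.1"}


def example_configs():
    """Return (rtr1_lines, rtr2_lines) for the constructed sample layout."""
    r1 = render_router("rtr1", {**EXT, "address": "203.0.113.3"},
                       {**LAN, "address": "198.51.100.2"}, primary=True)
    r2 = render_router("rtr2", {**EXT, "address": "203.0.113.4"},
                       {**LAN, "address": "198.51.100.3"}, primary=False)
    return r1, r2


if __name__ == "__main__":
    print(hsrp_address_check("203.0.113.0/30"))   # 1 customer address: no
    print(hsrp_address_check(EXT["prefix"]))      # 5 customer addresses: yes
    for cfg in example_configs():
        print("\n".join(cfg), "\n")
```

Running it shows the /30 case failing the check with a single customer-side address and the /29 case passing with five, then prints the two router configurations. The priority gap (110 versus 100) plus `preempt` is what makes the original router resume the active role after it comes back, which matters when the second 7200 is meant only as the standby.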
So, configure HSRP on both internal and external interfaces?
What about down time? I will have to reassign the interface IP address and make the gateway address (internal) the virtual IP. Will the router send out a gratuitous ARP to notify the firewall behind it of the MAC change?
Whether HSRP makes good sense on the internal interfaces depends on what is connected on the internal interfaces (is it a firewall, is it other routers, is it a switch, etc), what the network topology is like, whether there is dynamic routing for the internal network or is it statically routed, and probably some other things.
Remember that HSRP is essentially a mechanism to provide redundancy at layer 2 (two layer 2 devices share a single layer 3 address). Its primary purpose was to provide failover capability for end stations on a LAN that have a single default gateway. It can also be useful when there is static routing to a single next hop address and you want redundancy for that address.
So tell us a bit more about what the internal network is like and we may have better answers about whether HSRP would be advised on the internal interface.
As far as down time is concerned, I do not see any way to have no down time. You will have to disconnect the existing connection, connect the ISP link to the switch, connect the switch to the pair of 7200 routers. That will produce some down time. There are some things that you can do to minimize the down time: you can configure the switch ahead of time and get it into position; you can change the configuration of the second 7200 and have it in position ready to go. But I think there will be down time for changing the connection, and for changing the configuration of the primary 7200.
Currently we use static routes. There are two networks behind two firewalls and they are both connected into a 'DMZ' switch. The router is also plugged into the 'DMZ' switch. All the devices in the 'DMZ' are configured with public IPs, all of which have a default gateway of the router. I am fortunate that I am moving into a new COLO and get to design the new network. I am trying to go with the Cisco hierarchical design (Core, Distribution, Access) model.
I understand your view on the down time. If everything is set up beforehand I should be able to move a few cables and change the IP address of the interface on the primary and be good to go.
My next question is what to place below the HSRP routers. If I go with a single switch it's easy. I won't have to change anything. Or do I go with two switches, each one connected to the Ethernet interface of each router? See attachment. This way I could connect the individual networks (adding two more) below each switch on the bottom row. Each switch represents a different network behind a firewall. The problem here, which I haven't worked out yet, is if one of these switches fails the particular network is offline until a spare is put online. However, right now if I lose the DMZ switch mentioned above I lose all connectivity. I hope this makes sense. I didn't mean to get off track, but I am starting at the top and working my way down to the access layer and one depends on the next.
If your internal network connections to the 7200(s) are based on static routes then it probably makes good sense to configure HSRP on both the external and internal interfaces of the 7200s.
The question of whether to connect the 7200s to a single switch or to a pair of switches (which would need to be trunked together) is an interesting question. In answering this question you will need to consider the benefits of having redundant hardware in the switches compared to the added risk of having additional devices (and additional potential points of failure), and the differences in complexity that dual switches introduce against the added protection that having redundant switches would provide.