HSRP with two virtual IP address on the same subnet

caminantedevida
Level 1

Hello everyone,

 

Does someone know if it is possible to have 4 routers connected via a switch on the same /27 subnet and have 2 routers doing HSRP and the other 2 routers doing HSRP with the same IP address subnet?

Example:

RT01-Internet: 121.242.175.226/27    Virtual HSRP IP: 121.242.175.225
RT02-Internet: 121.242.175.227/27

SWITCH

RT01-VPN: 121.242.175.229/27    Virtual HSRP IP: 121.242.175.228
RT02-VPN: 121.242.175.230/27

I am introducing new backup Internet and VPN routers. The Internet router currently uses 121.242.175.225 and I want to convert this IP to a virtual HSRP IP so all of the LAN will use this IP to go towards the Internet.

Also, I want to keep the IP address of the VPN router so I do not need to change the public destination IP address of the remote VPN tunnels. If the primary VPN router fails, then the backup VPN router will use the same public IP as a source address.

Regards.

Fabian Alvarado.

 


Jaderson Pessoa
VIP Alumni

@caminantedevida Hello,

Yes, you can do it using different groups under HSRP, for example:

RT01-INTERNET:
interface g0/0
ip address 121.242.175.226 255.255.255.224
standby 10 ip 121.242.175.225
standby 10 timers 1 3
standby 10 priority 120
standby 10 preempt

RT02-INTERNET:
interface g0/0
ip address 121.242.175.227 255.255.255.224
standby 10 ip 172.17.136.1
standby 10 timers 1 3
standby 10 priority 120
standby 10 preempt

RT01-VPN:
interface g0/0
ip address 121.242.175.229 255.255.255.224
standby 20 ip 121.242.175.228
standby 20 timers 1 3
standby 20 priority 120
standby 20 preempt

RT02-VPN:
interface g0/0
ip address 121.242.175.230 255.255.255.224
standby 20 ip 121.242.175.228
standby 20 timers 1 3
standby 20 priority 120
standby 20 preempt

You can also use a password between peers to get more security.

 

Regards,

Jaderson Pessoa
*** Rate All Helpful Responses ***
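
Added example (not from any poster in the thread): a short Python check over HSRP interface snippets like the ones posted above. It flags a virtual IP outside the interface subnet, peers in one group that disagree on the virtual IP, equal priorities, and groups with no `standby <group> authentication md5` line. `CONFIGS`, `parse` and `audit` are names made up for this example, and it assumes one interface per snippet and a `standby <group> ip` line for every group.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: the two INTERNET snippets exactly as posted in the thread.
CONFIGS = {
    "RT01-INTERNET": """interface g0/0
ip address 121.242.175.226 255.255.255.224
standby 10 ip 121.242.175.225
standby 10 timers 1 3
standby 10 priority 120
standby 10 preempt""",
    "RT02-INTERNET": """interface g0/0
ip address 121.242.175.227 255.255.255.224
standby 10 ip 172.17.136.1
standby 10 timers 1 3
standby 10 priority 120
standby 10 preempt""",
}

def parse(cfg):
    """Return (interface network, {group: {keyword: args}}) for one snippet."""
    net, groups = None, defaultdict(dict)
    for line in cfg.splitlines():
        w = line.split()
        if w[:2] == ["ip", "address"] and len(w) == 4:
            net = ipaddress.ip_interface(f"{w[2]}/{w[3]}").network
        elif len(w) >= 3 and w[0] == "standby" and w[1].isdigit():
            groups[int(w[1])][w[2]] = w[3:]
    return net, groups

def audit(configs):
    """Compare HSRP peers group by group and return a list of findings."""
    findings, seen = [], defaultdict(list)
    for name, cfg in configs.items():
        net, groups = parse(cfg)
        for gid, s in groups.items():
            vip = ipaddress.ip_address(s["ip"][0])
            if net is None or vip not in net:
                findings.append(f"{name} group {gid}: VIP {vip} outside {net}")
            if s.get("authentication", [""])[0] != "md5":
                findings.append(f"{name} group {gid}: no MD5 authentication")
            seen[gid].append((vip, int(s.get("priority", ["100"])[0])))
    for gid, peers in seen.items():
        if len({vip for vip, _ in peers}) > 1:
            findings.append(f"group {gid}: peers disagree on the virtual IP")
        if len({prio for _, prio in peers}) < len(peers):
            findings.append(f"group {gid}: equal priorities, interface IP decides")
    return findings
```

Calling `audit(CONFIGS)` on the snippets as posted returns five findings, including the mismatched group 10 virtual IP on RT02-INTERNET.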

Hi Jaderson,

 

Thank you!!! That will help me a lot.

 

I am just wondering why the  RT02-INTERNET is : standby 10 ip 172.17.136.1? Can it instead be : standby 10 ip 121.242.175.225?

 

Also, do you know if it is possible to have the HSRP virtual IP as a source of the VPN/GRE tunnels configured like this:

I think with this config the tunnels of the backup VPN router will be down and if the primary VPN router fails, then the tunnel will be re-established on the backup VPN. Is this true?

RT01-VPN
interface Tunnel177
 ip address 172.30.240.178 255.255.255.252
 ....
 tunnel source 121.242.175.226
 tunnel destination 198.178.234.2
 crypto map MBVPN

RT02-VPN
interface Tunnel177
 ip address 172.30.240.178 255.255.255.252
 ....
 tunnel source 121.242.175.226
 tunnel destination 198.178.234.2
 crypto map MBVPN

Thanks in advance.

Fabian.

 

@caminantedevida

I am just wondering why the RT02-INTERNET is : standby 10 ip 172.17.136.1? Can it instead be : standby 10 ip 121.242.175.225?

R: Yes man, I wrote it wrong hahah... the correct address is: 121.242.175.225

Also, do you know if it is possible to have the HSRP virtual IP as a source of the VPN/GRE tunnels configured like this:

I think with this config the tunnels of the backup VPN router will be down and if the primary VPN router fails, then the tunnel will be re-established on the backup VPN. Is this true?

R: Yes, it is true... don't forget to configure the correct priority under HSRP so the correct router works as active; a higher priority is better to be active. It is also necessary to configure the crypto map on both routers.

Regards,

Please mark as solved and helpful all posts that helped you. It will help other users that have the same doubt.

Jaderson Pessoa
*** Rate All Helpful Responses ***

Richard Burts
Hall of Fame

Fabian asks a question about having 4 routers in a subnet all running HSRP. @Jaderson Pessoa correctly says yes this is possible and suggests a solution with 2 HSRP groups. I agree that this is possible. But I am not sure that it will be an effective solution for what Fabian wants to achieve. If I am understanding the original post correctly he wants to achieve failover for traffic going to the Internet and also achieve failover for traffic going to VPN. I do not see how 2 HSRP groups will achieve this. Using 2 HSRP groups will result in one set of PCs using 225 as their default gateway while another set of PCs will use 228 as their default gateway. How will it work if a PC using 225 as its gateway wants to send VPN traffic? Or how will it work if a PC using 228 as its gateway wants to send traffic to the Internet?

 

It seems to me that HSRP for Internet access is a good step. I am not sure that HSRP for VPN would be effective. I would suggest that a better solution for VPN is some routing logic that sends traffic for VPN to one or both of the VPN routers. Providing a primary/active router for VPN and a backup/standby router could be achieved by a dynamic routing protocol that detects which router has the best path to the VPN peers.

As a follow up Fabian asks "Also, do you know if it is possible to have the HSRP virtual IP as a source of the VPN/GRE tunnels configured like this:". In my experience it is not possible to have HSRP as the source of a VPN/GRE tunnel. I would also point out that the HSRP he is suggesting is for the interface connecting to the users. The source of a VPN/GRE tunnel is usually the outbound interface and not the interface connecting to users.

HTH

Rick

Hi Rick,

Thank you for your answer. The virtual IP of the VPN routers is not a gateway for internal PCs. This IP will be the destination IP address of the remote tunnels, so they will try to reach the VPN virtual IP. This means tunnel traffic will come from the Internet and then the Internet router will forward the packet to 121.242.175.226 (virtual IP of the active VPN router).

The virtual IP of the Internet routers will be the gateway for LAN devices that want to go to the Internet; this is in-out traffic and the VPN one is out-in.

With this information, do you think it is possible? I can provide more info.

Thanks in advance.

Fabian.

This is what I understood... and it works; I have implemented many site-to-site VPNs using a VIP for high availability.
Jaderson Pessoa
*** Rate All Helpful Responses ***

Thank you Jaderson Pessoa!!!

You are a machine!!! Thanks for the answer.
