01-10-2020 03:00 AM
Hello everyone,
Does someone know if it is possible to have 4 routers connected via a switch on the same subnet /27 and have 2 routers doing HSRP and the other 2 routers doing HSRP with the same IP address subnets?
Example:
RT01-Internet: 121.242.175.226/27, virtual HSRP IP: 121.242.175.225
RT02-Internet: 121.242.175.227/27
SWITCH
RT01-VPN: 121.242.175.229/27, virtual HSRP IP: 121.242.175.228
RT02-VPN: 121.242.175.230/27
I am introducing new backup Internet and VPN routers. The Internet router currently uses 121.242.175.225 and I want to convert this IP to the virtual HSRP IP so all of the LAN will use this IP to go towards the Internet.
Also, I want to keep the IP address of the VPN router so I do not need to change the public destination IP address of the remote VPN tunnels. If the primary VPN router fails, then the backup VPN router will use the same public IP as a source address.
Regards.
Fabian Alvarado.
01-11-2020 10:45 AM
Fabian asks a question about having 4 routers in a subnet all running HSRP. @Jaderson Pessoa correctly says yes this is possible and suggests a solution with 2 HSRP groups. I agree that this is possible. But I am not sure that it will be an effective solution for what Fabian wants to achieve. If I am understanding the original post correctly he wants to achieve failover for traffic going to the Internet and also achieve failover for traffic going to VPN. I do not see how 2 HSRP groups will achieve this. Using 2 HSRP groups will result in one set of PCs using 225 as their default gateway while another set of PCs will use 228 as their default gateway. How will it work if a PC using 225 as its gateway wants to send VPN traffic? Or how will it work if a PC using 228 as its gateway wants to send traffic to the Internet?
It seems to me that HSRP for Internet access is a good step. I am not sure that HSRP for VPN would be effective. I would suggest that a better solution for VPN is some routing logic that sends traffic for VPN to one or both of the VPN routers. Providing a primary/active router for VPN and a backup/standby router could be achieved by a dynamic routing protocol that detects which router has the best path to the VPN peers.
As a follow-up Fabian asks "Also, do you know if it is possible to have the HSRP virtual IP as a source of the VPN/GRE tunnels configured like this:". In my experience it is not possible to have HSRP as the source of a VPN/GRE tunnel. I would also point out that the HSRP he is suggesting is for the interface connecting to the users. The source of a VPN/GRE tunnel is usually the outbound interface and not the interface connecting to users.
HTH
Rick
01-14-2020 06:00 AM
01-10-2020 04:01 AM - edited 01-10-2020 04:03 AM
@caminantedevida Hello,
Yes, you can do it using different groups under HSRP, for example:
RT01-INTERNET:
interface g0/0
ip address 121.242.175.226 255.255.255.224
standby 10 ip 121.242.175.225
standby 10 timers 1 3
standby 10 priority 120
standby 10 preempt
RT02-INTERNET:
interface g0/0
ip address 121.242.175.227 255.255.255.224
standby 10 ip 172.17.136.1
standby 10 timers 1 3
standby 10 priority 120
standby 10 preempt
RT01-VPN:
interface g0/0
ip address 121.242.175.229 255.255.255.224
standby 20 ip 121.242.175.228
standby 20 timers 1 3
standby 20 priority 120
standby 20 preempt
RT02-VPN:
interface g0/0
ip address 121.242.175.230 255.255.255.224
standby 20 ip 121.242.175.228
standby 20 timers 1 3
standby 20 priority 120
standby 20 preempt
You can also use a password between peers to get more security.
Regards,
01-10-2020 10:34 AM
Hi Jaderson,
Thank you!!! That will help me a lot.
I am just wondering why the RT02-INTERNET is: standby 10 ip 172.17.136.1? Can it instead be: standby 10 ip 121.242.175.225?
Also, do you know if it is possible to have the HSRP virtual IP as a source of the VPN/GRE tunnels configured like this:
I think with this config the tunnels of the backup VPN router will be down, and if the primary VPN router fails, then the tunnel will be re-established on the backup VPN router. Is this true?
RT01-VPN
interface Tunnel177
ip address 172.30.240.178 255.255.255.252
....
tunnel source 121.242.175.226
tunnel destination 198.178.234.2
crypto map MBVPN
RT02-VPN
interface Tunnel177
ip address 172.30.240.178 255.255.255.252
....
tunnel source 121.242.175.226
tunnel destination 198.178.234.2
crypto map MBVPN
Thanks in advance.
Fabian.
01-10-2020 11:15 AM - edited 01-10-2020 11:19 AM
I am just wondering why the RT02-INTERNET is: standby 10 ip 172.17.136.1? Can it instead be: standby 10 ip 121.242.175.225?
R: Yes man, I wrote it wrong, hahah... the correct address is: 121.242.175.225
Also, do you know if it is possible to have the HSRP virtual IP as a source of the VPN/GRE tunnels configured like this:
I think with this config the tunnels of the backup VPN router will be down, and if the primary VPN router fails, then the tunnel will be re-established on the backup VPN router. Is this true?
R: Yes, it is true... don't forget to configure the correct priority under HSRP so that the correct router works as active (higher priority is better to be active). It is also necessary to configure the crypto map on both routers.
Regards,
Please mark as solved and helpful all posts that helped you. It will help other users having the same doubt.
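An added example, not part of any post in this thread: a small Python lint for HSRP interface snippets that flags the issues raised above (peers whose standby IP differs or falls outside the interface subnet, equal priorities, and no peer authentication). The `NAME:` section headers, the function names and the sample text are assumptions, constructed from the Internet-pair configuration as first posted.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample: the Internet pair as first posted in this thread.
SAMPLE = """\
RT01-INTERNET:
 ip address 121.242.175.226 255.255.255.224
 standby 10 ip 121.242.175.225
 standby 10 priority 120
RT02-INTERNET:
 ip address 121.242.175.227 255.255.255.224
 standby 10 ip 172.17.136.1
 standby 10 priority 120
"""

def parse(text):
    """Return ({group: {router: settings}}, {router: subnet})."""
    groups, nets, name = defaultdict(dict), {}, None
    for line in map(str.strip, text.splitlines()):
        if m := re.fullmatch(r"(\S+):", line):  # assumed "NAME:" section header
            name = m.group(1)
        elif m := re.fullmatch(r"ip address (\S+) (\S+)", line):
            nets[name] = ipaddress.ip_interface("/".join(m.groups())).network
        elif m := re.fullmatch(r"standby (\d+) (ip|priority|authentication) (.+)", line):
            groups[int(m.group(1))].setdefault(name, {})[m.group(2)] = m.group(3)
    return groups, nets

def audit(text):
    """Return a list of findings, one string per problem."""
    groups, nets = parse(text)
    out = []
    for gid, members in sorted(groups.items()):
        vips = {r: cfg.get("ip") for r, cfg in members.items()}
        if len(set(vips.values())) > 1:
            out.append(f"group {gid}: peers disagree on virtual IP {sorted(map(str, vips.values()))}")
        for r, vip in vips.items():
            if vip and r in nets and ipaddress.ip_address(vip) not in nets[r]:
                out.append(f"group {gid}: {r} virtual IP {vip} is outside {nets[r]}")
        # IOS uses priority 100 when none is configured.
        prios = {int(cfg.get("priority", 100)) for cfg in members.values()}
        if len(members) > 1 and len(prios) == 1:
            out.append(f"group {gid}: every peer has priority {prios.pop()}")
        out += [f"group {gid}: {r} has no standby authentication"
                for r, cfg in members.items() if "authentication" not in cfg]
    return out

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

On the sample it reports five findings; a pair with a shared in-subnet virtual IP, distinct priorities and a `standby 10 authentication md5 key-string ...` line on each peer reports none.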
01-14-2020 05:27 AM
Hi Rick,
Thank you for your answer. The virtual IP of the VPN routers is not a gateway for internal PCs. This IP will be the destination IP address of the remote tunnels, so they will try to reach the VPN virtual IP. This means tunnel traffic will come from the Internet and then the Internet router will forward the packet to 121.242.175.226 (virtual IP of the active VPN router).
The virtual IP of the Internet routers will be the gateway for LAN devices that want to go to the Internet; this is in-out traffic and the VPN one is out-in.
With this information, do you think it is possible? I can provide more info.
Thanks in advance.
Fabian.
01-14-2020 05:30 AM
Hi Rick
Thank you for your answer. The virtual IP of the VPN routers is not a gateway for internal PCs. This IP will be the destination IP address of the remote tunnels, so they will try to reach the VPN virtual IP. This means tunnel traffic will come from the Internet and then the Internet router will forward the packet to 121.242.175.226 (virtual IP of the active VPN router).
The virtual IP of the Internet routers will be the gateway for LAN devices that want to go to the Internet; this is in-out traffic and the VPN one is out-in.
With this information, do you think it is possible? I can provide more info.
Thanks in advance.
Fabian.
01-14-2020 06:00 AM
01-14-2020 07:08 AM