Gurus please verify this concept and let me know if it will work. Propose any other ideas you may have.
I have a router with a dual-homed connection to two different ISPs. We're receiving default routes and doing equal-cost load balancing using the Cisco hidden command. So both ISPs need to be on the router.
I need to set up a second router as a cold standby in case the main router goes bad, meaning it totally loses power. The main router will be etherchanneled to each core eventually when we start to do VSS. So I'll be covered there in case we need to take a core switch down for maintenance.
On R1 main
1. Etherchannel the main router ports to each core, which are running VSS.
2. HSRP on the LAN side port-channel interface. In that scenario, because of etherchannel, the connection will never switch to the standby router unless both physical interfaces are down.
On R2 failover
1. No etherchannel. One interface will be LAN with HSRP and the other will be WAN, trunked.
2. Administratively shut down the switchport going to the WAN interface, so I won't have a duplicate address condition with R1 above. The WAN interfaces on both routers will be configured exactly the same.
3. If an HSRP failover occurs and the standby router becomes active, it needs to do a no shut on the WAN interface in order to activate the WAN interfaces going to the ISPs.
Can this be done with interface tracking? Is there any better way of doing this?
Will the users notice internet outage downtime when this is taking place?
Is there any way to schedule a failover automatically, like every 6 months, to make sure everything with the secondary router is OK?
Thank you in advance for your assistance.
In my view, you would rather automate the load sharing and failover instead of having a cold standby router.
Presuming you are running eBGP with both ISPs using a private ASN:
ISP1 to R1 and ISP2 to R2, and interlink R1 and R2 on the LAN.
Run eBGP to ISP1 on R1 and eBGP to ISP2 on R2,
iBGP between R1 and R2.
There is a command maximum-path eibgp to load share traffic using eBGP and iBGP learned routes.
I see an important point of attention here.
>> The WAN interfaces on both routers will be configured exactly the same.
If the WAN interfaces are LAN interfaces and the standby router has the same IP address as the primary router, the switchover to the secondary involves the ARP tables of the ISPs' devices.
As long as the ISP devices have the old ARP entry, no communication is possible with the just-inserted standby router, and this would cause an extended out-of-service period.
So if you really want to implement a redundancy strategy like this you should:
- use an HSRP group also on the WAN interfaces of both primary and standby routers
- have the eBGP sessions terminated on the WAN side HSRP VIP address
- have the WAN side HSRP group track the state of the LAN side HSRP group and vice versa.
HSRP solves the ARP issue because:
- the HSRP VIP for a group uses a well-defined MAC address
- in case of an HSRP state change, the new active router sends out a gratuitous ARP and uses the same IP address and the SAME MAC address as the previous active router -> no need to change the ARP entry on the ISP devices.
If NAT is part of the tasks performed by your routers, the stateful NAT feature can be the right feature to use in this scenario, as it performs the points described above in addition to maintaining a list of NAT translations on both devices.
Also, the WAN side interface of the standby router could be in operational mode instead of being kept in shutdown.
Hope to help
Thanks for replying. I like the idea of leaving the WAN links up on the standby router. I need some clarification on the ARP issue you mentioned.
Let's say the traffic from the LAN side is on VLAN 5, and the WAN traffic, one VLAN for each ISP, is on 10 and 20.
Just to make sure I'm understanding right: HSRP will only activate the standby router if the etherchannel is down. Such an event would bring all 3 VLANs down and go to the standby router.
Are you saying that besides the LAN standby address for VLAN 5, I create 2 other standby addresses for VLANs 10 and 20, use that address as my ISPs' peer/neighbor address, and leave all interfaces up on the standby router?
Do I need to do interface tracking if I'm doing etherchannel for all 3 VLANs on the main router?
>> Are you saying that besides the LAN standby address for VLAN 5, I create 2 other standby addresses for VLANs 10 and 20, use that address as my ISPs' peer/neighbor address, and leave all interfaces up on the standby router?
Yes, this is the idea: terminate the BGP sessions on the HSRP VIP for the WAN facing VLANs 10 and 20. In this way, in case of switchover, the ISP devices' ARP tables are correct also after the switchover, as the MAC address does not change.
And the ISP devices are not under your control, so there is no script that can cause them to refresh their ARP table when you perform the switchover.
>> Do I need to do interface tracking if I'm doing etherchannel for all 3 VLANs on the main router?
Yes, you need to track the state of the etherchannel on all HSRP groups if all 3 VLANs are indeed VLAN-based subinterfaces of the port-channel interface (L3 port-channel with subinterfaces, if I have understood correctly).
Hope to help
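A concrete rendering of the design discussed in this thread, added here as an example and not configuration posted by any participant or taken from Cisco documentation: HSRP groups on the VLAN 5/10/20 subinterfaces of R1's L3 port-channel, every group tracking the port-channel, and the standby R2 cross-tracking its separate LAN and WAN interfaces. The interface names (Port-channel1, GigabitEthernet0/0, GigabitEthernet0/1), priorities and all IP addresses (RFC 5737 documentation ranges) are assumptions.

```cisco
! Added example, not config from the thread: HSRP on the VLAN 5/10/20
! subinterfaces of R1's L3 port-channel, every group tracking the
! port-channel line protocol, and the standby R2 cross-tracking LAN/WAN.
! Port-channel1, the Gig interface names and all IPs (RFC 5737 ranges)
! are assumptions; VLAN 20 on both routers repeats the VLAN 10 pattern.
!
! ----- R1 (main): one tracked object shared by all three HSRP groups -----
track 1 interface Port-channel1 line-protocol
!
interface Port-channel1.5
 encapsulation dot1Q 5
 ip address 192.0.2.2 255.255.255.0
 standby 5 ip 192.0.2.1
 standby 5 priority 110
 standby 5 preempt delay minimum 60
 standby 5 track 1 decrement 20
!
! WAN to ISP1: the ISP peers with the VIP 203.0.113.1, whose HSRPv1
! virtual MAC 0000.0c07.ac0a (group 10 = 0x0a) is identical on R1 and R2,
! so the ISP's ARP entry stays valid across a switchover.
interface Port-channel1.10
 encapsulation dot1Q 10
 ip address 203.0.113.2 255.255.255.248
 standby 10 ip 203.0.113.1
 standby 10 priority 110
 standby 10 preempt delay minimum 60
 standby 10 track 1 decrement 20
!
! ----- R2 (standby): separate LAN and WAN interfaces, so each side -----
! ----- tracks the other; same group numbers and VIPs, lower priority -----
track 2 interface GigabitEthernet0/0 line-protocol
track 3 interface GigabitEthernet0/1 line-protocol
!
interface GigabitEthernet0/0
 ip address 192.0.2.3 255.255.255.0
 standby 5 ip 192.0.2.1
 standby 5 priority 100
 standby 5 preempt
 standby 5 track 3 decrement 20
!
interface GigabitEthernet0/1.10
 encapsulation dot1Q 10
 ip address 203.0.113.3 255.255.255.248
 standby 10 ip 203.0.113.1
 standby 10 priority 100
 standby 10 preempt
 standby 10 track 2 decrement 20
```

When testing a switchover, check `show standby brief` on both routers (R2 should show Active for all three groups) and `show ip bgp summary` on R2; the TCP sessions to the ISPs are torn down and re-established by the new active router, so a short WAN interruption while they come back up is expected.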