04-25-2019 07:18 AM
Greetings,
I would just like to confirm whether HSRP would work with DMVPN on two 4351s acting as the Hub, with two external ISP gateways on each acting as the Primary and secondary internet connections for failover situations.
Cheers,
Orlando
04-25-2019 08:22 AM
Hello,
HSRP for WAN redundancy is not a good idea. For your setup, you would either tweak the routing protocol (EIGRP/OSPF) parameters, or work with clusters.
04-25-2019 09:21 AM
Hi Georg,
Why is it not a good idea?
Our current setup is... We have ISP1 and ISP2 and would like to set up both routers with HSRP for redundancy. For our DMVPN, we have 2 tunnels on each router and our routing protocol is EIGRP.
Router 1:
Tunnel898 - 192.168.151.1 (ISP2)
Tunnel899 - 192.168.251.1 (ISP1)
Router 2:
Tunnel998 - 192.168.152.1 (ISP2)
Tunnel999 - 192.168.252.1 (ISP1)
On our spokes we have all four tunnels configured with EIGRP.
Orlando
04-25-2019 09:35 AM - edited 04-25-2019 09:37 AM
04-25-2019 10:02 AM
Hello,
The problem with HSRP on WAN interfaces is that you probably won't be able to get an IP address from the same address space from two different providers. How are you going to set the standby IP?
04-25-2019 10:10 AM
We have both our ISPs provide us with the following IP addresses:
Router 1:
ISP1:
IP Address: A.B.C.211
Standby IP: A.B.C.210
ISP2:
IP Address: E.F.G.54
Standby IP: E.F.G.53
Router 2:
ISP1:
IP Address: A.B.C.212
Standby IP: A.B.C.210
ISP2:
IP Address: E.F.G.55
Standby IP: E.F.G.53
Orlando
09-16-2019 09:57 AM
We were able to acquire a Class C subnet from ARIN that we can now use for both of our 2 different providers.
Here is our current router config:
!
interface GigabitEthernet0/0/0
 description Primary ISP
 ip address AAA.BBB.CCC.133 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 zone-member security sz_outside
 standby 1 ip AAA.BBB.CCC.132
 standby 1 priority 110
 standby 1 preempt
 standby 2 ip AAA.BBB.CCC.135
 standby 2 priority 110
 standby 2 preempt
 negotiation auto
 no lldp transmit
 no lldp receive
 no cdp enable
!
!
interface Tunnel777
 description Primary Tunnel
 ip address 192.168.250.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip hello-interval eigrp 714 10
 ip hold-time eigrp 714 30
 no ip next-hop-self eigrp 714
 no ip split-horizon eigrp 714
 ip pim nbma-mode
 ip pim sparse-mode
 ip nhrp authentication XXXXXXXX
 ip nhrp network-id 5964837
 ip nhrp holdtime 360
 zone-member security sz_dmvpn
 ip tcp adjust-mss 1360
 delay 500
 tunnel source GigabitEthernet0/0/0
 tunnel mode gre multipoint
 tunnel key 5
 tunnel protection ipsec profile dmvpn shared
!
Can I use the standby IP addresses as the tunnel source?
Cheers,
04-25-2019 05:55 PM - edited 04-25-2019 06:05 PM
Hi Orlando,
To answer your question, HSRP will not work on the Tunnel. This is because DMVPN does not resolve the next-hop via ARP as you usually need in HSRP; instead, DMVPN uses NHRP to resolve the next-hop, which is the Tunnel primary IP, to the NBMA address.
Also, the dynamic routing protocol will select the tunnel IP as the next-hop in the RIB, as opposed to the HSRP standby IP.
Hit me up with a star if you find this helpful.
-
Sebastian
04-26-2019 08:02 AM
04-26-2019 09:51 AM
Hi,
DMVPN with HSRP will work as long as the Hub routers are in the same subnet for their respective ISP connections. Also, the Tunnel source on the Hub routers must have the source as the WAN interface Standby IP and not the WAN physical IP. From your config, I see Hub 1 router Tunnel source Gi0/0/0 and Gi0/0/1 for the 2 tunnel interfaces, which will cause the tunnels to fail, as the Hub will generate NHRP packets using the physical IP and not the VIP.
I really see no advantage of using HSRP, as DMVPN with routing provides the redundancy, and you have options for Active/Active or Active standby using Enhanced Object Tracking, DMVPN health monitoring, NHS Cluster design, Routing Traffic steering and so on.
If you have to pay your ISPs for the VIP, then that's a wasted cost, in my opinion.
May I ask why you have 4 tunnels configured? I would think 2 tunnels for each ISP WAN would suffice.
04-29-2019 07:53 AM
Grabonlee,
We have 2 ISPs and created 2 tunnels for each ISP as redundant connections for our retail stores, which have 4 tunnels: Tunnel899 connects to one of the hub ISPs and Tunnel999 connects to the other hub ISP, both using the store's main ISP circuit. The other 2 tunnels are Tunnel898, using the store's backup cellular connection to the same ISP as Tunnel899, and Tunnel998, also as redundancy through the cellular backup connection at the store.
Orlando
04-29-2019 09:13 AM
Ok,
My guess is that you want the tunnels that use the cellular connection to only become active when the primary/secondary tunnels go down?
I don't think you really need HSRP on the WAN side. Enhanced Object Tracking can do this for you. You can then automate the cellular interface shut/no shut using EEM depending on the state of the primary/secondary tunnels.
For example, your tracked objects would be 899 and 999;
track 899 interface tunnel 899 line-protocol
track 999 interface tunnel 999 line-protocol
Then create a Boolean (OR) object list. For example,
track 400 list boolean or
 object 899
 object 999
 delay 20
Next would be to use EEM based on track 400 to automate the activation or deactivation of the cellular interface.
HSRP with EOT can be used on the Access layer side to track when the primary router is down.
My advice is to read up on EOT and EEM and test in a lab before you move into production.
Just my 2 cents. Maybe someone else has a better solution.
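The EEM step described in the post above, sketched as an added example that is not part of the original thread: two applets on the store router key off track 400, which is down only when both Tunnel899 and Tunnel999 are down. The interface name Cellular0/1/0 and the applet names are assumptions; substitute the store router's actual cellular interface.

```ios
! Added example (constructed): Cellular0/1/0 and the applet names are assumptions.
! Track 400 is the boolean OR list of objects 899 and 999 defined in the post.
!
! Both primary tunnels are down: bring the cellular backup up.
event manager applet CELL-BACKUP-ENABLE
 event track 400 state down
 action 1.0 cli command "enable"
 action 2.0 cli command "configure terminal"
 action 3.0 cli command "interface Cellular0/1/0"
 action 4.0 cli command "no shutdown"
 action 5.0 cli command "end"
 action 6.0 syslog msg "Track 400 down: Tunnel899 and Tunnel999 down, cellular backup enabled"
!
! At least one primary tunnel is back: take the cellular backup down again.
event manager applet CELL-BACKUP-DISABLE
 event track 400 state up
 action 1.0 cli command "enable"
 action 2.0 cli command "configure terminal"
 action 3.0 cli command "interface Cellular0/1/0"
 action 4.0 cli command "shutdown"
 action 5.0 cli command "end"
 action 6.0 syslog msg "Track 400 up: primary tunnel restored, cellular backup disabled"
!
```

If AAA command authorization is enabled on the router, the applets' CLI actions need an authorized user set with `event manager session cli username`, otherwise the commands are rejected and the interface state never changes.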
04-29-2019 09:29 AM
We are actually using Enhanced Object Tracking already for both our Tunnel 899 and Tunnel 999.
04-29-2019 10:57 AM
You have EOT on your tunnels, so I'm not sure what your concern really is about. Since your ISPs gave you VIPs, I have already indicated that your Hub tunnel source needs to be the VIP in the tunnel interface configuration and not the physical interface as was shown in your attached Hub Router 1 config.
Maybe you need to summarize your current setup and what you want to achieve that isn't in your current setup.