HSRP inbound and out bound bandwidth traffic

spivy6666
Level 1

I have a concern about the traffic flow on my HSRP setup. I have two Cisco 2900s doing HSRP and it seems to be working, but all outbound traffic is going to the active VIP while all incoming traffic is coming back through the standby router. Both of these routers have separate 100 Mbps service to my ISP. From my MRTG app it shows my total bandwidth through my firewall is over 100 Mbps at times. Why is traffic coming back on the standby router, and if I shut down my standby will I exceed the bandwidth service I have with my ISP? I thought HSRP was strictly for hardware HA reasons?


Thank You

CCNA

Joseph W. Doherty
Hall of Fame

Disclaimer

The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.

Liability Disclaimer

In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.

Posting

HSRP doesn't influence egress traffic.

Unable to say why your return traffic is behaving as you note without more information.

Hello,

Thank you for the reply... I found this on Cisco's website (below) in the FAQ, so I know it happens, but you're asking for more information, like what? I can provide whatever you need.


My setup is pretty simple: I have two ISP drops to the same POP, each line is 100 Mbps, and they're sharing a VIP to the gateway of my firewall. I have iBGP and eBGP set up, so the routing HA is working along with the hardware. When all outbound traffic leaves the firewall it goes to the VIP like it should, but when the traffic comes back (according to the bandwidth logs) it returns to my standby router. I also want to add that I have no PBR set up. Hope this clears things up a bit. Thank you again.

Q. I use HSRP and all hosts use the active router to forward traffic to the rest of my network. I have noticed that the return traffic comes back through the standby router. Will this cause problems with HSRP or my applications?


A. No, normally this is transparent to all hosts and/or servers on the LAN and can be desirable if a router experiences high traffic. In order to change this, configure a more desirable cost for the link you want the distant router/routers to use.

CCNA

Posting

Again, unless you're also using HSRP for your from-the-Internet traffic, LAN-facing HSRP doesn't have anything to do with return traffic. Normally, return traffic picks its path based on routing.

However, if you are using HSRP on your return-traffic side, such as perhaps facing your FW which has a static route toward your routers' HSRP, what you can do (on later routers, like your 2900) is use mHSRP to configure two IPs, one as primary on each router, the other router providing it as backup, and then have two static routes on the FW, one to each mHSRP IP.
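The mHSRP arrangement described in the post above, written out as an added configuration example; it is not part of the original post or the poster's config. The interface names, the 192.0.2.0/24 LAN segment, the two VIPs (192.0.2.10 and 192.0.2.20), the tracked WAN interface and the key string are all assumptions. The firewall side depends on the firewall model, so it is only described in comments.

```cisco
! Added example, not from the original thread. Two HSRP groups on the LAN
! facing the firewall, so each router is active for one VIP and standby
! for the other.
! Assumed addressing: 192.0.2.1 = R1, 192.0.2.2 = R2,
! 192.0.2.10 = VIP for group 1, 192.0.2.20 = VIP for group 2.
! Gi0/0 is assumed to be each router's ISP-facing interface.
!
! ---- R1: active for group 1, standby for group 2 ----
track 1 interface GigabitEthernet0/0 line-protocol
!
interface GigabitEthernet0/1
 description LAN toward firewall
 ip address 192.0.2.1 255.255.255.0
 standby version 2
 standby 1 ip 192.0.2.10
 standby 1 priority 110
 standby 1 preempt
 ! Authenticate hellos so another host on this segment cannot claim the VIP.
 standby 1 authentication md5 key-string EXAMPLE-KEY-CHANGE-ME
 ! Drop below the peer's priority (90) if this router's ISP link goes down.
 standby 1 track 1 decrement 30
 standby 2 ip 192.0.2.20
 standby 2 priority 90
 standby 2 preempt
 standby 2 authentication md5 key-string EXAMPLE-KEY-CHANGE-ME
!
! ---- R2: mirror image, active for group 2 ----
track 1 interface GigabitEthernet0/0 line-protocol
!
interface GigabitEthernet0/1
 description LAN toward firewall
 ip address 192.0.2.2 255.255.255.0
 standby version 2
 standby 1 ip 192.0.2.10
 standby 1 priority 90
 standby 1 preempt
 standby 1 authentication md5 key-string EXAMPLE-KEY-CHANGE-ME
 standby 2 ip 192.0.2.20
 standby 2 priority 110
 standby 2 preempt
 standby 2 authentication md5 key-string EXAMPLE-KEY-CHANGE-ME
 standby 2 track 1 decrement 30
!
! ---- Firewall (syntax depends on the model) ----
! Replace the single default route toward the old VIP with two default
! routes, one to 192.0.2.10 and one to 192.0.2.20. With both routers up,
! outbound traffic is shared across both; if either router fails, its VIP
! moves to the surviving router and both firewall routes keep working.
!
! Verify on either router:
! show standby brief
! show track 1
```

Two points worth checking before relying on this: the firewall must actually support two equal-cost default routes out of the same interface (not every model or version does), and the decrement value must be large enough that the tracked router's priority falls below the peer's, otherwise the VIP never moves when the ISP link drops. The MD5 key string only protects against a rogue HSRP speaker on the LAN segment; it does nothing for the inbound-path question discussed in this thread.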

So you have a firewall connected to two outside routers running HSRP that connect to the ISP.

Traffic outbound is going via the HSRP active.

But presumably you are not running HSRP on the WAN interfaces of the routers, i.e. the ones connecting to the ISP.

If that's the case it all comes down to your BGP advertisements as to which inbound path traffic will take.

It sounds like, if you are running BGP, you must be responsible for advertising your public address space to the ISP. If so, you should be able to influence which inbound path traffic takes.

If you aren't advertising your address space, then what are you using BGP for exactly, as you have HSRP between the firewall and the routers?

Jon

Jon,


Yes, I have my firewalls connected to the two routers that are connected to the ISP, and traffic outbound is going via the HSRP active.

You are correct, I am not running HSRP on the WAN IPs on the routers, just the LAN, and the VIP is the IP of the firewall's GW.

I have iBGP set up using loopbacks in case there is a routing failure, and I am using the AS from the ISP BGP.

r1: 

Network          Next Hop            Metric LocPrf Weight Path
 r i 0.0.0.0          10.18.3.2                0    100      0 6xxx i
 r>                   1.1.1.1                          0 6xxx i
 * i 2.2.2.2/29  10.18.3.2                0    100      0 i
 *>                   0.0.0.0                  0         32768 i
 * i 3.3.3.3/27
                       10.18.3.2                0    100      0 i
 *>                   0.0.0.0                  0         32768 i


r2:

    Network          Next Hop            Metric LocPrf Weight Path
 * i 0.0.0.0          10.18.3.1                0    100      0 6xxx i
 *>                   4.4.4.4                           0 6xxx i
 * i 2.2.2.2/29  10.18.3.1                0    100      0 i
 *>                   0.0.0.0                  0         32768 i
 * i 3.3.3.3/27
                       10.18.3.1                0    100      0 i
 *>                   0.0.0.0                  0         32768 i


Based on my sh bgp, outgoing traffic is going out next hop 1.1.1.1, but traffic back seems to be coming from 4.4.4.4. Should I contact my ISP and ask them why my return traffic is coming from the other path?


CCNA

It depends on whether you are advertising your own public IP addresses to the ISP.

If you are, you yourself can influence which router is used for inbound traffic by modifying your BGP configuration.

If you aren't, then you would need the ISP to do something at their end.

It is worth having a chat with them anyway because, even if you are advertising your own public IPs, there are different ways of influencing the inbound traffic and the ISP may have a preferred method.

So yes, talk to them, and if you are advertising your public IPs they may well say which method they prefer. If you then need help with that, come back here and we should be able to point you in the right direction.

Jon

OK, so I spoke to my ISP and they're asking for a traceroute from each router, which I can do, but they also asked me to run a trace from a looking glass. I just looked online to find some free ones but can't seem to find any. And what are they looking for, the destination to my VIP IP? I'm not sure what they're asking; any help would be great. Thanks guys.

CCNA

Go to this page and click on an icon and it should bring up a telnet screen where you can run traceroute -

http://routeserver.org/

If you are doing NAT for all your internal clients using the outside interface IP of the firewall (VIP) then yes, traceroute to that.

Basically traceroute to whatever IP your internal clients appear as on the internet.

Jon

Thanks, that's what I thought! I also found this site which is easy to use:


http://lg.he.net/ 

CCNA

OK, I spoke to my ISP, and help me out here because this part is a little past what I usually do, but he said I have to set up either MED (hope I'm spelling that right) or AS path prepend, need to increase the AS path prepending??

I'm sorry if this makes no sense, but that's what they told me. Can someone point me in the right direction? It sounds like some type of cost value??

CCNA

It does make sense and is what I was referring to earlier about using BGP to influence inbound traffic.

MED can only be used to influence traffic in a neighboring AS, but as you only want to do that because you are connecting to the same ISP, you can use that or AS path prepending and either will work.

Sounds like your ISP supports both.

So are both your routers advertising the same public IP block to the ISP, i.e. the public IP block that your VIP is from?

You would find this under your BGP configuration on both routers.

If you are, and I suspect you must be, then what you do is add extra configuration on the non-HSRP-active router to that BGP configuration which tells the ISP that router is least preferred for return traffic from the internet.

If your active router fails then it would then be used, so you still have failover, but it is just not used when both routers are up.

If possible can you post the BGP part of the configuration or if you can't for security reasons can you just confirm that you are advertising the same public IP block from both routers ?

Jon

OK, I am advertising the same block on each router, but here is my config (I changed the IPs and ASes for security reasons, but they do match for argument's sake). I set this up and it all seems to work except for what we are trying to accomplish.


R1 and VIP master: Priority 110

router bgp 12345
 bgp router-id 10.18.3.1
 bgp log-neighbor-changes
 network 1.1.1.1 mask 255.255.255.248
 network 2.2.2.2 mask 255.255.255.224
 neighbor IBGP peer-group
 neighbor IBGP remote-as 12345
 neighbor IBGP update-source Loopback0
 neighbor IBGP next-hop-self
 neighbor 10.18.3.2 peer-group IBGP
 neighbor 3.3.3.3 remote-as 4567
 neighbor 3.3.3.3 password 7 XXXXX
 ! (didn't think you needed this line)


R2:

router bgp 12345
 bgp router-id 10.18.3.2
 bgp log-neighbor-changes
 network 1.1.1.1 mask 255.255.255.248
 network 2.2.2.2 mask 255.255.255.224
 neighbor IBGP peer-group
 neighbor IBGP remote-as 12345
 neighbor IBGP update-source Loopback0
 neighbor IBGP next-hop-self
 neighbor 10.18.3.1 peer-group IBGP
 neighbor 4.4.4.4 remote-as 4567
 neighbor 4.4.4.4 password 7 XXXXXX
 ! (ditto)


CCNA

Okay, a couple of quick questions.

The public IPs, are they your own independent addressing or are they part of the ISP's block?

For MED you have to know what metric is currently passed on to the ISP so you can configure a higher one. This should come from the route in the IP routing tables that matches your public IP subnets.

Or we can configure MED on both routers and explicitly set the metric on each, but it would be better if we could just do the config on one router only.

If that doesn't make much sense, don't worry, as if you use prepending I just need an answer to the first question.

Jon
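The AS-path prepend and MED approaches discussed in the replies above, written out as an added configuration example; this is not the poster's config or Jon's, and is not part of the original thread. It reuses the anonymized numbers from the posted configs (local AS 12345, ISP AS 4567, eBGP neighbor 3.3.3.3 on R1 and 4.4.4.4 on R2) and writes the two advertised blocks as network addresses (1.1.1.0/29 and 2.2.2.0/27). The prefix-list and route-map names and the MED values are assumptions. Apply either Option A or Option B, not both.

```cisco
! Added example, not from the original thread. Goal: the ISP (AS 4567)
! should prefer R1 (neighbor 3.3.3.3) for traffic to our blocks while both
! links are up, and fall back to R2 (neighbor 4.4.4.4) if R1's link fails.
!
! Both routers: advertise only our own blocks toward the ISP. A route-map
! whose only permit clause matches this list implicitly denies everything
! else, so the default route learned from the ISP is never re-advertised.
ip prefix-list OUR-PREFIXES seq 5 permit 1.1.1.0/29
ip prefix-list OUR-PREFIXES seq 10 permit 2.2.2.0/27
!
! ===== Option A: AS-path prepend on R2 only =====
! Two extra copies of our own AS make R2's path three hops long against one
! via R1; the ISP's best-path selection prefers the shorter AS-path.
!
! R1: filter only, no prepend
route-map TO-ISP permit 10
 match ip address prefix-list OUR-PREFIXES
!
router bgp 12345
 neighbor 3.3.3.3 route-map TO-ISP out
!
! R2: filter and prepend
route-map TO-ISP permit 10
 match ip address prefix-list OUR-PREFIXES
 set as-path prepend 12345 12345
!
router bgp 12345
 neighbor 4.4.4.4 route-map TO-ISP out
!
! ===== Option B: MED, set explicitly on both routers =====
! Lower MED wins. MED is only compared between paths received from the
! same neighboring AS, which holds here because both circuits go to AS 4567.
! Setting it on both sides avoids depending on whatever metric the network
! statements currently inherit from the routing table.
!
! R1
route-map TO-ISP permit 10
 match ip address prefix-list OUR-PREFIXES
 set metric 50
!
router bgp 12345
 neighbor 3.3.3.3 route-map TO-ISP out
!
! R2
route-map TO-ISP permit 10
 match ip address prefix-list OUR-PREFIXES
 set metric 100
!
router bgp 12345
 neighbor 4.4.4.4 route-map TO-ISP out
!
! Re-send the updates without tearing down the session, then confirm what
! is actually being advertised (shown here for R2):
! clear ip bgp 4.4.4.4 soft out
! show ip bgp neighbors 4.4.4.4 advertised-routes
!
! Then repeat the looking-glass traceroute to the VIP from the internet side.
```

Prepending only works if the ISP's policy reaches the AS-path comparison: local preference is evaluated first, so if the ISP sets a different local preference per customer circuit, the prepend is ignored. That is why the ISP's preferred method matters, and why checking the result from a looking glass is the right final step rather than trusting the advertised-routes output alone.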


I would think it's part of the ISP block because they gave me a 2.2.2.2/27 block that I can use from one circuit and 1.1.1.1/29 from the other. Would you like the sh ip bgp output? I can correlate the IPs with the scheme I have been sending you.

Also, excuse my stupidity, but how would I have my own independent addressing? I always thought the ISP provides you with the block of IPs you can use. I mean, these are my IPs; I do control all zone files and DNS. They also provided me with a /30 for the 4.4.4.4, which is their AS. Hope this makes sense. Thanks again.

CCNA