02-20-2015 08:31 AM - edited 03-05-2019 12:51 AM
I have a concern about the traffic flow in my HSRP setup. I have two Cisco 2900s doing HSRP and it seems to be working, but all outbound traffic is going to the active VIP, while all incoming traffic is coming back through the standby router. Both of these routers have separate 100 Mbps service to my ISP. From my MRTG app it shows my total bandwidth THROUGH MY FIREWALL is over 100 Mbps at times. Why is traffic coming back on the standby router, and if I shut down my standby, will I exceed the bandwidth service I have with my ISP? I thought HSRP was strictly for hardware HA reasons?
Thank You
02-20-2015 08:58 AM
Disclaimer
The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.
Liability Disclaimer
In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.
Posting
HSRP doesn't influence egress traffic.
Unable to say why your return traffic is behaving as you note without more information.
02-20-2015 09:59 AM
Hello,
Thank you for the reply... I found this on Cisco's website (below) in the FAQ, so I know it happens. You're asking for more information, like what? I can provide whatever you need.
My setup is pretty simple: I have two ISP drops to the same POP, each line is 100 Mbps, and they're sharing a VIP that is the GW of my firewall. I have iBGP and eBGP set up, so the routing HA is working along with the hardware. When all outbound traffic leaves the firewall it goes to the VIP like it should, but when the traffic comes back (according to the bandwidth logs) it returns to my standby router. I also want to add that I have no PBR set up. Hope this clears things up a bit. Thank you again.
A. No, normally this is transparent to all hosts and/or servers on the LAN and can be desirable if a router experiences high traffic. In order to change this, configure a more desirable cost for the link you want the distant router/routers to use.
02-21-2015 05:25 AM
Again, unless you're also using HSRP for your from-the-Internet traffic, LAN-facing HSRP doesn't have anything to do with return traffic. Normally, return traffic picks its path based on routing.
However, if you are using HSRP on your return-traffic side, such as perhaps facing your FW, which has a static route toward your routers' HSRP, what you can do (on later routers, like your 2900) is use mHSRP to configure two IPs, one as primary on each router, with the other router providing it as backup, and then have two static routes on the FW, one to each mHSRP IP.
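To make the mHSRP layout described above concrete, here is an added example (editor's illustration, not Joseph's or the OP's configuration). The interface name, the 192.0.2.0/24 firewall-facing subnet, the router addresses and the HSRP key string are assumed placeholders; the router names R1 and R2 follow the thread.

```cisco
! Added example: mHSRP (two HSRP groups) on the LAN interface facing the firewall.
! Assumptions (not from the thread): interface Gi0/0, subnet 192.0.2.0/24,
! R1 = .2, R2 = .3, group 1 VIP = .1, group 2 VIP = .254, key string HSRP-KEY.
!
! ----- R1: active for group 1, standby for group 2 -----
interface GigabitEthernet0/0
 ip address 192.0.2.2 255.255.255.0
 standby version 2
 standby 1 ip 192.0.2.1
 standby 1 priority 110
 standby 1 preempt
 standby 1 authentication md5 key-string HSRP-KEY
 standby 2 ip 192.0.2.254
 standby 2 priority 90
 standby 2 preempt
 standby 2 authentication md5 key-string HSRP-KEY
!
! ----- R2: standby for group 1, active for group 2 -----
interface GigabitEthernet0/0
 ip address 192.0.2.3 255.255.255.0
 standby version 2
 standby 1 ip 192.0.2.1
 standby 1 priority 90
 standby 1 preempt
 standby 1 authentication md5 key-string HSRP-KEY
 standby 2 ip 192.0.2.254
 standby 2 priority 110
 standby 2 preempt
 standby 2 authentication md5 key-string HSRP-KEY
!
! Verify which router currently owns which VIP:
! show standby brief
```

The firewall then carries two equal-cost default routes, one to 192.0.2.1 and one to 192.0.2.254 (syntax depends on the firewall; if it only installs one of them, nothing is shared). This only splits outbound traffic between the two routers; as the post says, it has no effect on the inbound path. The `authentication md5` lines are an addition to what the post describes: without them, any host on that segment can send HSRP hellos with a higher priority and take over the VIP, so both groups should use a key, and both routers must use the same one or they will each believe they are alone in the group.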
02-21-2015 02:36 PM
So you have a firewall connected to two outside routers running HSRP that connect to the ISP.
Traffic outbound is going via the HSRP active.
But presumably you are not running HSRP on the WAN interfaces of the routers, i.e. the ones connecting to the ISP.
If that's the case it all comes down to your BGP advertisements as to which inbound path traffic will take.
It sounds like if you are running BGP you must be responsible for advertising your public address space to the ISP. If so you should be able to influence which inbound path traffic takes.
If you aren't advertising your address space then what are you using BGP for exactly as you have HSRP between the firewall and the routers ?
Jon
02-21-2015 02:36 PM
Jon,
Yes, I have my firewalls connected to the two routers that are connected to the ISP, and outbound traffic is going via the HSRP active.
You are correct, I am not running HSRP on the WAN IPs of the routers, just on the LAN, and the VIP is the IP of the firewall's GW.
I have iBGP set up using loopbacks in case there is a routing failure, and I am using the AS from the ISP's BGP.
r1:
    Network          Next Hop         Metric LocPrf Weight Path
r i 0.0.0.0          10.18.3.2             0    100      0 6xxx i
r>                   1.1.1.1               0               6xxx i
* i 2.2.2.2/29       10.18.3.2             0    100      0 i
*>                   0.0.0.0               0          32768 i
* i 3.3.3.3/27       10.18.3.2             0    100      0 i
*>                   0.0.0.0               0          32768 i
r2:
    Network          Next Hop         Metric LocPrf Weight Path
* i 0.0.0.0          10.18.3.1             0    100      0 6xxx i
*>                   4.4.4.4               0               6xxx i
* i 2.2.2.2/29       10.18.3.1             0    100      0 i
*>                   0.0.0.0               0          32768 i
* i 3.3.3.3/27       10.18.3.1             0    100      0 i
*>                   0.0.0.0               0          32768 i
Based on my sh ip bgp, outgoing traffic is going out via next hop 1.1.1.1, but traffic back seems to be coming from 4.4.4.4. Should I contact my ISP and ask them why my return traffic is coming from the other path?
02-21-2015 03:32 PM
It depends on whether you are advertising your own public IP addresses to the ISP.
If you are you yourself can influence which router is used for inbound traffic by modifying your BGP configuration.
If you aren't then you would need the ISP to do something at their end.
It is worth having a chat with them anyway because even if you are advertising your own public IPs there are different ways of influencing the inbound traffic and the ISP may have a preferred method.
So yes, talk to them and if you are advertising your public IPs they may well say which method they prefer and if you then need help with that come back here and we should be able to point you in the right direction.
Jon
02-23-2015 02:07 PM
OK, so I spoke to my ISP and they're asking for a traceroute from each router, which I can do, but they also asked me to run a trace from a looking glass. I just looked online to find some free ones, but can't seem to find any. And what are they looking for, the destination to my VIP IP? I'm not sure what they're asking; any help would be great. Thanks guys.
02-23-2015 02:11 PM
Go to this page and click on an icon and it should bring up a telnet screen where you can run traceroute -
If you are doing NAT for all your internal clients using the outside interface IP of the firewall (VIP), then yes, traceroute to that.
Basically traceroute to whatever IP your internal clients appear as on the internet.
Jon
02-23-2015 02:24 PM
Thanks, that's what I thought! I also found this site, which is easy to use:
http://lg.he.net/
02-24-2015 09:40 AM
OK, I spoke to my ISP, and help me out here because this part is a little past what I usually do, but he said I have to set up either MED (hope I'm spelling that right) or AS path prepend; I need to increase the AS path prepending??
I'm sorry if this makes no sense, but that's what they told me. Can someone point me in the right direction? It sounds like some type of cost value??
02-24-2015 10:39 AM
It does make sense and is what I was referring to earlier about using BGP to influence inbound traffic.
MED can only be used to influence traffic in a neighboring AS, but as you only want to do that because you are connecting to the same ISP, you can use that or AS path prepending, and either will work.
Sounds like your ISP supports both.
So, are both your routers advertising the same public IP block to the ISP, i.e. the public IP block that your VIP is from?
You would find this under your BGP configuration on both routers.
If you are, and I suspect you must be, then what you do is add extra configuration on the non-HSRP-active router to that BGP configuration which tells the ISP that router is least preferred for return traffic from the internet.
If your active router fails then it would then be used so you still have failover but just not used when both routers are up.
If possible can you post the BGP part of the configuration or if you can't for security reasons can you just confirm that you are advertising the same public IP block from both routers ?
Jon
02-24-2015 11:15 AM
OK, I am advertising the same block on each router, but here is my config (I changed the IPs and ASes for security reasons, but they do match for argument's sake). I set this up and it all seems to work except for what we are trying to accomplish.
R1 and VIP master: Priority 110
router bgp 12345
 bgp router-id 10.18.3.1
 bgp log-neighbor-changes
 ! the two public blocks advertised to the ISP
 network 1.1.1.1 mask 255.255.255.248
 network 2.2.2.2 mask 255.255.255.224
 ! iBGP peering with R2 over the loopbacks
 neighbor IBGP peer-group
 neighbor IBGP remote-as 12345
 neighbor IBGP update-source Loopback0
 neighbor IBGP next-hop-self
 neighbor 10.18.3.2 peer-group IBGP
 ! eBGP peering with the ISP on this circuit
 neighbor 3.3.3.3 remote-as 4567
 neighbor 3.3.3.3 password 7 XXXXX
 ! (didn't think you needed this line)
R2:
router bgp 12345
 bgp router-id 10.18.3.2
 bgp log-neighbor-changes
 network 1.1.1.1 mask 255.255.255.248
 network 2.2.2.2 mask 255.255.255.224
 neighbor IBGP peer-group
 neighbor IBGP remote-as 12345
 neighbor IBGP update-source Loopback0
 neighbor IBGP next-hop-self
 neighbor 10.18.3.1 peer-group IBGP
 ! eBGP peering with the ISP on the second circuit
 neighbor 4.4.4.4 remote-as 4567
 neighbor 4.4.4.4 password 7 XXXXXX
 ! (ditto)
02-24-2015 11:35 AM
Okay, couple of quick questions.
The public IPs, are they your own independent addressing or are they part of the ISP's block?
For MED you have to know what metric is currently passed on to the ISP so you can configure a higher one. This should come from the route in the IP routing tables that matches your public IP subnets.
Or we can configure MED on both routers and explicitly set the metric on each, but it would be better if we could just do the config on one router only.
If that doesn't make much sense don't worry as if you use prepending I just need an answer to the first question.
Jon
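As an added example of the outbound policy Jon describes in his 10:39 and 11:35 posts (editor's illustration, not the OP's or Jon's configuration), this is what the extra configuration on R2, the non-active router, would look like using the OP's sanitised values: AS 12345, eBGP peer 4.4.4.4 in AS 4567, and the two blocks from the network statements, written here in network form as 1.1.1.0/29 and 2.2.2.0/27. The prefix-list and route-map names and the prepend count are assumptions.

```cisco
! Added example on R2 (the HSRP standby router). R1 keeps advertising the same
! blocks with no prepend, so the ISP's best-path selection (shorter AS_PATH)
! prefers the route learned from R1. If R1 or its circuit fails, R2's prepended
! advertisement is the only one left and return traffic moves to R2 on its own.
!
! Announce only our own blocks to the ISP (never the default or anything learned
! from R1 over iBGP); the OP's sanitised prefixes are used as placeholders.
ip prefix-list OUR-BLOCKS seq 5 permit 1.1.1.0/29
ip prefix-list OUR-BLOCKS seq 10 permit 2.2.2.0/27
!
route-map TO-ISP-OUT permit 10
 match ip address prefix-list OUR-BLOCKS
 ! Option A (AS path prepend): make the path via R2 look three AS hops longer.
 set as-path prepend 12345 12345 12345
 ! Option B (MED), if the ISP compares MED: a higher metric is less preferred.
 ! Use instead of, or as well as, the prepend; the ISP will say which it honours.
 ! set metric 100
!
! A route-map ends with an implicit deny, so nothing outside OUR-BLOCKS is sent.
!
router bgp 12345
 neighbor 4.4.4.4 route-map TO-ISP-OUT out
!
! Apply the new policy without dropping the session, then check what is advertised:
! clear ip bgp 4.4.4.4 soft out
! show ip bgp neighbors 4.4.4.4 advertised-routes
```

Prepending works only if the ISP does not override it with its own local preference per circuit, and MED is compared only between routes from the same neighbouring AS (which both of these are), so confirming with the ISP which attribute they honour, as Jon suggests, decides which option to leave enabled. Once it takes effect, both directions use R1 and its 100 Mbps circuit, which is the trade-off the OP asked about at the start of the thread: R2 stays idle until R1 fails.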
02-24-2015 12:11 PM
I would think it's part of the ISP's block, because they gave me a 2.2.2.2/27 block that I can use from one circuit and 1.1.1.1/29 from the other. Would you like the sh ip bgp output? I can correlate the IPs with the scheme I have been sending you.
Also, excuse my stupidity, but how would I have my own independent addressing? I always thought the ISP provides you with the block of IPs you can use. I mean, these are my IPs; I do control all zone files and DNS. They also provided me with a /30 for the 4.4.4.4, which is their AS. Hope this makes sense. Thanks again.