
HSRP on 2 Routers for Internet Users.

qasimkhans
Level 1

Hi,

    I have some hosted servers in my network and internet users access them. Last week my Router 3845 crashed and we had to face 1 and a half hours of downtime. I was reading about HSRP to make 2 routers fail over. My question is: can we use HSRP for Internet users (WAN link), and set up HSRP on 2 routers with 1 ISP link on both routers? If yes, please give me a clear example.

Thanks,

8 Replies

JohnTylerPearce
Level 7

(R1)(R2)
     |
(Switch)
     |
( L A N )  (10.10.10.0/24)

So let's say you have VLAN 10 which is your data vlan.

R1
----
int x/x
 ip address 10.0.0.2 255.255.255.0
 standby 1 ip 10.0.0.1
 standby 1 priority 101
 standby 1 preempt

R2
----
int x/x
 ip address 10.0.0.3 255.255.255.0
 standby 1 ip 10.0.0.1

R1 will be the primary router, and if it goes down, R2 will take over. When R1 comes back online, it will have a higher priority of 101 and preempt configured, so it will preempt R2 from being primary and move it to secondary, and R1 will take over as primary.

Now, this is a very basic configuration. You can modify the times, and include a 'track' statement to track if an upstream interface went down. Because it should only change the primary by default, if the LAN interface for this particular standby goes down.

Please correct me if I'm wrong, if anyone else chimes in.

OK, thanks. What about the WAN link? Can I use 1 ISP link on both routers (attach a cable to each router coming from the same ISP)?

Sorry, I actually meant to do that HSRP configuration for the WAN side. You would basically do the same thing, except with different IPs for the WAN side. Obviously, always be sure to test before implementing anything in a production network.

Please correct me if I am wrong. How do I connect 2 cables from the same ISP? Will there be an IP conflict?

(R1)(R2)
     |
( ISP )

R1
----
int x/x
 ip address 10.0.0.2 255.255.255.0
 standby 1 ip 50.200.X.X (IP from ISP)
 standby 1 priority 101
 standby 1 preempt

R2
----
int x/x
 ip address 10.0.0.3 255.255.255.0
 standby 1 ip 50.200.X.X (IP from ISP)

For starters, what is the WAN IP and network mask of your internet connection? You will need at least 3 IP addresses for this to work.

R1 and R2 will need to connect to a switch, where both ports going to R1 and R2 will be on the same VLAN. Then a port from the same VLAN as R1 and R2 will need to be connected to your ISP.

So let's say you have 20.20.20.0/29

(R1)(R2)
  SW1
     |
   ISP

R1
----
int x/x
 ip address 20.20.20.2 255.255.255.248
 standby 1 ip 20.20.20.1
 standby 1 priority 101
 standby 1 preempt

R2
----
int x/x
 ip address 20.20.20.3 255.255.255.248
 standby 1 ip 20.20.20.1

The default route should be 20.20.20.1 which goes to your ISP. If you plan to implement a scenario like this, always test before implementation. You can use GNS3 to test out the configuration.

I got a turnup to do tonight, but if I have time, I'll try to post again if you reply.
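An added example, not part of any post in this thread: a small Python check for the addressing rules the answer above relies on (valid mask, both interface addresses and the standby virtual IP in one subnet, and at least 3 usable addresses). The function names and sample stanzas are constructed for illustration, and the check covers addressing consistency only, not routing or NAT design.

```python
import ipaddress
import re

NEEDED = 3  # two interface addresses plus one HSRP virtual IP, as the answer states


def parse(stanza):
    """Extract (address, mask, {group: virtual_ip}) from an IOS interface stanza."""
    m = re.search(r"^\s*ip address (\S+) (\S+)\s*$", stanza, re.M)
    vips = dict(re.findall(r"^\s*standby (\d+) ip (\S+)", stanza, re.M))
    return (m.group(1), m.group(2), vips) if m else (None, None, vips)


def check_pair(r1, r2):
    """Return a list of addressing problems in two routers' HSRP stanzas."""
    problems, parsed = [], []
    for name, stanza in (("R1", r1), ("R2", r2)):
        addr, mask, vips = parse(stanza)
        try:
            iface = ipaddress.ip_interface(f"{addr}/{mask}")
        except ValueError:  # missing address, bad octet, or non-contiguous mask
            problems.append(f"{name}: invalid address or mask: {addr} {mask}")
            continue
        parsed.append((iface, vips))
        for group, vip in vips.items():
            try:
                inside = ipaddress.ip_address(vip) in iface.network
            except ValueError:  # placeholder or malformed virtual IP
                inside = False
            if not inside:
                problems.append(f"{name}: group {group} virtual IP {vip} not in {iface.network}")
    if len(parsed) == 2:
        (i1, v1), (i2, v2) = parsed
        if i1.network != i2.network:
            problems.append("R1 and R2 interfaces are in different subnets")
        if i1.ip == i2.ip:
            problems.append("R1 and R2 use the same interface address")
        if v1 != v2:
            problems.append("standby groups or virtual IPs differ between R1 and R2")
        usable = i1.network.num_addresses - 2  # minus network and broadcast
        if usable < NEEDED:
            problems.append(f"{i1.network} has {usable} usable addresses, need {NEEDED}")
    return problems


# Constructed samples modeled on the thread's /29 example.
GOOD_R1 = "int x/x\n ip address 20.20.20.2 255.255.255.248\n standby 1 ip 20.20.20.1\n standby 1 priority 101\n"
GOOD_R2 = "int x/x\n ip address 20.20.20.3 255.255.255.248\n standby 1 ip 20.20.20.1\n"
TYPO_R2 = GOOD_R2.replace("255.255.255.248", "255.255.25.248")  # mistyped mask
```

Running `check_pair` on the stanzas before pasting them into the routers catches a mistyped mask, a virtual IP that sits outside the interface subnet, and a /30 WAN block that is too small for two routers plus a virtual address.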

Hi John,

My current config on both routers is 4 VLANs, IP SLA (ISP failover), site-to-site and site-to-client VPN. Please let me know what the HSRP configuration would be on both routers with my current config.

Quasim,

The link below should give you all the information you need.

http://www.ciscopress.com/articles/article.asp?p=766858&seqNum=4

I need to configure HSRP on WAN links. I am hosting servers (web server, Citrix, app servers, etc.). I have IPs from ISPs. I am also using IP SLA for Internet failover on the router. Now I want to set up router failover using HSRP. The config on both of my routers is as below.

track 10 ip sla 1 reachability
 delay down 1 up 1
!
track 20 ip sla 2 reachability
 delay down 1 up 1
!
!
!
!
interface GigabitEthernet0/0
 no ip address
 ip virtual-reassembly in
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/0.7
 description Voice-Vlan
 encapsulation dot1Q 7
 ip address 192.168.7.3 255.255.255.0
 ip helper-address 192.168.10.15
 ip helper-address 192.168.10.16
!
interface GigabitEthernet0/0.8
 description IT-Vlan
 encapsulation dot1Q 8
 ip address 192.168.8.3 255.255.255.0
 ip helper-address 192.168.10.15
 ip helper-address 192.168.10.16
 ip nat inside
 ip virtual-reassembly in
!
interface GigabitEthernet0/0.9
 description Regency-Vlan
 encapsulation dot1Q 9
 ip address 192.168.9.3 255.255.255.0
 ip helper-address 192.168.10.15
 ip helper-address 192.168.10.16
 ip nat inside
 ip virtual-reassembly in
!
interface GigabitEthernet0/0.10
 description Servers-&-Switches-Vlan
 encapsulation dot1Q 10
 ip address 192.168.10.7 255.255.255.0
 ip helper-address 192.168.10.16
 no ip redirects
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly in
 ip policy route-map PBR
!
interface FastEthernet0/0/1
 ip address 50.x.x.14 255.255.255.252
 ip nat outside
 ip virtual-reassembly in
 duplex full
 speed 100
 crypto map vpn
!
interface FastEthernet0/1/0
 ip address 162.x.x.34 255.255.255.224
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source route-map ISP1 interface FastEthernet0/0/1 overload
ip nat inside source route-map ISP2 interface FastEthernet0/1/0 overload
ip nat inside source static tcp 192.168.10.53 80 50.x.x.52 80 route-map ISP1 extendable
ip nat inside source static tcp 192.168.10.53 80 162.x.x.35 80 route-map ISP2 extendable
ip route 0.0.0.0 0.0.0.0 50.x.x.13 track 10
ip route 0.0.0.0 0.0.0.0 162.x.x.62 200
!
ip access-list extended acl_internet
 deny   ip 192.168.0.0 0.0.255.255 10.10.10.0 0.0.0.255
 deny   ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
 permit ip 192.168.0.0 0.0.255.255 any
ip access-list extended acl_natisp1
 deny   ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
 permit ip 192.168.0.0 0.0.255.255 any
ip access-list extended acl_natisp2
 deny   ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
 permit ip 192.168.0.0 0.0.255.255 any
ip access-list extended acl_ncsvpn
 permit ip 192.168.0.0 0.0.255.255 192.168.4.0 0.0.0.255
ip access-list extended acl_vpn
 permit ip 192.168.0.0 0.0.255.255 10.10.10.0 0.0.0.255
!
ip sla 1
 icmp-echo 50.x.x.13
 threshold 500
 timeout 500
 frequency 1
ip sla schedule 1 life forever start-time now
ip sla 2
 icmp-echo 162.x.x.62
 threshold 500
 timeout 500
 frequency 1
ip sla schedule 2 life forever start-time now
!
!
!
!
route-map PBR permit 10
 match ip address acl_natisp1
 set ip next-hop verify-availability 50.x.x.13 1 track 10
!
route-map PBR permit 20
 match ip address acl_natisp2
 set ip next-hop verify-availability 162.x.x.62 2 track 20
!
route-map ISP2 permit 20
 match ip address acl_internet
 match interface FastEthernet0/1/0
!
route-map ISP1 permit 10
 match ip address acl_internet
 match interface FastEthernet0/0/1
