Two border routers. No load balancing

incognito

Hello everyone

How can I realize the scheme on the attached image?

We have to check ISP1 and, if it is alive, route through it; if it is "dead", then switch to the backup provider ISP2.

Can I configure HSRP/VRRP in this situation? Or can only IP SLA help to realize it?

----------------------------------------------------------------

SECOND QUESTION (attached images IPSec profile.png and crypto IPSec profile.png):

In this case, how many crypto ipsec profiles do I have to create? In many cases I found that everyone uses only one profile (the same profile, like DMVPN; look at crypto IPSec profile.png). But when I use two different profiles, one for each tunnel (like crypto ipsec profile DMVPN1 and crypto ipsec profile DMVPN2), my scheme works. What is correct: using the same crypto ipsec profile or different ones?

Dennis Mink

HSRP can track interfaces and initiate failover based on that. Is that what you are looking for?

Thanks for the reply.
If I use only IP SLA without HSRP in this case, is it correct or not?

In addition, please answer the second question of this discussion if you don't mind.

luis_cordova

Hi @incognito,

Yes, HSRP allows routing backup in case an ISP fails.

Now, you must ensure that the interfaces of the two routers participating in HSRP are in the same network.

Regards

balaji.bandi

Adding to the other posts: if you have any NTU from the provider in the network, the port never goes down, so to track far-end IP reachability you need IP SLA with tracking to fail over.

BB

Thanks for the reply.
In addition, please answer the second question of this discussion if you don't mind.

Hello
Object tracking with IP SLA would be a possible solution. However, regarding your posted topology, how are those LAN routers currently communicating with each other and with either ISP? Are you using a dynamic routing process?

Kind Regards
Paul

Hello!
Thanks for the response. Yes, they are communicating via EIGRP.
Should I use both HSRP and IP SLA for it to work correctly?
Is there a way to use only HSRP without IP SLA, or vice versa?

Hello Incognito,

You have two border routers connecting to two ISPs, R1 to ISP1 and R2 to ISP2, that do not use BGP but only static routing.

Inside your network you are using EIGRP.

At some point some device has to inject a default route in EIGRP to make it available in all the EIGRP domain.

On border routers R1 and R2 you can:

a) configure a default static route pointing to the appropriate IP next hop, and use IP SLA to track reachability of the next hop so that, if IP SLA fails, the default static route is removed.

b) You can generate a default route injected into EIGRP directly on the border routers by simply redistributing the default static route (EIGRP supports this, OSPF does not):

! R1: redistribute only the default static route into EIGRP with a low seed metric
! (the EIGRP seed metric has 5 parameters: bandwidth delay reliability load mtu)
ip prefix-list only-default permit 0.0.0.0/0
!
route-map DEF-STATIC-INTO-EIGRP permit 10
 match ip address prefix-list only-default
!
router eigrp <AS-number>
 redistribute static route-map DEF-STATIC-INTO-EIGRP
 ! seed metric
 default-metric 5000 10 1 1 1500
!
! R2: the same configuration but with a worse seed metric; raising the
! second parameter (delay) is enough
ip prefix-list only-default permit 0.0.0.0/0
!
route-map DEF-STATIC-INTO-EIGRP permit 10
 match ip address prefix-list only-default
!
router eigrp <AS-number>
 redistribute static route-map DEF-STATIC-INTO-EIGRP
 ! seed metric
 default-metric 5000 1000 1 1 1500
!

See https://www.cisco.com/c/m/en_us/techdoc/dc/reference/cli/nxos/commands/ for the command reference: default-metric bandwidth delay reliability loading mtu

This should solve the problem: in normal conditions the default route injected by R1 is preferred for its lower seed metric and is used by devices in the internal VLAN. In addition, the default route is propagated through the whole EIGRP domain.

If the IP SLA tracking the IP next hop to ISP1 on R1 fails, the default static route is removed from the IP routing table on R1, and EIGRP will stop redistributing it with the lower metric (it will not redistribute it at all).

At this point all devices will use the default route injected into EIGRP domain by R2 because it is the only one available.

If the IP SLA starts to reach the IP next hop on R1 again, the default static route is installed again in the IP routing table and the EIGRP process on R1 will start to advertise an EIGRP default route with the lower seed metric.

##################################

About your question about DMVPN and IPsec profiles: I have used a single IPsec profile in DMVPN with no problems.

If you have multiple DMVPNs I would go for multiple IPsec profiles, one for each DMVPN, just for clarity in the configuration.

I do not have enough elements to understand why in your case you need to use two different IPsec profiles; it may depend on some details in your configuration.

Hope to help

Giuseppe
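
Option (a) above in configuration form, as an added example that is not Giuseppe's or the original poster's configuration: the ISP next-hop addresses 203.0.113.1 and 198.51.100.1, the interface GigabitEthernet0/0, and the IP SLA/track object numbers are placeholders.

```cisco
! R1: probe the ISP1 next hop every 10 s (203.0.113.1 and Gi0/0 are placeholders)
ip sla 1
 icmp-echo 203.0.113.1 source-interface GigabitEthernet0/0
 frequency 10
ip sla schedule 1 life forever start-time now
!
! The track object follows the probe; the delays dampen a flapping link so the
! default route is not installed and withdrawn on every lost echo
track 1 ip sla 1 reachability
 delay down 10 up 30
!
! The default route exists only while track 1 is up. Once it is withdrawn,
! "redistribute static" on R1 has nothing to advertise and the EIGRP domain
! falls back to the default route generated by R2.
ip route 0.0.0.0 0.0.0.0 203.0.113.1 track 1
!
! Caveat: if you probe a host beyond the next hop (because the next hop answers
! even when the ISP upstream is down), pin that target with a /32 static route
! via the ISP1 interface, otherwise the probe can leak out through R2 after
! the default route disappears and the track will never go down.
!
! R2: same pattern toward ISP2 (198.51.100.1 and Gi0/0 are placeholders)
ip sla 1
 icmp-echo 198.51.100.1 source-interface GigabitEthernet0/0
 frequency 10
ip sla schedule 1 life forever start-time now
!
track 1 ip sla 1 reachability
 delay down 10 up 30
!
ip route 0.0.0.0 0.0.0.0 198.51.100.1 track 1
```

Check the result with show track 1 and show ip sla statistics 1; when ISP1 is unreachable the default route disappears from show ip route on R1 and the rest of the EIGRP domain starts using R2's default.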

 

 

 

Thank you so much!
I understand you. I would use this solution: a) configure a default static route pointing to the appropriate IP next hop, and use IP SLA to track reachability of the next hop so that, if IP SLA fails, the default static route is removed.
Because I don't quite understand the second (b) solution, I should read more about it.

I updated the network today, so now R1 (10.0.1.10), R2 (10.0.1.11) and the switch (10.0.1.12) are in the same network 10.0.1.8/29 (VLAN 500). On the switch I configured an SVI (VLAN 500). In HQ I have these 2 routers and the switch (which works as core) and many spokes. In this case may I configure HSRP (because the two routers and the switch are in the same network 10.0.1.8/29) and IP SLA?

Excerpt from your text: "I do not have enough elements to understand why in your case you need to use two different IPsec profiles; it may depend on some details in your configuration." There's no need to use different IPsec profiles. I'm just asking what I should do: use the same or different IPsec profiles.
Tunnel0 for HUB1, Tunnel1 for HUB2, Tunnel0 and Tunnel1 on each spoke. I run EIGRP, dual DMVPN, in Phase 2. My question is: should I use different crypto IPsec profiles or just one?
----------------
There isn't any difference. The profiles are the same.
But on the spoke site I protect my tunnels with the 'shared' keyword,
which shares the same IPsec profile. Is this correct?

The config (I mean all parameters and attributes used in the profile) on all spokes is the same:

crypto ipsec transform-set dmvpn esp-3des esp-md5-hmac
 mode transport
!
crypto ipsec profile dmvpn
 set security-association lifetime seconds 120
 set transform-set dmvpn
!
interface Tunnel0
 ..................
 ..................
 ! profile name must match the one defined above (names are case-sensitive)
 tunnel protection ipsec profile dmvpn shared
!
interface Tunnel1
 ...................
 tunnel protection ipsec profile dmvpn shared

Hello Incognito,

thanks for your kind remarks.

>> I updated the network today, so now R1 (10.0.1.10), R2 (10.0.1.11) and the switch (10.0.1.12) are in the same network 10.0.1.8/29 (VLAN 500). On the switch I configured an SVI (VLAN 500). In HQ I have these 2 routers and the switch (which works as core) and many spokes. In this case may I configure HSRP (because the two routers and the switch are in the same network 10.0.1.8/29) and IP SLA?

You could use HSRP with IP SLA tracking, but this solves the problem of routing to the internet only in VLAN 500 on the core switch.

You have many spoke routers; how are you providing them a default route in EIGRP?

Are you using a command like ip summary-address eigrp XX 0.0.0.0 0.0.0.0 on the core switch interfaces towards the spoke routers?

The intent of my proposed configuration is actually to generate a default route in EIGRP directly on the border routers, so that it can be used everywhere in the EIGRP domain.

The proposed configuration makes both routers generate a default route as long as their default static route is alive.

In normal conditions the R1-generated default route is preferred because it has a lower composite metric, i.e. a lower EIGRP metric.

Feel free to ask for clarifications if you need.

######

About the DMVPN question, I think you are fine because the shared keyword tells the spoke routers that you are using the same profile on multiple tunnel interfaces.

However, there are some restrictions: IPsec profiles can be shared only by tunnels that have the same tunnel source IP address.

See the following configuration guide for more details:

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_dmvpn/configuration/xe-3s/sec-conn-dmvpn-xe-3s-book/sec-conn-dmvpn-share-ipsec-w-tun-protect.html

I guess you are using the shared profile correctly.

Hope to help

Giuseppe
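
For the HSRP-plus-tracking variant discussed above, here is an added example for the two routers on the 10.0.1.8/29 segment (example configuration, not Giuseppe's or the original poster's): the virtual IP 10.0.1.9, the interface GigabitEthernet0/1 facing VLAN 500, and track objects 1 and 2 (IP SLA reachability tracks toward the ISP1 and ISP2 next hops) are assumptions.

```cisco
! R1 (assumed: track 1 is an IP SLA reachability track toward ISP1's next hop,
! and GigabitEthernet0/1 is the interface on the 10.0.1.8/29 VLAN 500 segment)
interface GigabitEthernet0/1
 ip address 10.0.1.10 255.255.255.248
 standby version 2
 standby 1 ip 10.0.1.9
 standby 1 priority 110
 ! wait 30 s after coming back before reclaiming the VIP, so the default
 ! route and EIGRP adjacencies have time to settle
 standby 1 preempt delay minimum 30
 ! losing ISP1 drops R1 to 90, below R2's 100, so R2 takes the VIP
 standby 1 track 1 decrement 20
!
! R2 (assumed: track 2 watches ISP2's next hop the same way)
interface GigabitEthernet0/1
 ip address 10.0.1.11 255.255.255.248
 standby version 2
 standby 1 ip 10.0.1.9
 standby 1 priority 100
 standby 1 preempt
 standby 1 track 2 decrement 20
```

show standby brief shows which router currently holds 10.0.1.9; as the reply notes, only hosts on VLAN 500 that use the VIP as their gateway benefit, while the spokes still depend on the default route carried in EIGRP.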

 

 

SamanBayat4424

Hello

First of all, if you have BGP connections between ISP1 and R1 and between ISP2 and R2, the best solution is to tune the BGP AS path sequence; why are you looking for an FHRP protocol? The ways you mentioned are the best solution for distribution switches, where you want to connect access switches to more than one distribution switch. But if you have to choose, I would suggest you use IP SLAs. Here you can find whatever you need for configuring IP SLA ICMP echo operations:

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipsla/configuration/15-mt/sla-15-mt-book/sla_icmp_echo.html

Best regards

Saman Bayat

Thank you for the reply.
I don't have BGP; we only have EIGRP.
From this: "The ways you mentioned are the best solution for distribution switches, where you want to connect access switches to more than one distribution switch." As I understand it, I cannot use HSRP between core and distribution devices (in my case the switch is the core and the two routers are the distribution).

So you don't have any choice except IP SLA. Because those routers are in different subnets, you can't run an FHRP protocol while they are working in different subnets.

And also please notice that EIGRP has a tool for path selection. It's called offset-list. I'm totally sure the EIGRP offset-list will solve your problem.

The offset-list lets you increase the metric when you send a routing update to your neighbor or when you receive it.

You can use this for RIP or EIGRP; it is not supported for OSPF. So you can choose which router forwards the traffic.

Please give us a clear map with the configuration of your devices.

Thanks!
R1, R2 and the switch are in the same network (VLAN 500). On the switch I configured an SVI (VLAN 500).
In HQ I have these 2 routers and the switch (which works as core) and many spokes.