Heres the reason;

I have two ISP links on both ASR and doing BGP peering with both ISPs on respective ASRs..also I have advertised 2x/24 public pool with both ISPs for failover..1x/24 with 5xAS PREPEND.

Let say

ASR-1 on ISP-1,,

ASR-2 on ISP-2

Now, my Firewall behind ASRs is connected with two outside interfaces... and im have distributed my PAT list with both ISP.. firewall gateway is both HSRP IP and it depends on routing decision. if ISP-1 on ASR-1 BGP goes down HSRP decrement it values -50 hence ASR-2 converge into Active from Standby and my PAT started working with ISP-2 that was earlier working with ISP-1.

Thats is the reason of doing 2xHSRP in 1 interface... and if u saw the my config of HSRP - in ASR-1 has 1 Grp in Standy and 1 Active and the same in ASR-2.

Hope you got the idea... now back to my Qs ... HSRP on single interface with 2 Grp ... ??

Hi -

Though your sample configuration will work, I'm not sure I understand the purpose of such a design.  It's excessively complicated and confusing to someone who might work on this after you.

1. If you require 2 networks, then why aren't you using sub-interfaces and VLANs?
2. If you're peering in BGP with the ISP, then why NAT on a device other than the firewall itself?
3. If you have a common /24 that you are advertising via BGP, then why not use that network directly between the ASR's and the firewall?

Considering items 2 and 3 together, you can still use HSRP, but as a single group with the primary ASR being active except in a failure.

PSC

Hi,

I have attached WAN Segment Network diagram for your more understanding -and below my response -

1. If you require 2 networks, then why aren't you using sub-interfaces and VLANs?

    If i create Sub-Interfaces then I need to encapsulate with Dot1Q and also to Switch and by doing this entire design will need to be changed also - and ASA Firewall devices behind ASR is not on Dot1q.

• If you're peering in BGP with the ISP, then why NAT on a device other than the firewall itself?

    Im not doing NAT on Router - Firewall is doing NAT - kindly refer enclosed diagram

• If you have a common /24 that you are advertising via BGP, then why not use that network directly between the ASR's and the firewall?

    Yes, Im direclty assigning Public IPs on Firewall, but I have 2 x /24 Pool which I have distributed with both ISPs - let say 1 x /24 preferred from ISP-1 and Second /24 is preferred from ISP -2.

I couldn't find any proper way to achieve automated failover between both ISPs - however there is one way that can be done but that required Static default router on ASR-2 towards ASR-1 with higher AD than BGP -that will be through Single HSRP,,, if ISP-2 goes down then default route towards ISP-1 will be activated,,, but I dont want to play with default route here -

Please take look into diagram and suggest any

Hi

To answer Your original question, about two hsrp groups.

Yes, this is absolutly an implementation that is supported. With 2 groups, load sharing between the groups can be achieved. I can't see any problem with using hsrp that way.

You can have secondary adresses also on the hsrp "standby ip 10.10.20.1 secondary", but then one router have to take all traffic, while the other is just as backup.

/Mikael

Thank you !

As said in that case "standby ip 10.10.20.1 secondary", only one router have to take all traffic that deviate my my objective.

Regards!

Hi -

There are a lot of different ways to do an edge design. If this one is functional for you, then go for it. Normally I would recommend a single HSRP group, but in your case I can see the functionality of 2.

I see 2 long term supportability problems with your set up.

1) Secondary IP addresses on an interface is just not a good idea.  Overlaying 2 IP spaces on the same VLAN subjects both to traffic floods (broadcast storm, DDOS attack) when only 1 should be impacted.  Secondaries also impact the ability to use dynamic routing protocols. That's why I asked about VLAN separation.

2) I generally have issues with putting multiple outside interfaces on the firewall.  This is typically OK for failover, but not for a dual-active scenario.  You can easily end up with asymmetric traffic that may be dropped.

The first can be solved by simple VLAN separation.  Either install additional cables from the ASRs to the edge switch, or use sub-interfaces and dot1q tagging.

The second is a more complex problem.  You don't necessarily want all traffic to go to one ASR, because the ASR has licensed bandwidth limits (unless the combined bandwidth of both your internet connections is below your licensed bandwidth).  You could policy route on the ASA, but you may need to do code upgrades to accomplish it and it adds complexity to your FW configuration.

Your system is working now, so take my advice with a grain of salt.  Carefully consider changes before committing to them.

PSC

Hi,

I do agreed with first Point -

1) You Point is valid "2 IP spaces on the same VLAN subjects both to traffic floods (broadcast storm, DDOS attack)" - i have revised Network diagram (attached) according to your point - let me know this is what you are talking

2) Couldn't understand why there will an asymmetric traffic issue ? Lets Consider below config -

G0/1 - > OUT1

G0/2 - > OUT2

object network obj-public-10.10.10.124
 host 10.10.10.124
object network obj-static-public-192.168.1.124
 host 192.168.1.124

object network obj-public-10.10.20.73
 host 10.10.20.73
object network obj-static-public-172.24.1.73
 host 172.24.1.73

nat (dmz,OUT1) source static obj-static-public-192.168.1.124 obj-public-10.10.10.124
nat (inside,Out2) source static obj-static-public-172.24.1.73 obj-public-10.10.20.73

access-list OUT extended permit udp host 9.9.9.9 host 172.24.1.73
access-list DMZ extended permit ip host 192.168.1.124 host 172.24.1.73

route OUT2 9.9.9.9 255.255.255.255 10.10.20.1 1
route OUT1 0.0.0.0 0.0.0.0 10.10.10.1 1

In the above configuration - 10.10.10.x is on ASR-1 and 10.10.20.x is on ASR-2 - OUT2 do not have default route this Link is for some purpose and only for specific destinations - bit OUT1 is DMZ and has default route - 

Regards,

Hi -

My general expectation is that you would have quad-0 out both outside interfaces, which was the basis for my concern.  In this case, you just have explicit routes to your secondary IP space.  Your configuration is making more sense to me at this point.  There are other ways of accomplishing the same results, but I think you're fine.

PSC