Re: HSRP with multiple secondary IP addresses

dhananjay95929 · ‎08-26-2013

I have two routers running in active/standby mode for VPN connectivity to customers. They are configured for HSRP using their two primary IP addresses on each router's interface. The primary HSRP is working as expected without issues.

How do I configure the routers for HSRP with multiple secondary IP addresses and HSRP for each secondary IP address? I have tried using the secondary keyword in the “standby [group-number] ip [ip-address] secondary” statement, however, the problem is all IP addresses (primary and secondarys) are in the same /24 subnet. I am faced with the following problem then:

•1. How would the HSRP process for a secondary standby IP address know what physical secondary standby IP address to switch to in case of a failover?
•2. If I use a different standby group number for each secondary standby IP address that I create how can I link the secondary IP addresses on the physical interfaces to that specifc standby group number for segregation?

Here are the router configs for the desired HSRP and stateful failover sections,it does not work, the “show standby brief” command shows the 2, 3 and 4 secondary HSRP group numbers in the INIT states and unknown under every other column.

Router 1:

interface FastEthernet0/0

ip address 192.168.1.131 255.255.255.0 secondary
ip address 192.168.1.134 255.255.255.0 secondary

ip address 192.168.1.137 255.255.255.0 secondary
ip address 192.168.1.151 255.255.255.0

standby delay minimum 30 reload 60

standby 1 ip 192.168.1.150

standby 1 timers 1 5

standby 1 name vpnout

standby 1 track FastEthernet3/0

standby 2 ip 192.168.1.130 secondary

standby 2 timers 1 5

standby 2 track FastEthernet3/0

standby 3 ip 192.168.1.133 secondary

standby 3 timers 1 5

standby 3 track FastEthernet3/0

standby 4 ip 192.168.1.136 secondary

standby 4 timers 1 5

standby 4 track FastEthernet3/0

crypto map vpnmap redundancy vpnout stateful

crypto map vpnmap redundancy replay-interval inbound 10 outbound 1000

Router 2:

interface FastEthernet0/0

ip address 192.168.1.132 255.255.255.0 secondary
ip address 192.168.1.135 255.255.255.0 secondary

ip address 192.168.1.138 255.255.255.0 secondary
ip address 192.168.1.152 255.255.255.0

standby delay minimum 30 reload 60

standby 1 ip 192.168.1.150

standby 1 timers 1 5

standby 1 name vpnout

standby 1 track FastEthernet3/0

standby 2 ip 192.168.1.130 secondary

standby 2 timers 1 5

standby 2 track FastEthernet3/0

standby 3 ip 192.168.1.133 secondary

standby 3 timers 1 5

standby 3 track FastEthernet3/0

standby 4 ip 192.168.1.136 secondary

standby 4 timers 1 5

standby 4 track FastEthernet3/0

crypto map vpnmap redundancy vpnout stateful

crypto map vpnmap redundancy replay-interval inbound 10 outbound 1000

Thanks in advance for any insight you can provide.

dhananjay95929 · ‎08-26-2013

The following is shown under "show standby" and "show standby brief" commands for Group 2:

FastEthernet0/0 - Group 2

State is Init

Virtual IP address is unknown

Secondary virtual IP address 192.168.1.130

Active virtual MAC address is unknown

Local virtual MAC address is 0000.0c07.ac02 (v1 default)

Hello time 1 sec, hold time 5 sec

Preemption disabled

Active router is unknown

Standby router is unknown

Priority 100 (default 100)

Track interface FastEthernet3/0 state Up decrement 10

Group name is "hsrp-Gi0/0-9" (default)

Interface Grp Pri P State Active Standby Virtual IP

Fa0/0 2 100 Init unknown unknown unknown

InayathUlla Sharieff · ‎08-26-2013

Dhananjay,

Its working fine for me.

show standby:

|

Interface Grp Pri P State Active Standby Virtual IP

Fa0/0 1 100 Active local 192.168.1.152 192.168.1.150

Fa0/0 2 100 Init unknown unknown unknown

Fa0/0 3 100 Init unknown unknown unknown

Fa0/0 4 100 Init unknown unknown unknown

R1#sh standby

FastEthernet0/0 - Group 1

State is Active

2 state changes, last state change 00:01:20

Virtual IP address is 192.168.1.150

Active virtual MAC address is 0000.0c07.ac01

Local virtual MAC address is 0000.0c07.ac01 (v1 default)

Hello time 1 sec, hold time 5 sec

Next hello sent in 0.616 secs

Preemption disabled

Active router is local

Standby router is 192.168.1.152, priority 100 (expires in 4.188 sec)

Priority 100 (default 100)

Group name is "vpnout" (cfgd)

FastEthernet0/0 - Group 2

State is Init

Virtual IP address is unknown

Secondary virtual IP address 192.168.1.130

Active virtual MAC address is unknown

Local virtual MAC address is 0000.0c07.ac02 (v1 default)

Hello time 1 sec, hold time 5 sec

Preemption disabled

Active router is unknown

Standby router is unknown

Priority 100 (default 100)

Group name is "hsrp-Fa0/0-2" (default)

FastEthernet0/0 - Group 3

State is Init

Virtual IP address is unknown

Secondary virtual IP address 192.168.1.133

Active virtual MAC address is unknown

Local virtual MAC address is 0000.0c07.ac03 (v1 default)

Hello time 1 sec, hold time 5 sec

Preemption disabled

Active router is unknown

Standby router is unknown

Priority 100 (default 100)

Group name is "hsrp-Fa0/0-3" (default)

FastEthernet0/0 - Group 4

State is Init

Virtual IP address is unknown

Secondary virtual IP address 192.168.1.136

Active virtual MAC address is unknown

Local virtual MAC address is 0000.0c07.ac04 (v1 default)

Hello time 1 sec, hold time 5 sec

Preemption disabled

Active router is unknown

Standby router is unknown

Priority 100 (default 100)

Group name is "hsrp-Fa0/0-4" (default)

R1#

HTH

Regards

Inayath

dhananjay95929 · ‎08-27-2013

Do you know why the output shows as "unknown" under the Active, Standby and Virtual IP columns and State as "init" ?

Thanks!

dhananjay95929 · ‎09-03-2013

I [think] that I figured this out finally. If any one has any thoughts or objections please respond.

There are two ways this can be achieved.

1. Create a secondary standby IP address in the same standby group as the primary standby IP address using the "standby [Primary Grp Num] ip [A.B.C.D] secondary" command.

OR

2. Create a new standby group and specify a standby IP address without the secondary keyword.

There is no need for two additional secondary IP addresses on each router's interface as required for the primary. You can just specify the "standby ip [A.B.C.D] secondary" command where A.B.C.D = secondary standby IP address and let the HSRP process use the interface's primary IP addresses for determining the active and standby routers.

You may configure like this:

For Case 1:

Router 1:

interface FastEthernet0/0

ip address 192.168.1.131 255.255.255.0 secondary [can exclude this statement]
ip address 192.168.1.134 255.255.255.0 secondary [can exclude this statement]

ip address 192.168.1.137 255.255.255.0 secondary [can exclude this statement]
ip address 192.168.1.151 255.255.255.0

standby delay minimum 30 reload 60

standby 1 ip 192.168.1.150

standby 1 timers 1 5

standby 1 name vpnout

standby 1 track FastEthernet3/0

standby 1 ip 192.168.1.130 secondary

standby 1 timers 1 5

standby 1 track FastEthernet3/0

standby 1 ip 192.168.1.133 secondary

standby 1 timers 1 5

standby 1 track FastEthernet3/0

standby 1 ip 192.168.1.136 secondary

standby 1 timers 1 5

standby 1 track FastEthernet3/0

crypto map vpnmap redundancy vpnout stateful

Router 2:

interface FastEthernet0/0

ip address 192.168.1.132 255.255.255.0 secondary [can exclude this statement]
ip address 192.168.1.135 255.255.255.0 secondary [can exclude this statement]

ip address 192.168.1.138 255.255.255.0 secondary [can exclude this statement]
ip address 192.168.1.152 255.255.255.0

standby delay minimum 30 reload 60

standby 1 ip 192.168.1.150

standby 1 timers 1 5

standby 1 name vpnout

standby 1 track FastEthernet3/0

standby 1 ip 192.168.1.130 secondary

standby 1 timers 1 5

standby 1 track FastEthernet3/0

standby 1 ip 192.168.1.133 secondary

standby 1 timers 1 5

standby 1 track FastEthernet3/0

standby 1 ip 192.168.1.136 secondary

standby 1 timers 1 5

standby 1 track FastEthernet3/0

crypto map vpnmap redundancy vpnout stateful

For Case 2:

Router 1:

interface FastEthernet0/0

ip address 192.168.1.131 255.255.255.0 secondary [can exclude this statement]
ip address 192.168.1.134 255.255.255.0 secondary [can exclude this statement]

ip address 192.168.1.137 255.255.255.0 secondary [can exclude this statement]
ip address 192.168.1.151 255.255.255.0

standby delay minimum 30 reload 60

standby 1 ip 192.168.1.150

standby 1 timers 1 5

standby 1 name vpnout

standby 1 track FastEthernet3/0

standby 2 ip 192.168.1.130

standby 2 timers 1 5

standby 2 track FastEthernet3/0

standby 3 ip 192.168.1.133

standby 3 timers 1 5

standby 3 track FastEthernet3/0

standby 4 ip 192.168.1.136

standby 4 timers 1 5

standby 4 track FastEthernet3/0

crypto map vpnmap redundancy vpnout stateful

Router 2:

interface FastEthernet0/0

ip address 192.168.1.132 255.255.255.0 secondary [can exclude this statement]
ip address 192.168.1.135 255.255.255.0 secondary [can exclude this statement]

ip address 192.168.1.138 255.255.255.0 secondary [can exclude this statement]
ip address 192.168.1.152 255.255.255.0

standby delay minimum 30 reload 60

standby 1 ip 192.168.1.150

standby 1 timers 1 5

standby 1 name vpnout

standby 1 track FastEthernet3/0

standby 2 ip 192.168.1.130

standby 2 timers 1 5

standby 2 track FastEthernet3/0

standby 3 ip 192.168.1.133

standby 3 timers 1 5

standby 3 track FastEthernet3/0

standby 4 ip 192.168.1.136

standby 4 timers 1 5

standby 4 track FastEthernet3/0

crypto map vpnmap redundancy vpnout stateful