12-07-2009 06:56 PM - edited 03-06-2019 08:51 AM
Hi,
I have an issue with an upcoming project.
Currently we have two routers where both the LAN and WAN interfaces (see attached diagram) are configured using HSRP for failover (see below for config details) with both interfaces being in their own subnet ranges.
In the near future the WAN interfaces on the two routers will be connecting to two separate ISP links that have different IP ranges. There is a choice of using static routing or BGP with the ISP; however, for simplicity, it would be preferred to use static routing. Also, BGP takes 30 seconds to reconverge and it would be preferable if the failover could be quicker.
The idea is to have the links in an active/passive configuration.
Not too sure how the new WAN links should be configured.
If you can point me to a document that would be great.
Thanks in advance.
Bryce
Router
interface GigabitEthernet0/0
description ISP Link
ip address 20.xxx.xxx.21 255.255.255.248
duplex full
speed 100
no cdp enable
standby 1 ip 20.xxx.xxx.20
standby 1 timers 5 15
standby 1 preempt
!
interface GigabitEthernet0/1
description link to firewall via switch
no ip address
duplex auto
speed auto
!
interface GigabitEthernet0/1.201
description link to firewall via switch
encapsulation dot1Q 201 native
ip address 192.168.0.5 255.255.255.0
no cdp enable
standby 1 ip 192.168.0.4
standby 1 timers 5 15
standby 1 preempt
!
interface GigabitEthernet0/1.403
description management Vlan
encapsulation dot1Q 403
ip address 10.yyy.yyy.7 255.255.255.0
no cdp enable
!
Router 2
interface GigabitEthernet0/0
description ISP Link
ip address 20.xxx.xxx.22 255.255.255.248
duplex full
speed 100
no cdp enable
standby 1 ip 20.xxx.xxx.20
standby 1 timers 5 15
standby 1 priority 110
standby 1 preempt
standby 1 track GigabitEthernet0/1.201 50
!
interface GigabitEthernet0/1
description link to firewall via switch
no ip address
duplex auto
speed auto
!
interface GigabitEthernet0/1.201
description link to firewall via switch
encapsulation dot1Q 201 native
ip address 192.168.0.6 255.255.255.0
no cdp enable
standby 1 ip 192.168.0.4
standby 1 timers 5 15
standby 1 priority 110
standby 1 preempt
standby 1 track GigabitEthernet0/0 50
!
interface GigabitEthernet0/1.403
description management Vlan
encapsulation dot1Q 403
ip address 10.yyy.yyy.8 255.255.255.0
no cdp enable
!
12-07-2009 09:04 PM
Hi,
With your future setup, what I can see is that you will be running HSRP in your local LAN with an Active/Passive config. If that is so, then at any single point of time only one ISP will be forwarding traffic.
As stated, you want to use the ISPs in Active/Passive mode. What I would suggest is to try configuring HSRP tracking on your router: if the link goes down, the priority will be decremented and traffic will be shifted to the second router and the second ISP link.
Hope this helps!!
Regards
Ganesh.H
12-09-2009 12:59 AM
Hi,
If I understand your question correctly, your setup will be something like this
ISP A              ISP B
  |                  |
  |                  |
  |                  |
  |                  |
Router 2          Router 1
  |                  |
  |                  |
  |                  |
-------------------------------------
               LAN
Routers can continue to work as active/passive for LAN, as it is. So, say your Router 2 is active for LAN, and you want ISP A to be primary for all the traffic. If ISP A fails, you want Router 1 to be active, and start sending the packets towards ISP B. In this case, all you need to do is configure your LAN for HSRP as below, and you do not need to configure HSRP on WAN. Just have WAN configured with an IP address for reachability with the ISP.
Router 2
interface GigabitEthernet0/1.201
description link to firewall via switch
encapsulation dot1Q 201 native
ip address 192.168.0.6 255.255.255.0
no cdp enable
standby 1 ip 192.168.0.4
standby 1 timers 5 15
standby 1 priority 110
standby 1 preempt
standby 1 track GigabitEthernet0/1.201 15
standby 1 track 123 decrement 15
ip sla 1
icmp-echo
timeout 3000
frequency 3
ip sla schedule 1 life forever start-time now
track 123 rtr 1 reachability
Router 1
interface GigabitEthernet0/1.201
description link to firewall via switch
encapsulation dot1Q 201 native
ip address 192.168.0.5 255.255.255.0
no cdp enable
standby 1 ip 192.168.0.4
standby 1 timers 5 15
standby 1 preempt
HTH
Saurabh
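Added example, not part of the thread or any poster's configuration: a simplified Python model of the HSRP election that the tracking config above relies on, using the priorities (110 vs. the default 100) and the decrement of 15 from the reply. It shows why the decrement must push the active router below its peer and why the peer needs preempt. The function names and the "track 123" label are this example's own, and the model assumes both routers stay up and keep exchanging hellos.

```python
from dataclasses import dataclass, field

DEFAULT_PRIORITY = 100  # HSRP priority when no "standby N priority" line is configured


@dataclass
class HsrpRouter:
    name: str
    ip: str
    priority: int = DEFAULT_PRIORITY
    preempt: bool = False
    tracks: dict = field(default_factory=dict)  # tracked object -> decrement

    def effective_priority(self, down):
        # Every tracked object that is down subtracts its decrement.
        lost = sum(dec for obj, dec in self.tracks.items() if obj in down)
        return max(self.priority - lost, 0)


def elect(active_name, routers, down):
    """Name of the active router once the tracked objects in `down` have failed.

    Simplified: both routers stay up and keep exchanging hellos.
    """
    def rank(r):
        # Higher priority wins; the higher interface address breaks a tie.
        return (r.effective_priority(down), tuple(map(int, r.ip.split("."))))

    holder = next(r for r in routers if r.name == active_name)
    best = max(routers, key=rank)
    # A better-ranked router only takes over if it is configured to preempt.
    if best is not holder and best.preempt:
        return best.name
    return holder.name


def build(decrement=15, r1_preempt=True):
    # Values from the reply's config; the object label is this example's own.
    r2 = HsrpRouter("Router 2", "192.168.0.6", 110, True, {"track 123": decrement})
    r1 = HsrpRouter("Router 1", "192.168.0.5", preempt=r1_preempt)
    return [r1, r2]


if __name__ == "__main__":
    isp_a_down = {"track 123"}
    print(elect("Router 2", build(), set()))                        # steady state
    print(elect("Router 2", build(), isp_a_down))                   # SLA probe fails
    print(elect("Router 2", build(decrement=5), isp_a_down))        # decrement too small
    print(elect("Router 2", build(r1_preempt=False), isp_a_down))   # peer cannot preempt
```

With a decrement of 5 the tracked failure leaves Router 2 at 105, still above Router 1, so the LAN gateway never moves even though the ISP path is down.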
12-09-2009 09:11 AM
saurabh_knl wrote:
Hi,
If I understand your question correctly, your setup will be something like this
ISP A              ISP B
  |                  |
  |                  |
  |                  |
  |                  |
Router 2          Router 1
  |                  |
  |                  |
  |                  |
-------------------------------------
               LAN
Routers can continue to work as active/passive for LAN, as it is. So, say your Router 2 is active for LAN, and you want ISP A to be primary for all the traffic. If ISP A fails, you want Router 1 to be active, and start sending the packets towards ISP B. In this case, all you need to do is configure your LAN for HSRP as below, and you do not need to configure HSRP on WAN. Just have WAN configured with an IP address for reachability with the ISP.
Router 2
interface GigabitEthernet0/1.201
description link to firewall via switch
encapsulation dot1Q 201 native
ip address 192.168.0.6 255.255.255.0
no cdp enable
standby 1 ip 192.168.0.4
standby 1 timers 5 15
standby 1 priority 110
standby 1 preempt
standby 1 track GigabitEthernet0/1.201 15
standby 1 track 123 decrement 15
ip sla 1
icmp-echo source-interface GigabitEthernet0/0
timeout 3000
frequency 3
ip sla schedule 1 life forever start-time now
track 123 rtr 1 reachability
Router 1
interface GigabitEthernet0/1.201
description link to firewall via switch
encapsulation dot1Q 201 native
ip address 192.168.0.5 255.255.255.0
no cdp enable
standby 1 ip 192.168.0.4
standby 1 timers 5 15
standby 1 preempt
HTH
Saurabh
Hi Saurabh,
I believe you might have intended to put the G0/0 interface, which connects to the ISP, in the track command. Could you please confirm? Thx
Coming back to the original poster's scenario: it is not mentioned, however you might want to consider the return path for your traffic as well. Unless you get one of the ISPs to be the secondary and they manipulate your route for you when they advertise it to the rest of the internet, you will end up using both links for return traffic. If you do not want the ISP to manipulate your route and would like to manipulate it yourself, then I would strongly suggest looking into running BGP with the ISP. Thx
12-09-2009 01:44 PM
Saurabh,
Thanks for the help.
To clarify a couple of things.
The diagram is correct; however, both links connect to the same ISP. A single /24 public IP address range will be advertised by the ISP.
As per the last posting I am concerned with the return traffic and would like to ensure that it is only coming in one link. We would also like to be able to manipulate the traffic as well when doing maintenance, etc. My one concern with BGP is the delay in switching links in the case of a failure. With HSRP the links could be swapped with no dropout. With BGP there is a long delay.
Any suggestions as to how I can get around this?
I will be talking to the ISP later today for their ideas and will update the thread accordingly.
Thanks once again.
Bryce.