Same public subnet at Primary and Secondary Failover

Mokhalil82
Level 4

Hi

 

We have a primary and a secondary site. The core switch at each site goes into a firewall and then a router, which then connects to the ISP router. Our two core switches are connected via two other L2 switches, as there is no extra link, so we have configured EIGRP over the L2 link for L3 connectivity between the cores.

 

Core -------> Firewall --------> Our Router -------------ISP Router

 

Now we have a 217.56.32.16 /28 public LAN subnet from the ISP. At the primary site .17 is the gateway to the internet and .18 is our external IP on our router. 

On the backup side we haven't connected our router to the ISP router yet, but we are looking into failover. I know HSRP is an option, but we thought about configuring IP SLA on the primary core switch so that if connectivity to the gateway fails, the traffic is routed to the secondary gateway via the secondary core switch.

Is this viable? Although the same LAN subnet range is assigned by the ISP for both sites, can we still keep them separate in that sense, or will the primary router see the secondary router? It won't see it internally unless configured to, but I'm sure it's not going to externally either, as it's an ISP LAN IP; then have separate WAN IPs on both their routers which are in different subnets.

 

Thanks

Accepted Solution

I understand what you mean and believe it or not I was going to add it as an option but it is a really bad idea.

The reasons are -

1) Traffic flow. Internet traffic from inside goes through the firewall to your WAN router, then has to go back to the core, then to the ISP router and then to the internet.

Coming back it comes from the ISP to your core then to your WAN router then to your firewall.

That is a lot of extra hops.

2) The real problem, though, is that you now have a direct connection from the internet to your core switch without going through the firewall.

Even if you rule out someone gaining access to the core switch imagine what a denial of service attack could do to your core switches because there would be no firewall to stop it.

In short just don't do it :-)

I would choose one of the other options whichever you are more comfortable going with.

As I say using different IPs at the secondary site seems the easiest to me.

If you go down the HSRP route be aware that traffic flows are also not necessarily going to be optimal ie.

You have a failure in your infrastructure, so you switch to the secondary site. But the ISP router is still up, so traffic goes to the secondary site and then has to go back across the new link to the primary site to get to the HSRP active router.

And return traffic does the same thing I assume although I have no idea how the ISP is handling the routing.

In addition I'm not sure what running HSRP on your WAN routers gives you ie. if the firewall fails in your primary site then your routers are still up so running HSRP. Traffic is redirected to the secondary site so the IP used is the IP on the WAN interface of your secondary router which is not the HSRP VIP. The ISP should send it back to the right router but HSRP has given you nothing here.

I am still working out all the failure scenarios but I am not entirely convinced HSRP is the best solution.

All that said if you feel that is the best solution then by all means do it because it is you that has to support it.

Jon


20 Replies

Julio Carvajal
VIP Alumni

Hello,

 

Let me see if I understand this correctly.

 

You have 2 sites (each site connects to the same ISP, and each of these sites is composed of a Core Switch, a Firewall and the Edge Router).

These 2 sites connect to each other via some L2 switches, and you have configured EIGRP as the routing protocol in the core of your network.

 

What you are looking for is redundancy at the Internet access level and you want to know the best way to make it happen as both sites use the same ISP link (They are even on the same public IP address space).

 

Based on that you have a couple of options:

 

1) As you said, configure HSRP on the WAN interface on each of the Edge Routers (you can even add more reliability by tracking the connection status of the interface to the firewall, etc.).

This option would be the one that will require less configuration.

2) You could configure a static route on each of the Edge Routers and track that route. Then redistribute into EIGRP (you will be using a lower metric or AD for the one site you want to use as primary), and if by any chance that tracked route fades away you could remove it from the EIGRP topology table so the other kicks in.

This option would require more configuration + enabling EIGRP at the Firewall level.

 

Hope that I understood the problem correctly!


Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2-CCNP, JNCIS-SEC
For immediate assistance hire us at http://i-networks.us
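Julio's option 1, written out as an added configuration example (this is not from the original thread or from either poster). It assumes Cisco IOS edge routers whose WAN interfaces (GigabitEthernet0/0) sit on one shared L2 segment with the ISP routers, which is the precondition Jon raises later in the thread; the inside interface name GigabitEthernet0/1, the secondary router's WAN address 217.56.32.26 and the customer-side virtual IP 217.56.32.30 are assumptions, while 217.56.32.16/28 and .18 come from the question.

```cisco
! Added example, not the original poster's configuration.
! Assumed: Gi0/0 = WAN on the shared ISP segment, Gi0/1 = firewall-facing
! inside interface, VIP 217.56.32.30 and secondary WAN IP 217.56.32.26 are
! free addresses in the ISP /28 (assumption).
!
! ---- Primary edge router, WAN IP 217.56.32.18 (from the thread) ----
! Track the inside interface so a failure between router and firewall
! also hands over the active role, not only a WAN-side failure.
track 10 interface GigabitEthernet0/1 line-protocol
!
interface GigabitEthernet0/0
 description WAN - shared segment with ISP routers
 ip address 217.56.32.18 255.255.255.240
 standby version 2
 standby 1 ip 217.56.32.30
 standby 1 priority 110
 standby 1 preempt delay minimum 30
 standby 1 timers 1 3
 standby 1 track 10 decrement 30
 standby 1 authentication md5 key-string <shared-key>
!
! ---- Secondary edge router, WAN IP 217.56.32.26 (assumption) ----
track 10 interface GigabitEthernet0/1 line-protocol
!
interface GigabitEthernet0/0
 description WAN - shared segment with ISP routers
 ip address 217.56.32.26 255.255.255.240
 standby version 2
 standby 1 ip 217.56.32.30
 standby 1 priority 90
 standby 1 preempt delay minimum 30
 standby 1 timers 1 3
 standby 1 track 10 decrement 30
 standby 1 authentication md5 key-string <shared-key>
```

The decrement (30) is deliberately larger than the priority gap (20) so that losing the inside interface on the primary drops it to 80, clearly below the secondary's 90, instead of leaving a tie that HSRP would break on the higher interface address. The MD5 key matters here more than on an internal VLAN: the segment is shared with the ISP, so any host able to speak on it could otherwise claim the virtual IP with a higher priority. For the return path to follow the active router, outbound NAT has to use the virtual IP rather than each router's physical WAN address; check the result with "show standby brief" and "show track 10" on both routers.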

 


Hi Thanks for the response Julio.

 

So I have the following setup. Notice on the secondary side there is currently no link from our router to the ISP router. This we are going to plug in this week once we have decided on the failover, so the external IP on our secondary router has not yet been configured either.

 

On the primary core switch we have a default route to the firewall, which has a route to our router, which then has a route to the ISP router to send traffic out.

I was thinking, to keep it simple (I'm new to this, so this is what I was recommended), to set up IP SLA on the primary core switch that tracks a default route; when connectivity fails, IP SLA drops the primary route and uses the second route that points to core switch 2 over the EIGRP link.

I know how to set up the IP SLA and can work the failover, but I was thinking, as we have the same ISP subnet across both routers, will this work? Can these routers see each other on the outside?

If HSRP is to be used, how can I configure it on my routers and get the internal traffic to fail over? I've set up HSRP, but only on a really simple setup. Does the ISP have to configure HSRP on the external side on their routers so I have the .17 next-hop gateway on both my primary and secondary routers?

 

Thanks

The IP SLA should work fine.

The rest though is doubtful.

For HSRP to work you need the WAN interfaces of your routers and the ISP router's interfaces connecting to your WAN routers to be in the same IP subnet.  There is no sign of a L2 link between your WAN routers. You do have one between the core switches but it is multiple L3 hops away so it can't be used for HSRP.

Have you agreed to use HSRP  with the ISP.

Even if you have, lets say your firewall in the primary site fails or the LAN interface of your WAN router so you send traffic out of the secondary site due to IP SLA. But the primary router is still up so the ISP would send the return traffic back to it because it is still the HSRP active gateway.

You could as Julio says, run tracking on your WAN router or even IP SLA back into your network to check the firewall availability but it still comes down to what you have agreed with the ISP.

What is more common is to have different IP addressing for the secondary internet connection and not run HSRP.

The ISP routes your existing subnet to the primary router. So when your clients go to the internet they use one of the existing IPs and so return traffic is routed back to the primary router.

If anything fails and traffic is routed via the secondary site clients then use a different IP which the ISP is routing back to your secondary router.

That should work for clients accessing the internet.

If however you host internal servers that are accessed from the internet it gets more tricky because which public IP do you use.

So what has the ISP said about all this and do you host any internal servers that internet users access ?

Jon
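The IP SLA approach the original poster describes (track the gateway from the primary core, fall back to a route via the secondary core), which Jon says should work, written out as an added configuration example; it is not from the thread. Assumed addressing: primary core Vlan100 10.0.0.1 facing the firewall inside interface 10.0.0.2, Vlan200 10.0.1.1 facing the secondary core 10.0.1.2 across the L2 link, and the secondary firewall inside interface 10.0.2.2; the probe target 217.56.32.17 is the ISP gateway given in the question.

```cisco
! Added example, not the original poster's configuration.
! Assumed: 10.0.0.2 = primary firewall inside, 10.0.1.2 = secondary core
! over the L2 link, 10.0.2.2 = secondary firewall inside. 217.56.32.17 is
! the ISP gateway from the thread.
!
! ---- Primary core switch ----
ip sla 1
 icmp-echo 217.56.32.17 source-ip 10.0.0.1
 threshold 1000
 timeout 2000
 frequency 10
ip sla schedule 1 life forever start-time now
!
! Dampen the track so a single lost probe does not flip the default route;
! fail over after 10 s down, fail back only after 30 s of good probes.
track 1 ip sla 1 reachability
 delay down 10 up 30
!
! Pin the probe target to the primary path. Without this host route the
! probe would follow the default route, be sent via the secondary site after
! failover, succeed, and flap the primary default route back in.
ip route 217.56.32.17 255.255.255.255 10.0.0.2
!
! Primary default via the local firewall, withdrawn while track 1 is down.
ip route 0.0.0.0 0.0.0.0 10.0.0.2 track 1
!
! Floating backup default (AD 250) via the secondary core, installed only
! while the tracked route is absent.
ip route 0.0.0.0 0.0.0.0 10.0.1.2 250
!
! ---- Secondary core switch ----
! Its own default points at the secondary firewall; internal subnets are
! already learned from the primary core over EIGRP, so return traffic from
! the secondary firewall finds its way back.
ip route 0.0.0.0 0.0.0.0 10.0.2.2
```

Two things to check before trusting it: the primary firewall must permit (and NAT) the ICMP probe from 10.0.0.1 to 217.56.32.17, otherwise the track never comes up and the core sits on the backup path from the start; and the probe only proves the ISP edge router is reachable, so an upstream ISP failure behind a healthy .17 will not trigger failover. As Jon notes further down, because both routers NAT clients to their own WAN address in the same /28, the ISP delivers return traffic to whichever router owns that address, but every existing NAT session breaks at the moment of failover since the public source address changes. Verify with "show track 1", "show ip sla statistics 1" and "show ip route 0.0.0.0".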

 

Hi Jon

Thanks for the response. So yes, we do host 4 internal servers that are statically mapped to external IP addresses in the ISP LAN range, under IPs .19 - .22.

There will be a link soon between our secondary router to the ISP router once we have decided on the failover but there is no direct link between both our routers.

Initially we thought the addressing on the second site would be different and had thought about using the IP SLA failover, but today the ISP got back to us and advised that the range is the same on both primary and secondary, hence why we are trying to rethink.

This secondary circuit was set up a while back, and the person who arranged it has since left without leaving many details.

The ISP advised HSRP should be run and that .17 is the gateway and should be a floating IP. Now .17 is on their router, which we don't have access to, so should the failover of that IP be done by the ISP, so that if their primary connection fails the .17 acts as the gateway for the second site?

 

Thanks

 

 

Okay, so using a different IP range at the secondary site would be an issue for the servers you are hosting.

However I cannot see how this is going to work. The WAN interfaces of your routers and the ISP routers need to be in the same vlan/IP subnet for HSRP to work, which would mean you need the sites to be connected via a L2 connection for the routers, but you make no mention of this.

How is the ISP running HSRP between both their routers ?

Julio may have some ideas but I am struggling to see how this works.

There may also be an issue with your NAT for the servers you are hosting but I don't think it's worth going into all that until I understand how this is setup.

Can you see where I am coming from ?

Jon

Hi Jon

The WAN interfaces on our routers and the ISP routers are in the same subnet of 100.100.100.16/28 but we don't have a L2 link between our routers, not sure if the HSRP hello's can run via our internal network over the vlan trunk between the core switches but yes there are routed links in between as well. 

I can understand this is somewhat confusing. The ISP is not currently running HSRP but they said that we should. Don't think the ISP know exactly how this should all work together. 

The internal hosted server are not a major concern but whats more important is we still have connectivity outside when the primary fails.

Okay there are two issues here.

As discussed, HSRP. You cannot use that link between your cores. You may be able to do some kind of tunnelling, but you really don't want to go there.

As I understand it the ISP is also doing HSRP, is that correct ?

From the sounds of it I'm not sure they are fully aware of the situation. Perhaps they think both routers are at the same site. I think you need to have a chat with them as to how they think this is going to work.

The internal servers. Are you saying that if the primary went down you wouldn't want to use the secondary to get to them ?

If so then not a concern.

If you do however then there are considerations you need to know whether you use the same IP addressing at both sites or different IP addressing.

I don't want to cloud the main issue ie. HSRP but if you want it explaining before you talk with the ISP then just let me know.

Jon

 

The ISP is not currently doing HSRP on their end; they have just assigned the .17 address to their first router and .28 on the second router, both of which are in the same subnet as shown in the diagram in the earlier post. I don't think they know or have looked into this deeply enough, and I have mentioned that the routers are in different sites.

And with the internal servers, not a major concern; they are hardly used much, so if we can't get to them we have manual procedures in place, and the fact is they are not used heavily.

So if I went ahead with the IP SLA solution, for example: nearly all access layer switches are coming into the primary core and don't have a direct link to the secondary core except via the primary core (the secondary, by the way, is a backup site and only a few users are there). Then the primary core will send the traffic out via the secondary core once it loses the primary link. If the traffic during failover is hitting the secondary router, will the return traffic not take the same path back? That is what I was thinking. Would that not work, even for just internet access?

 

 

So you are using NAT to translate all the internal clients to the WAN IP of the secondary router, which is from the same subnet as used on the primary router.

If so then it "should" work although I can't say for certain because of the doubt as to what the ISP is doing.

In a previous post I said if you used HSRP and you had a failure in the primary site but the WAN interface of your router stayed up then traffic would go out via the secondary site but the ISP would send the return traffic back to the primary WAN router because it is HSRP active.

Actually if you are using the public IPs assigned to the WAN IPs of both routers to NAT internal clients then this won't happen because the ISP should be able to send it back to the correct router based on the IP address, assuming all routers are in the same vlan/IP subnet.

So apologies for any confusion caused there

Give it a try is all I can say but it would be good to know how the ISP thinks this is going to work.

Jon 

 

Yes, at both gateways the routers will be NATting all traffic to my outside IP, so the secondary is only to be used if the primary fails.

I'll give that a go and see what works. Thanks for all your input Jon, very helpful as usual.

No problem, glad to help.

Would be interested to hear how it goes and what configuration you end up with.

Jon

Thanks again and I will feedback once I get this working

Hi Jon

I've been in contact with the ISP today, and they said they should have configured HSRP on their routers and used the .17 address as the virtual IP. So they have requested us to put a L2 link between the routers.

They haven't got back to me since; I spoke to them in the morning and in the afternoon they sent me this info by email.

So for this L2 link: I have my 2 core switches connected via a L2 link, and the uplinks to the routers are L3, so that won't work. Are we able to run a cable from each of the core switches direct to the routers, bypassing the L3 uplinks, to create that L2 link between the routers? In theory I'm guessing it should work.

 

Thanks

I suspect this won't work.

Where are the ISP routers, are they in each site?

If they are I suspect what they are asking for is for you to put a switch in between your routers and theirs so you can have all the interfaces on the same subnet and run HSRP on both routers.

This is a bit hard to explain, but if you ran cables from the WAN interfaces of your routers back through the core switches you would have created a closed loop, i.e. your WAN routers wouldn't then be able to send packets anywhere on their WAN interfaces other than to each other, if that makes sense.

So I think the ISP is expecting a switch and you connect your WAN interfaces to that and the ISP internal interfaces to it.

Jon