I have 2 routers, one to each ISP. HSRP is working between the 2 routers with Layer 2 switches downstream. I have this deployed in EVE-NG. I would like to know if this is correct concerning the config. R1 = Active HSRP, R2 = Standby HSRP. I have NAT statements so they can get out to the internet. Can I use IP SLA to track connectivity to the internet on R1, and if there is no connectivity to the internet on R1 (Active HSRP), then switch to R2? Your assistance would be immensely appreciated.
Hello Irvin
This is a commonly deployed scenario. Ideally, when you have two ISPs, it is preferable to employ such redundancy using routing protocols. This would require that you have at least one router between your two edge routers and your internal networks. This is typically used for larger enterprises, so for smaller and more “financially-challenged” organizations, this setup is common.
How you set up your active HSRP device and your routing will depend on how you want your traffic to be distributed between your two ISPs. You should always match up the primary ISP with the active HSRP device. If you are distributing your traffic across the two ISPs, then the HSRP device serving the subnets that are destined to reach the Internet via ISP 1 should be the active device for those subnets, and the other should be the active device for subnets using the other ISP.
The reason for this is to avoid traffic having to traverse the link between the two HSRP devices to get to “the other” ISP. This can overwhelm this link, and introduce an extra hop in the traffic flow.
Now having said that, you can and actually should use tracking in order to discover if a device, or an upstream link (to the ISP), has failed. In this case, HSRP should cause all subnets to have the other device as the active one so that the fault can be circumvented. Does that make sense? For some more information on how HSRP and other First Hop Redundancy Protocols (FHRPs) behave with routing, take a look at this NetworkLessons note on the topic.
Now, if you are using Nexus devices as the HSRP pairs, the protocol actually works as a load-balancing mechanism, where traffic is shared between multiple HSRP devices. This is done automatically, you don’t configure it nor can you avoid it. So in this case, you would have to ensure that your routing by both devices is configured correctly so that the data stream of one particular host is not split among multiple ISPs.
I hope this has been helpful!
Laz
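An added example (not from the original thread) of the tracking described above, on Cisco IOS: an IP SLA ICMP probe toward the ISP1 next hop feeds a track object, and HSRP on the LAN side decrements R1's priority when that object goes down so R2 (priority 100, preempt enabled) becomes Active. Interface names, the 203.0.113.0/24 and 192.168.1.0/24 addresses, and the priority and timer values are assumptions.

```cisco
! R1 (intended Active). Assumed interface names and RFC 5737 addresses.
! ICMP echo probe to the ISP1 next hop, sourced from the ISP-facing interface.
! Probing only the next hop detects a dead uplink but not a failure deeper in
! ISP1; probing a more distant address catches more but risks false failover.
ip sla 1
 icmp-echo 203.0.113.1 source-interface GigabitEthernet0/0
 frequency 5
 timeout 1000
 threshold 800
ip sla schedule 1 life forever start-time now
!
! Tracking object follows the probe's reachability state; the delays damp
! flapping so a single lost echo does not bounce the HSRP role.
track 1 ip sla 1 reachability
 delay down 10 up 30
!
! Optional: withdraw R1's default route with the same object so R1 never
! forwards into a dead uplink while HSRP is still converging.
ip route 0.0.0.0 0.0.0.0 203.0.113.1 track 1
!
interface GigabitEthernet0/1
 description LAN toward L2 switches
 ip address 192.168.1.2 255.255.255.0
 standby version 2
 standby 1 ip 192.168.1.1
 standby 1 priority 110
 standby 1 preempt
 standby 1 track 1 decrement 20
!
! R2 (Standby) keeps priority 100 with preempt on the same group. When R1's
! probe fails, R1 drops to 90 and R2 takes over; when the probe recovers,
! R1 preempts back. Give R2 a symmetric probe toward ISP2 (its own sla/track
! and decrement) so it yields if its own uplink is the one that fails.
```

Because each router NATs independently, existing TCP sessions do not survive the switch to the other ISP's public address; clients will re-establish them through R2.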
Hi there
I have this implemented and working the way it should. Just trying to figure out having 2 peers under my crypto map for redundancy. Should I be using the following:
set peer 2.2.2.2 default
set peer 3.3.3.3
Hello Irvin
The question you’re asking in this post is unrelated with the previous HSRP question, correct? You are now trying to configure two peers under your crypto map configuration so that you can have redundancy in the creation of your IPSec VPN, correct?
In this case, yes, you’re on the right track. You can have multiple peers for redundancy in your crypto map configuration. The command set peer allows you to define the IP address of the remote IPsec peer.
Here is how you can do it:
crypto map mymap 10 ipsec-isakmp
set peer 2.2.2.2
set peer 3.3.3.3
In this configuration, the peer 2.2.2.2 will be the primary, and 3.3.3.3 will be the secondary or backup peer. The IPSec VPN tunnel will always be established with the primary peer if it’s available. If the primary peer is unavailable, the secondary peer will be used.
Also note that the default keyword is not necessary in this context. The first set peer command will automatically set that peer as the default.
I hope this has been helpful!
Laz