What I wanted to achieve here was a complete failover of a Cisco router pair. I know Cisco ASAs can do a better, smoother job, but I detest ASAs as they don't follow the normal IOS commands 🙂

In this configuration I am using two Cisco 2921 routers with the Security Bundle, and I also have two Internet connections, both using the same IP range.

Basics:

Router #1
Internal 10.20.0.250
HSRP: 10.20.0.254
External 77.12.11.4
HSRP: 77.12.11.6

Default Route – 77.12.11.3

Router #2
Internal 10.20.0.252
HSRP: 10.20.0.254
External 77.12.11.5
HSRP: 77.12.11.6

Default Route – 77.12.11.3

HSRP-1

Also worth noting: the ISP is also running HSRP, using 77.12.11.1 as primary, 77.12.11.2 as secondary and 77.12.11.3 as the HSRP address, which is our default gateway.

Configure the interfaces. In my case I have configured:

GigabitEthernet 0/0 = WAN

GigabitEthernet 0/1 = Internal

You need to create two HSRP groups (one per interface) using the following:

Primary-Router
interface GigabitEthernet0/0
 description ** 100Mb Internet**
 bandwidth 102400
 ip address 77.12.11.4 255.255.255.192
 ip nbar protocol-discovery
 ip nat outside
 ip virtual-reassembly in
 standby mac-refresh 8
 standby delay minimum 10 reload 60
 standby 0 ip 77.12.11.6
 standby 0 timers 1 3
 standby 0 preempt delay reload 7 sync 7
 standby 0 name HSRP-External
 standby 0 track 1 decrement 20
!
interface GigabitEthernet0/1
 description **LAN 1Gbps / HSRP**
 ip address 10.20.0.250 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 standby mac-refresh 8
 standby delay reload 50
 standby 1 ip 10.20.0.254
 standby 1 preempt
 standby 1 name HSRP-Internal
 standby 1 track 1 decrement 20
 duplex auto
 speed auto
end

Secondary-Router
interface GigabitEthernet0/0
 description ** 100Mb Internet**
 bandwidth 102400
 ip address 77.12.11.5 255.255.255.192
 ip nbar protocol-discovery
 ip nat outside
 ip virtual-reassembly in
 standby mac-refresh 8
 standby delay minimum 10 reload 60
 standby 0 ip 77.12.11.6
 standby 0 timers 1 3
 standby 0 priority 90
 standby 0 preempt delay reload 7 sync 7
 standby 0 name HSRP-External
 standby 0 track 1 decrement 20
!
interface GigabitEthernet0/1
 description **LAN 1Gbps / HSRP**
 ip address 10.20.0.252 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 standby mac-refresh 8
 standby delay reload 50
 standby 1 ip 10.20.0.254
 standby 1 priority 90
 standby 1 preempt
 standby 1 name HSRP-Internal
 standby 1 track 1 decrement 20
 duplex auto
 speed auto
end

Use show standby to confirm: you should see Active on the primary router on both interfaces.

1) The default priority is 100 (higher is better), so you need to set the secondary router to a slightly lower value.

2) preempt needs to be set only if you want the active router to take back the role once a failover has occurred.

3) I have configured an SLA track on the primary router which tracks the default gateway 77.12.11.3. I have done this because I want to fail over if the router can no longer reach the default gateway, as this is more likely than an interface problem. As you can see from the below, I am tracking the default gateway across both internal and external interfaces on the primary router (the best way of doing this: if it fails, it drops the priority by 20, making the secondary active).

SLA Configuration:

ip sla 1
icmp-echo 77.12.11.3 source-ip 10.20.0.250
frequency 5
ip sla schedule 1 life forever start-time now

track 1 ip sla 1 reachability
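As an added illustration (not part of the original post), this Python model replays the election rules above with the values from this configuration: primary at 100, secondary at 90, both tracking object 1 with decrement 20. It also checks the caveat that the decrement has to be larger than the priority gap; otherwise a failed SLA lowers the priority but never moves the Active role.

```python
from dataclasses import dataclass

@dataclass
class HsrpRouter:
    name: str
    priority: int      # "standby N priority" (default 100)
    decrement: int     # "standby N track 1 decrement <n>"
    preempt: bool      # "standby N preempt"
    track_up: bool = True   # state of track object 1 (the SLA to 77.12.11.3)

    def effective_priority(self) -> int:
        # A failed tracked object lowers the running priority by the decrement.
        return self.priority - (0 if self.track_up else self.decrement)

def elect_active(routers, current_active=None):
    """Return the name of the router holding the Active role.

    With no incumbent the highest effective priority wins. An incumbent is
    only displaced by a router that has preempt enabled AND a strictly
    higher effective priority; without preempt the incumbent keeps the role.
    """
    best = max(routers, key=lambda r: r.effective_priority())
    if current_active is None:
        return best.name
    cur = next(r for r in routers if r.name == current_active)
    if best.preempt and best.effective_priority() > cur.effective_priority():
        return best.name
    return cur.name

def decrement_is_sufficient(primary_priority, secondary_priority, decrement):
    """The decrement must push the primary below the secondary; otherwise a
    failed track changes the priority but never moves the Active role."""
    return primary_priority - decrement < secondary_priority

def failover_sequence(primary_preempt=True):
    """Replay the page's scenario: SLA fails on the primary, then recovers."""
    primary = HsrpRouter("primary", 100, 20, preempt=primary_preempt)
    secondary = HsrpRouter("secondary", 90, 20, preempt=True)
    routers = [primary, secondary]
    steps = [elect_active(routers)]               # steady state
    primary.track_up = False                      # 77.12.11.3 unreachable
    steps.append(elect_active(routers, steps[-1]))
    primary.track_up = True                       # gateway reachable again
    steps.append(elect_active(routers, steps[-1]))
    return steps

if __name__ == "__main__":
    print(failover_sequence())          # ['primary', 'secondary', 'primary']
    print(failover_sequence(False))     # ['primary', 'secondary', 'secondary']
```

With a decrement of 5 instead of 20 the primary would sit at 95 after the SLA fails, still above the secondary's 90, so nothing would fail over.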

NOTE: The router HAS to reboot when its state changes, as it's the only way the router can rejoin as a secondary. A bit poor on Cisco's part, and I am confident this will be changed in new releases (I hope). In my opinion this is the only problem that makes the ASAs a better choice.

Once this is done you can go on to configure stateful IPsec VPN failover as well as stateful static NAT and dynamic NAT.

Configuring stateful VPN failover is very simple: all you need to do is add the crypto map under the external interface as you normally would, except add "redundancy HSRP-External stateful". Note "HSRP-External" is the name I used in my previous post.

interface GigabitEthernet0/0
 crypto map IPSEC-VPN redundancy HSRP-External stateful

Do this on both primary and secondary routers. The following show commands verify that all of the above is working correctly:

show redundancy states
show standby brief
show crypto isakmp sa
show crypto isakmp sa standby
show crypto ipsec sa
show crypto ipsec sa standby

Examples:

Cisco2921-Primary#sh redundancy states
my state = 13 -ACTIVE
peer state = 8 -STANDBY HOT
Mode = Duplex
Unit ID = 0

Maintenance Mode = Disabled
Manual Swact = enabled
Communications = Up

client count = 14
client_notification_TMR = 30000 milliseconds
RF debug mask = 0x0

Cisco2921-Primary#show standby brief
                     P indicates configured to preempt.
                     |
Interface   Grp  Pri P State   Active          Standby         Virtual IP
Gi0/0       0    100 P Active  local           77.11.12.5      77.11.12.6
Gi0/1       1    100 P Active  local           10.20.0.252     10.20.0.254
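To check the pair from a monitoring host rather than by eye, here is an added Python example (not from the original post) that parses the `show standby brief` table above, using a constructed sample, and flags the two conditions worth alerting on: groups 0 and 1 in different states on the same router (a split pair, which the track on both interfaces is there to prevent), or a peer shown as unknown.

```python
import re

# Constructed sample modelled on the "show standby brief" output above.
SAMPLE_OUTPUT = """\
P indicates configured to preempt.
    |
Interface   Grp  Pri P State   Active          Standby         Virtual IP
Gi0/0       0    100 P Active  local           77.12.11.5      77.12.11.6
Gi0/1       1    100 P Active  local           10.20.0.252     10.20.0.254
"""

# interface, group, priority, optional P flag, state, active, standby, virtual IP
ROW = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)\s+(P?)\s*(\w+)\s+(\S+)\s+(\S+)\s+(\S+)$")

def parse_standby_brief(text):
    """Return one dict per HSRP group; legend and header lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        iface, grp, pri, flag, state, active, standby, vip = m.groups()
        rows.append({"interface": iface, "group": int(grp), "priority": int(pri),
                     "preempt": flag == "P", "state": state,
                     "active": active, "standby": standby, "vip": vip})
    return rows

def check_consistent(rows, expected_state):
    """Every group must be in expected_state and must see a peer.

    A mix of Active and Standby across Gi0/0 and Gi0/1 means the two
    routers have split roles: inbound NAT and VPN land on one box while
    the LAN default gateway sits on the other, so return traffic breaks.
    'unknown' in the Active/Standby columns means the peer is not heard.
    """
    problems = []
    for r in rows:
        where = f"{r['interface']} group {r['group']}"
        if r["state"] != expected_state:
            problems.append(f"{where} is {r['state']}, expected {expected_state}")
        if "unknown" in (r["active"], r["standby"]):
            problems.append(f"{where} has no HSRP peer")
    return problems

if __name__ == "__main__":
    rows = parse_standby_brief(SAMPLE_OUTPUT)
    print(check_consistent(rows, "Active") or "both groups Active, peer seen")
```

Run the same check on the secondary with expected_state "Standby"; any non-empty result is a state the pair should not be in for long.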

Static and dynamic stateful NAT I will put in part 2 of the guide, just to break it up a little.
