Thursday, 19 June 2014

HSRP and Static Route

I don't use HSRP often, but it does fill a very handy gap in certain situations.  I had a strange scenario recently with multiple HSRP groups and a static route which wouldn't behave.

We have two gateways, both "inside" interfaces have two HSRP groups, so that the client can load-balance a bit more effectively.  Here's a bad picture:


The scenario is actually a bit more complicated than this in reality, but for the rough and ready sake of this post it will do.  Here is the R1 and R2 fa 0/1 "inside" configuration:

R1
interface FastEthernet0/1
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
 standby use-bia
 standby 1 ip 10.1.1.254
 standby 1 preempt
 standby 1 track FastEthernet0/0 20
 standby 2 ip 10.1.1.253
 standby 2 priority 99
 standby 2 preempt
 standby 2 track FastEthernet0/0 20

R2
interface FastEthernet0/1
 ip address 10.1.1.2 255.255.255.0
 ip nat inside
 standby use-bia
 standby 1 ip 10.1.1.254
 standby 1 priority 99
 standby 1 preempt
 standby 1 track FastEthernet0/0 20
 standby 2 ip 10.1.1.253
 standby 2 preempt
 standby 2 track FastEthernet0/0 20

So that's fine, isn't it: we have R1 as "priority" for group 1 and standby for group 2, and vice versa for R2.  Note the "use-bia" command; this is required when, as Cisco say, "controllers in low-end products can only have a single unicast Media Access Control (MAC) address in their address filter. These platforms only permit a single HSRP group, and they change the interface address to the HSRP virtual MAC address when the group becomes active. Load sharing on platforms with this limitation is not possible with HSRP."  Which is exactly what was happening: despite HSRP being completely aware of the changed priorities, without use-bia multiple groups did not function.

Anyway, blah, blah.  To the point, if there is one.  Due to a multiple VPN issue, where we'd have both gateways establishing a session back to head office, it was decided not to load-balance the subnets on the other side of the VPN, so all clients must use the active group 1 virtual gateway 10.1.1.254 when sending traffic via the VPN.  So how to achieve this?  Well, I thought, first I will put a static route on R2 pointing the VPN subnet at the group 1 address:

ip route 10.10.10.0 255.255.255.0 10.1.1.254

This works, but what happens when R2 becomes active for group 1?  This static route will then have a next-hop of itself.  What would happen, would it ignore the static route?  I tried it: the static route persisted, though note I could not add additional static routes due to a next-hop error (also please ignore the next-hop fa 0/0 on the default route, I wouldn't normally...):

*Jun 19 22:59:54.587: %HSRP-5-STATECHANGE: FastEthernet0/1 Grp 1 state Standby -> Active

R2#show ip route

Gateway of last resort is 0.0.0.0 to network 0.0.0.0

     1.0.0.0/24 is subnetted, 1 subnets
C       1.1.1.0 is directly connected, FastEthernet0/0
     10.0.0.0/24 is subnetted, 2 subnets
S       10.255.255.0 [1/0] via 10.1.1.254
C       10.1.1.0 is directly connected, FastEthernet0/1

S*   0.0.0.0/0 is directly connected, FastEthernet0/0

R2(config)#ip route 4.4.4.4 255.255.255.255 10.1.1.254

%Invalid next hop address (it's this router)

Crucially, of course, it breaks the routing: this static route kills the path, and I really wanted IOS to be clever and ignore the command.  This was the whole point of the post, however it's not all that great a point I suppose, just a curio.
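As an added check (not from the original post), the self-pointing static described above can be spotted offline by cross-referencing the HSRP virtual IPs in the interface config, the groups a router is currently Active for, and the next-hops of its static routes.  The sample config, route table excerpt and syslog line below are constructed to mirror R2 in this post; the example assumes the most recent %HSRP-5-STATECHANGE line for a group reflects its current state.

```python
import re

# Constructed sample input modelled on R2 from the post.
R2_CONFIG = """\
interface FastEthernet0/1
 ip address 10.1.1.2 255.255.255.0
 standby use-bia
 standby 1 ip 10.1.1.254
 standby 1 priority 99
 standby 2 ip 10.1.1.253
"""
R2_ROUTES = """\
S       10.255.255.0 [1/0] via 10.1.1.254
C       10.1.1.0 is directly connected, FastEthernet0/1
S       1.1.1.1 [1/0] via 10.1.1.1
"""
R2_SYSLOG = """\
*Jun 19 22:59:54.587: %HSRP-5-STATECHANGE: FastEthernet0/1 Grp 1 state Standby -> Active
"""

def hsrp_virtual_ips(config):
    """Map (interface, group) -> virtual IP from 'standby N ip A.B.C.D' lines."""
    vips, iface = {}, None
    for line in config.splitlines():
        m = re.match(r"interface (\S+)", line)
        if m:
            iface = m.group(1)
            continue
        m = re.match(r"\s*standby (\d+) ip (\S+)", line)
        if m and iface:
            vips[(iface, int(m.group(1)))] = m.group(2)
    return vips

def active_groups(syslog):
    """(interface, group) pairs whose latest HSRP state change was to Active."""
    state = {}
    pat = r"%HSRP-5-STATECHANGE: (\S+) Grp (\d+) state \S+ -> (\S+)"
    for m in re.finditer(pat, syslog):
        state[(m.group(1), int(m.group(2)))] = m.group(3)
    return {k for k, v in state.items() if v == "Active"}

def static_next_hops(routes):
    """(prefix, next_hop) pairs for 'S' entries in 'show ip route' output."""
    return re.findall(r"^S\*?\s+(\S+) \[\d+/\d+\] via (\S+)", routes, re.M)

def self_pointing_statics(config, routes, syslog):
    """Static routes whose next-hop is a virtual IP this router currently owns."""
    vips = hsrp_virtual_ips(config)
    owned = {vips[k] for k in active_groups(syslog) if k in vips}
    return [(p, nh) for p, nh in static_next_hops(routes) if nh in owned]
```

Running `self_pointing_statics(R2_CONFIG, R2_ROUTES, R2_SYSLOG)` flags the 10.255.255.0 route via 10.1.1.254 once group 1 goes Active, while the 1.1.1.1 route via R1's real address is left alone.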

So anyway, what to do?  I wanted to resolve this with static routes, but this "faulty" static needs to be removed when the R1 outside interface is down; some fairly basic stuff can solve this.  So, an IP SLA job first, with a static route on R2 for the R1 WAN address:


ip route 1.1.1.1 255.255.255.255 10.1.1.1

ip sla 1
 icmp-echo 1.1.1.1 source-interface FastEthernet0/1
ip sla schedule 1 life forever start-time now
track 1 ip sla 1

Now a new static route for the VPN subnet tracking this SLA job:

ip route 10.255.255.0 255.255.255.0 10.1.1.254 track 1

And this of course worked fine: the static route was added and removed as required.  Now I need to think of better ways to do this, or is this the ultimate?  (Hahaha)



2 comments:

  1. I inherited a gigantic messy flat network which I have been trying to improve. We have now standardized on 2960s as closet switches and I want to set up a few Purevpn Configured in VLANs. We have an ASA5510 but I don't really want to use it for inter vlan routing.
    It's a small network so these would be our 'core' switches. I need HSRP and some static routes, no dynamic routing needs yet but it's possible in the future. Our internet connection will soon be 100Mbit and I will need to apply different QoS / ACLs to each VLAN.
    Is the 3560X a good choice or not enough info here? Thanks

  2. We have some 3560X's doing exactly that - HSRP and IP routing, and they work really well, you might want to research the feature set you need for dynamic routing. These days however we install 3650/3850's.


Found this pointless and feel you must comment? Really, there is no need, we are fully aware of the pointlessness of this article. But if you must...
