GRE high availability with HSRP routers

 
 
profile0104
      02-27-2006
Cisco documentation about IPSec stateful failover shows it IS possible
to use gre tunnels with a couple of HSRP configured routers as one of
the endpoints. The tunnels from the remote peers connect to the active
router. But how do I configure the GRE/IPSec tunnel on the HSRP
routers? I mean, in this case what's the "interface tunnel" IP address
and what's the "tunnel source" IP address ?

 
ciscodagama@gmail.com
      02-27-2006
There is an old networkers presentation from 2000 at

http://www.cisco.com/networkers/nw00/pres/2402.pdf

that seems to address your problem exactly. You might find your answer
there.

Cisco da Gama
http://ciscostudy.blogspot.com

 
profile0104
      02-28-2006
Though very useful, the presentation does not completely cover my case.
To sum it up:

1) Main site has 2 routers in HSRP, with one external VIP and one
internal VIP.
2) I want to set up GRE over IPSec.
3) Documentation I found suggests to use the external VIP as the tunnel
source

4) But what's the tunnel's interface (the one I will use with dynamic
routing)? Can (must) I configure two different tunnel interfaces?

 
ciscodagama@gmail.com
      02-28-2006
profile0104 wrote:
> Though very useful, the presentation does not completely cover my case.
> To sum it up:
>
> 1) Main site has 2 routers in HSRP, with one external VIP and one
> internal VIP.


When you write VIP, do you mean virtual IP? What do you mean by
external/internal VIPs?

The two routers running HSRP are one end of the IPSec connection.
What's at the other end?

> 2) I want to set up GRE over IPSec.
> 3) Documentation I found suggests to use the external VIP as the tunnel
> source


The tunnel source will be the IP address of the physical interface the
tunnel is bound to at the local end, and the tunnel destination will be
the IP address of the physical interface that is the destination of the
tunnel. Note that these tunnel source and destination IP addresses are
not the HSRP virtual IP addresses.

> 4) But what's the tunnel's interface (the one I will use with dynamic
> routing)? Can (must) I configure two different tunnel interfaces?


You will have to configure one tunnel interface on each of the HSRP
routers, and two tunnel interfaces (pointing at each of the HSRP
routers) on the far end router. Then you will run transport mode IPSec
on the GRE tunnels and also run a routing protocol over the tunnels.
The routing protocol will allow you to load-balance over the two GRE
tunnels. When one HSRP router goes down, the routing protocol will
converge and stop using the GRE tunnel pointing at the HSRP router that
is now down. Note carefully the config of the routing protocol in the
example with passive interface commands that makes sure using the
routing protocol that the tunnel of the HSRP router that goes down is
no longer used by the far-end router.

Cisco da Gama
http://ciscostudy.blogspot.com
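
The far-end half of the design described in this reply (two GRE tunnels, one to each HSRP router's physical address, protected by transport-mode IPsec, with a routing protocol over both), as an added example that is not part of the original post or the linked Cisco material. Addresses are documentation values, and the crypto-map style, EIGRP, and all names and numbers are assumptions.

```cisco
! Added example: far-end (remote) router for the two-tunnel design.
! Constructed values: 198.51.100.1 = this router's outside address,
! 192.0.2.2 / 192.0.2.3 = physical outside addresses of HSRP routers A / B
! (not the HSRP virtual IP). Interfaces, ACL numbers, subnets and AS 100 are assumed.
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
crypto isakmp key REPLACE_WITH_KEY_A address 192.0.2.2
crypto isakmp key REPLACE_WITH_KEY_B address 192.0.2.3
!
crypto ipsec transform-set GRE-TS esp-aes 256 esp-sha-hmac
 mode transport
!
! Encrypt only the GRE packets toward each HSRP router's physical address
access-list 101 permit gre host 198.51.100.1 host 192.0.2.2
access-list 102 permit gre host 198.51.100.1 host 192.0.2.3
!
crypto map GRE-VPN 10 ipsec-isakmp
 set peer 192.0.2.2
 set transform-set GRE-TS
 match address 101
crypto map GRE-VPN 20 ipsec-isakmp
 set peer 192.0.2.3
 set transform-set GRE-TS
 match address 102
!
interface FastEthernet0/0
 ip address 198.51.100.1 255.255.255.252
 crypto map GRE-VPN
!
interface Tunnel0
 description GRE to HSRP router A
 ip address 10.255.0.1 255.255.255.252
 tunnel source FastEthernet0/0
 tunnel destination 192.0.2.2
!
interface Tunnel1
 description GRE to HSRP router B
 ip address 10.255.0.5 255.255.255.252
 tunnel source FastEthernet0/0
 tunnel destination 192.0.2.3
!
! Routing protocol runs over both tunnels; a dead tunnel's neighbor times out
router eigrp 100
 network 10.255.0.0 0.0.0.7
 network 172.16.10.0 0.0.0.255
 no auto-summary
```

Each HSRP router carries the mirror image with a single tunnel whose source is its own physical outside address.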

 
profile0104
      02-28-2006
The configuration I'm interested in is exactly this (#4):

http://www.cisco.com/en/US/products/...html#wp1118995

and my questions are:

On the headquarters side what is the gre tunnel IP source? What is the
tunnel interface IP address ?
Does every peer set up two separate gre tunnels to both HSRP routers as
you say? And if so, what's the use of having a virtual IP facing the
internet?

Every post I found said the tunnel source can not be the virtual
address, but then I also found a config snippet from cisco stating that
the tunnel source can actually be the virtual address. I must confess
I'm a bit confused.
Thank you for your answers.

 
ciscodagama@gmail.com
      02-28-2006
Looks like you are trying to use the IPSec Stateful Failover feature.
Sorry, I am not familiar enough with that feature to answer your
questions. I did see the document you gave the link to and had the
same question regarding the usefulness of the virtual IP facing the
internet.

Cisco da Gama
http://ciscostudy.blogspot.com

 
profile0104
      03-01-2006
Thank you anyway, I'll bother you with one last question then

In the configuration you're more familiar with, scenario 4 from the
networkers presentation, how are the routing updates coming from remote
peers through GRE tunnels propagated by the HSRP routers?
I mean: will a router with one interface on the same network segment
as the two HSRP routers (.67 in that diagram), and which needs to reach
a network behind the remote peer, find in its routing tables entries
pointing to the GRE tunnels or to the virtual IP ?
I want all of my traffic to exit through the active router, but if I
find myself with two routes with next hops = the two tunnels what
happens?

 
ciscodagama@gmail.com
      03-01-2006
profile0104 wrote:
> Thank you anyway, I'll bother you with one last question then
>
> In the configuration you're more familiar with, scenario 4 from the
> networkers presentation, how are the routing updates coming from remote
> peers through GRE tunnels propagated by the HSRP routers?
> I mean: will a router with one interface on the same network segment
> as the two HSRP routers (.67 in that diagram), and which needs to reach
> a network behind the remote peer, find in its routing tables entries
> pointing to the GRE tunnels or to the virtual IP ?


I believe it will be neither. The routing table for a router on the
same network segment as the pair of HSRP routers will have next-hops
pointing at the physical IP addresses of the interfaces of the HSRP
routers in the segment (.65 and .66 in this case).

> I want all of my traffic to exit through the active router, but if I
> find myself with two routes with next hops = the two tunnels what
> happens?


You should see equal cost paths through the two HSRP routers with .65
and .66 as the next-hops and traffic to the remote peer will be load
balanced over the two equal cost paths.

Cisco da Gama
http://ciscostudy.blogspot.com

 