GRE high availability with HSRP routers

Discussion in 'Cisco' started by profile0104, Feb 27, 2006.

  1. profile0104

    profile0104 Guest

    Cisco documentation about IPSec stateful failover shows it IS possible
    to use gre tunnels with a couple of HSRP configured routers as one of
    the endpoints. The tunnels from the remote peers connect to the active
    router. But how do I configure the GRE/IPSec tunnel on the HSRP
    routers? I mean, in this case what's the "interface tunnel" IP address
    and what's the "tunnel source" IP address ?
     
    profile0104, Feb 27, 2006
    #1

  2. profile0104

    Guest

    , Feb 27, 2006
    #2

  3. profile0104

    profile0104 Guest

    Though very useful, the presentation does not completely cover my case.
    To sum it up:

    1) Main site has 2 routers in HSRP, with one external VIP and one
    internal VIP.
    2) I want to set up GRE over IPSec.
    3) Documentation I found suggests to use the external VIP as the tunnel
    source

    4) But what's the tunnel's interface (the one I will use with dynamic
    routing)? Can (must) I configure two different tunnel interfaces?
     
    profile0104, Feb 28, 2006
    #3
  4. profile0104

    Guest

    profile0104 wrote:
    > Though very useful, the presentation does not completely cover my case.
    > To sum it up:
    >
    > 1) Main site has 2 routers in HSRP, with one external VIP and one
    > internal VIP.


    When you write VIP, do you mean virtual IP? What do you mean by
    external/internal VIPs?

    The two routers running HSRP are one end of the IPSec connection.
    What's at the other end?

    > 2) I want to set up GRE over IPSec.
    > 3) Documentation I found suggests to use the external VIP as the tunnel
    > source


    The tunnel source will be the IP address of the physical interface the
    tunnel is bound to at the local end, and the tunnel destination will be
    the IP address of the physical interface that is the destination of the
    tunnel. Note that these tunnel source and destination IP addresses are
    not the HSRP virtual IP addresses.

    > 4) But what's the tunnel's interface (the one I will use with dynamic
    > routing)? Can (must) I configure two different tunnel interfaces?


    You will have to configure one tunnel interface on each of the HSRP
    routers, and two tunnel interfaces (pointing at each of the HSRP
    routers) on the far end router. Then you will run transport mode IPSec
    on the GRE tunnels and also run a routing protocol over the tunnels.
    The routing protocol will allow you to load-balance over the two GRE
    tunnels. When one HSRP router goes down, the routing protocol will
    converge and stop using the GRE tunnel pointing at the HSRP router that
    is now down. Note carefully the config of the routing protocol in the
    example with passive interface commands that makes sure using the
    routing protocol that the tunnel of the HSRP router that goes down is
    no longer used by the far-end router.

    Cisco da Gama
    http://ciscostudy.blogspot.com
     
    , Feb 28, 2006
    #4
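
The layout described in post #4 (one GRE tunnel on each HSRP router, two tunnels on the far-end router, transport-mode IPSec, a routing protocol over the tunnels), written out as an added IOS configuration example; it is not from the thread or from the Cisco documents it cites. All addresses, names, the EIGRP process number and the key placeholders are constructed assumptions.

```cisco
! Added illustration; every address, name and key below is a constructed placeholder.
! HQ-A outside 192.0.2.65, HQ-B outside 192.0.2.66, remote outside 198.51.100.10.
!
! ===== HQ-A (HQ-B: 192.0.2.66, 10.255.0.5, network 10.255.0.4, key B) =====
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
crypto isakmp key <PRE-SHARED-KEY-A> address 198.51.100.10
crypto ipsec transform-set GRE-TS esp-aes 256 esp-sha-hmac
 mode transport
crypto ipsec profile GRE-PROT
 set transform-set GRE-TS
interface Tunnel0
 ip address 10.255.0.1 255.255.255.252
 ! Physical outside address of this router, not the HSRP virtual address
 tunnel source 192.0.2.65
 tunnel destination 198.51.100.10
 tunnel protection ipsec profile GRE-PROT
router eigrp 100
 network 10.255.0.0 0.0.0.3
!
! ===== Remote router: one tunnel per HQ router =====
! (ISAKMP policy and transform set as above, plus a key for each HQ peer)
crypto isakmp key <PRE-SHARED-KEY-A> address 192.0.2.65
crypto isakmp key <PRE-SHARED-KEY-B> address 192.0.2.66
crypto ipsec profile GRE-PROT-A
 set transform-set GRE-TS
crypto ipsec profile GRE-PROT-B
 set transform-set GRE-TS
interface Tunnel0
 ip address 10.255.0.2 255.255.255.252
 tunnel source 198.51.100.10
 tunnel destination 192.0.2.65
 tunnel protection ipsec profile GRE-PROT-A
interface Tunnel1
 ip address 10.255.0.6 255.255.255.252
 tunnel source 198.51.100.10
 tunnel destination 192.0.2.66
 tunnel protection ipsec profile GRE-PROT-B
router eigrp 100
 ! Covers both tunnel subnets so an adjacency forms over each tunnel
 network 10.255.0.0 0.0.0.7
```

When one HQ router fails, its tunnel's routing adjacency times out and the remote router keeps only the routes learned over the surviving tunnel.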
  5. profile0104

    profile0104 Guest

    The configuration I'm interested in is exactly this (#4):

    http://www.cisco.com/en/US/products/ps6550/products_white_paper09186a0080116d4c.shtml#wp1118995

    and my questions are:

    On the headquarters side what is the gre tunnel IP source? What is the
    tunnel interface IP address ?
    Does every peer set up two separate gre tunnels to both HSRP routers as
    you say? And if so, what's the use of having a virtual IP facing the
    internet?

    Every post I found said the tunnel source can not be the virtual
    address, but then I also found a config snippet from cisco stating that
    the tunnel source can actually be the virtual address. I must confess
    I'm a bit confused.
    Thank you for your answers.
     
    profile0104, Feb 28, 2006
    #5
  6. profile0104

    Guest

    Looks like you are trying to use the IPSec Stateful Failover feature.
    Sorry, I am not familiar enough with that feature to answer your
    questions. I did see the document you gave the link to and had the
    same question regarding the usefulness of the virtual IP facing the
    internet.

    Cisco da Gama
    http://ciscostudy.blogspot.com
     
    , Feb 28, 2006
    #6
  7. profile0104

    profile0104 Guest

    Thank you anyway, I'll bother you with one last question then ;-)

    In the configuration you're more familiar with, scenario 4 from the
    networkers presentation, how are the routing updates coming from remote
    peers through GRE tunnels propagated by the HSRP routers?
    I mean: will a router with one interface on the same network segment
    as the two HSRP routers (.67 in that diagram), and which needs to reach
    a network behind the remote peer, find in its routing tables entries
    pointing to the GRE tunnels or to the virtual IP ?
    I want all of my traffic to exit through the active router, but if I
    find myself with two routes with next hops = the two tunnels what
    happens?
     
    profile0104, Mar 1, 2006
    #7
  8. profile0104

    Guest

    profile0104 wrote:
    > Thank you anyway, I'll bother you with one last question then ;-)
    >
    > In the configuration you're more familiar with, scenario 4 from the
    > networkers presentation, how are the routing updates coming from remote
    > peers through GRE tunnels propagated by the HSRP routers?
    > I mean: will a router with one interface on the same network segment
    > as the two HSRP routers (.67 in that diagram), and which needs to reach
    > a network behind the remote peer, find in its routing tables entries
    > pointing to the GRE tunnels or to the virtual IP ?


    I believe it will be neither. The routing table for a router on the
    same network segment as the pair of HSRP routers will have next-hops
    pointing at the physical IP addresses of the interfaces of the HSRP
    routers in the segment (.65 and .66 in this case).

    > I want all of my traffic to exit through the active router, but if I
    > find myself with two routes with next hops = the two tunnels what
    > happens?


    You should see equal cost paths through the two HSRP routers with .65
    and .66 as the next-hops and traffic to the remote peer will be load
    balanced over the two equal cost paths.

    Cisco da Gama
    http://ciscostudy.blogspot.com
     
    , Mar 1, 2006
    #8