Cisco Switching/Routing :: ISP HSRP With ASA 5510 Failover And Switch Selection?
Feb 27, 2013
I have two Cisco ASA 5510s that I would like to configure in an active passive failover setup. The ASAs are at the top of our rack and handle all our routing. We have been only using one ASA unit with one line from our ISP connected to the WAN/outside interface of the ASA. We recently had our ISP setup two lines into our rack using HSRP. I do not know what equipment they are running upstream of our ASAs but it is HSRP so it should be a set of Cisco routers/switches. Originally I thought I could just connect the 2nd new line to our 2nd ASAs WAN/outside port and setup failover using a crossover cable between the ASAs. After doing this config I had problems accessing some of our IPs in the subnet that the HSRP is part of. If I disconnected the 2nd ASAs WAN/outside line everything was fine. After talking with my ISP they explained that I need to connect both of my lines into our L2 network and then from there into the ASAs. Currently below the ASAs I have two Catalyst 3560-X switches. They are connected together with an ISL trunk and ASA-1s inside network connects to switch-1 and ASA-2 to switch-2. One idea was to connect each of the HSRP lines to each of my current switches and then from the switches to the ASA's WAN/outside interface. Finally back down from the ASA's to the switches via the inside interface that we have currently. This kind of seems messy and a poor choice. The other idea is to get two switches that would sit above the ASAs and connect the HSRP lines to them with the switches connected together. They would then connect to the ASAs. I like this idea better but I don't like having to buy two more full switches for this. These switches would only use a couple of ports and only handle just the HSRP ISP lines to the ASAs. Putting in two more 3560-Xs would be a big waste of money and space for this. So I was thinking of using two Cisco SG200-08, 8 port gigabit basic managed switches for this.
View 5 Replies
ADVERTISEMENT
Sep 8, 2012
Below is a basic image of the HSRP and backup link setup for our LAN.
The virtual IP 192.168.178.50 resides on the primary router and fails over to the backup router. Internal default gateways for the switches are set to 178.50.
Switch1 is Layer3 and has two static default routes configured as:
ip route 0.0.0.0 0.0.0.0 192.168.179.50 track 1 - - - (interface line-protocol track)
ip route 0.0.0.0 0.0.0.0 192.168.178.50 2
And the primary router has a static route out 179.50 which tracks the interface (route goes down if interface is down), and a backup static route.
ip route (internal LAN) Gi0/1 track 1 - - - (interface line-protocol track)
ip route (internal LAN) Gi0/2 2
Everything works fine. If the primary router fails, Switch1 tears down the route across Vlan179, HSRP fails over the IP to the backup router and routing continues as normal. If the link across Vlan179 fails, the routers tear down the primary routes and again, things continue as normal.
The problem comes when the primary WAN link fails but the router remains up. This means the default route is still across Vlan179. Normally, Id set an IP SLA on Switch1 to track the WAN link BUT Switch1 only has the BASE IOS and the company wont pay for the Advanced IP IOS so I dont have IP SLA as an option.
How can I get the static default route to failover in the event that only the primary WAN link goes down?
View 12 Replies
View Related
Nov 12, 2012
We have two Cisco 3560E layer 3 switches at the core of our network. The switches are configured as an HSRP pair and the clients on our network point to the HSRP address as their default gateway. So if CORE-A dies, then CORE-B will pick up the address and the default route for the clients will continue to be available.We also need to specify a few static routes on the core switch to allow us to get to specific networks. Is there a way to do this so that the routes failover in the same way that the default gateway does?
View 2 Replies
View Related
Dec 9, 2012
Can i have HSRP or GLBP between two different switch like 3550 and 3560?
View 3 Replies
View Related
Oct 31, 2012
I have two cisco 4506-E series switches ..
We are planning to go for HSRP redundancy for 32 VLANs. Means In a Cisco 4506-E switch , we will configure 32 vlans and among them 16 vlans will be primary and 16VLANs will be standby ans it is viceversa in another core-switch
My querie is How many standby groups can we create in Cisco 4506-E switch,
Is there any limitation..
If there is any limitation , can we go ahead with VRRP,GLBP? Are there any limitation in VRRP/GLBP? Is there any design related issue can we face if we use same group number to all VLANs?
Product details :
Model : Cisco 4506-E
Sup Model : WS-X45-SUP6L-E
IOS : S45EIPBK9-12254SG
View 2 Replies
View Related
Nov 14, 2012
What the different between using hsrp on vlan interface and on physical port (routed port) on Cisco 3750 Switch? Wha the benefits?
View 3 Replies
View Related
Nov 16, 2011
I have router connected to 2 3550 switches directly. 3550A and B switches are running HSRP. OSPF is running between Router and 2 switches.
From Switch B i can ping the Router Wan interface but not the internet sites. from Switch A i can ping any sites?
Switch B
3550SMIB# sh ip routeCodes: C - connected, S - static, R - RIP, M - mobile, B - BGP D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area N1
[Code]......
View 7 Replies
View Related
Dec 27, 2012
We have our WAN setup as explained in the attachment herewith. As of now, We have a IP 1 configured as HSRP IP in the LAN switch end at Site A and Site B. As per the HSRP priority, Site A's WAN router will preempt to be the Active WAN router. 1*1Gig link at both DCs connect to the respectve WAN router.
But with this setup, we experience a WAN outage whenever there is a link disconect at Site A - as HSRP fails over from Active to Standby(Site B) and again when the link at Site gets restored. To avoid this :
Is it possible to have the HSRP configured over a port channel at Site A and B (or atleast at Site A) ? In that case, will there be a need for the ISP to change their configuration except to configure a port channel ? The ISP has Cisco 7000 series router which connects to 3750 stack at DC lan.
View 2 Replies
View Related
Jul 2, 2012
Currently I have a network that looks like this:
ASA5510 - - - Internet - - - ASA5510
| |
EIGRP EIGRP
| |
2821 -----------MPLS----------1841
BGP
The MPLS connection is currently down, I'm trying to run a failover Site-to-Site VPN over the internet. All of the examples I've read have both connections involved in the failover coming out of one device. Since I'm not working that way, what is going to be the best way to failover? Do I need to set up some sort of IP SLA in the config? Or can I somehow weight routes in EIGRP in a way that the connection will failover from Internet to MPLS when the MPLS goes down and vice versa when the MPLS connection comes back up?
View 2 Replies
View Related
Oct 17, 2012
We have Nexus 5K switches at the aggregation layer and VPC domain has been configured on them. VPC domain includes switches at the access layer as an identity.But when primary switch reboots failover didn,t happened. We are attaching architecture diagram for the setup along with show tech for Nexus 5K both switches.
View 2 Replies
View Related
Nov 1, 2011
I used to have this situation where I need to replace faulty ASA5510 (this FW did not failover to standby FW) with the new one.
But the problem is the new ASA5510 came with Base License only not with Security Plus License which is needed to allow this brand new device to be configure failover.
how do I pull out Security Plus License from old FW and switch it to new FW (Base License) and activate to Security Plus License.
View 5 Replies
View Related
Mar 26, 2012
I have 2 C2811 ISRs runnning c2800nm-advsecurityk9-mz.124-15.T17.bin and having on board: 1 Virtual Private Network (VPN) Module.is it possible to enable IPSec stateful failover (or switchover, SSO) between these boxes? I get different infos from Cisco sources. url...All commands were accepted, but failover doesn't seem to be statefull (I loose connection for few seconds and VPNs are reestabilishing)
View 5 Replies
View Related
Feb 12, 2012
Turned up a new colo service last week using some PIX 515E firewalls and two Cat 2950 series switches. I have attached a diagram of the layout which I have used elsewhere with good success. Basically I have two switches connected together via port channel (2 ports). The colo facility gives me two HSRP enabled links, of which I plug one into switch A and the other in switch B. The PIxes are a failover pair with the primary plugged into the same switch A as the primary HSRP link.The backup PIX is plugged into the backup switch where the backup HSRP link is. When I unplug the primary HSRP link the PIX can ping the HSRP gateway still, but nothing beyond that. Nothing gets it to work until I plug the link back in.
The only thing I could see that might cause an issue is the 'ip verify reverse-path' command on the PIXes. But even the switches cannot ping out beyond the HSRP gateway. Just seems like all inbound routing stops. I am not sure what the colo facility has going on their side but it seems like they are using just some Cisco 6509s and doing HSRP between them. Seems pretty simple but so far this is proving un-usable as is.
The PIX BTW just uses a default route to the HSRP gateway.
View 3 Replies
View Related
Sep 3, 2012
How to Enable IP Accounting in Cre switch 4000 Running cat OS and Cisc ASA 5510 (8.2 )
View 1 Replies
View Related
Feb 2, 2012
I have to configure failover Active/Standby on my ASA 5510.I am wondering how i could do for the outside interface, i mean, actually the ASA1 outside interface is linked directly to our Internet router.So now if i have to add ASA2 connecting to that router i will need a switch between them.I have already a switch for DMZ & LAN.The thing is that i will have to allow 3 switchs ports to communicate with each others.
- 1 for ASA1--outside
- 1 for ASA2--outside
- 1 for Internet router
How could i isolate these 3 ports to make them communicate alone ? Should i use VLAN for that ?And if i use VLAN, will this require to make any change of configuration on my firewalls (ASA1 & ASA2) outside interface ?I am a bit lost with this, if i am correct i will not have to do some "vlan tagging" on the firewall itself ?
View 1 Replies
View Related
May 4, 2011
Our company is in the process of replacing our old firewall with a Cisco ASA since our old firewall can handle only 170 concurrent users and we are expanding fast. Can I know what are the considerations when selecting from the different models of ASA currently we are debating if we should buy a 5510 or a 5520 also can I know if cisco ASA also have a limitations on concurrent users online in a lan like our old firewall. By the way we are a Call Center company(going 500 seats) so we are using VOIP(Asterisk using SIP and IAX).
View 1 Replies
View Related
Oct 18, 2011
I am facing an isssues with 7609 for LAN switching , based on LAN (VRRP/HSRP) feature.Actually we are having ES+ cards (on 7609) and we are using multiple groups(say 350 vrrp groups) running on the router . the routers are connected as router 1>>> mux(which is working as switches)>>> router2
my questing are
1. does their will be "multicast packets" (for VRRP/HSRP group) "from backup router to Master router", when in stable state( ie when Master and backup are already chosen) , or the packet from backup to master should be unicast.I know for sure, the packet from master to back is multicast packets denstination to Multicast IP packet and To MAC address.I am not sure but I think from backup to master it should be multicast
2. what is frequency of these packets( from backup to master)
3. As i have multiper group on a single interface ( we are using q-in-q), when the connectivity from router's is broken, then does all the groups will muticast their active roll in the lan sengment "at once" or it will be in a groups say 100 groups at once, and after few ms few 100's and sone ( as is on OSPF or RIP)
we are in between troubleshooting I hope we get the ans( Actul problem we are seeing in the router's that we have 2 ports on active routers and 2 ports on standby router , but we are not seeing muticast on 1 port on standby router where as all other 3 ports are seeing multicast packets) [code]
View 5 Replies
View Related
Oct 7, 2012
I configure HSRP on Router 2951 as a primary router, and Router 2811 as backup router. But when I am switching off my Primary router the backup router is taking 2 mins to take over form primary router.
[code]....
View 4 Replies
View Related
Jan 8, 2012
I want to setup HSRP between three 6509 switches with a single virtual ip for all the three switches.
know if its possible and share any site or config.
View 1 Replies
View Related
Nov 11, 2012
I'm looking to try and implement ipv6 HSRP on a series of IOS-XR Routers running 4.2.1 following on from successfully setting up IPv6 HSRP on a few cat6509s on VLAN Interfaces in other parts of the network. I have entered the "router hsrp" configuration menu and gone into the interface in question that I'm looking to setup with IPv6 HSRP. Unfortunately, there version 2 or address-family ipv6 commands are not available.
View 2 Replies
View Related
Apr 17, 2012
is it possible to run hsrp on two routers (not l3 switch) connected to a l2 switch ? if so does the two routers need a back to back connection ?
i know if use two l3 switches (instead of routers) and connect to a LAN switch then we need a back to back connection between the L3 switches
also can we use hsrp on vss on 6500?
design
1800 router 1800 ROuter
| |
| |
|---------- L2 switch-------------------------------|
if the above design is acceptable how does the routers know which one is active and which one is standby ? if we need a direct connection between two routers they have to be on a seperate subnet and routers dont allow broadcasts - so how will hsrp work on routers ?
L3 switch --------------------------l3 switch
| |
| |
|---------------L2 switch---------------|
View 8 Replies
View Related
Jan 23, 2012
Planning to implement HSRP in layer 3 switch.
We have two numbers of Cisco 4900 ME Switches. Basically want LAN failover from these devices. There are about 400 users in our network. I have attached rough network topology for your reference(I am not good at Microsoft Visio). Need to know implementation of the HSRP in these switches. Two distribution switches(Cisco 4900 ME Switches) are connected to 4 Access switches and these are connected to the LAN.
View 2 Replies
View Related
Jul 9, 2012
i have 2 cisco 7604 distrubution routers .Both routers are running 310 hsrp groups.
Sundenly there is hsrp flapping which causes high CPU.
What is the limitation of HSRP group on cisco 7604 router .Below is the show ver from the router
----------------- show version ------------------
Cisco IOS Software, c7600rsp72043_rp Software (c7600rsp72043_rp-ADVIPSERVICES-M), Version 12.2(33)SRC2, RELEASE SOFTWARE (fc2)
[Code]......
View 2 Replies
View Related
May 9, 2012
I currently use L3 switches as edge routers to my WAN. I want to use a pair of 3560x switches with IPbase to provide a failover path to my WAN using HSRP at one location but had some problems testing the configuration. My plan is use a virtual address on the LAN interface (VLANx which port gi0/1 accesses) and the WAN interface (VLANy which port gi0/24 accesses). I want switch 1 to be primary since it will have an IPS attached to it, and switch 2 will be backup and used only when switch 1 or the IPS requires maintenance. On both the LAN and WAN sides there is no advanced routing going on, the various hosts just depend on the availability of their respective default gateways, so HSRP should be sufficient to provide a failover in either direction.
In my testing I got 1 or the other link to fail over but not the entire switch. What should my config look like to achieve failover of the entire switch in the event 1 or the other interface goes down, and fail back when the primary links are again available?
View 7 Replies
View Related
May 20, 2013
if the Cisco 3945 router requires any license for it to run HSRP. Also advise which IOS runs HSRP on the 3845 router.
View 3 Replies
View Related
Apr 14, 2013
n our datacenter we've implemented HSRP on 2 6500's for redundancy purposes. Both switches are connected via a trunk. When an interface is administratively brought up, HSRP becomes instable. Below some selective logging:
12:58:01.759 CET: %HSRP-5-STATECHANGE: Vlan32 Grp 32 state Standby -> Active12:58:01.919 CET: %HSRP-5-STATECHANGE: Vlan21 Grp 21 state Standby -> Active12:58:02.031 CET: %HSRP-5-STATECHANGE: Vlan42 Grp 42 state Standby -> Active12:58:02.031 CET: %HSRP-5-STATECHANGE: Vlan18 Grp 18 state Standby -> Active12:58:02.223 CET: %HSRP-5-STATECHANGE: Vlan4 Grp 4 state Standby -> Active
Basically what happens, is that both switches becomes active and thus are forwarding traffic. After a few seconds all is back to normal. It seems they are missing each others "hello messages", so the state change is in this case normal outcome. What I can't figure out', is the root cause. Since it is triggered by bringing up an random interface configured as a dot1q trunk, I'm thinking of STP limits. But the limitations I found are 10.000 active STP logical ports and 1800 virtual ports per slot. In my case this is 2591 logical ports and all the virtual ports per slot are below 1800. This suggest the switch is capable of running this set-up without a problem.
Some extra information:-Sup 720 10GE-Version 12.2(33)SXH2a-No Vss used-No drops on trunked interfaces between the 2 core switches-83 standby groups (max256)
-R-PVST
View 5 Replies
View Related
Mar 3, 2013
I just started a evaluation license for IP Base on my 3850 switches. But i can't configure HSRP cause the commands are not there (I rebooted allready). Do you need enterprise for HSRP on the 3850?
View 7 Replies
View Related
Mar 6, 2013
Had a Sev 1 issue today. We have a bunch of Nexus 5ks connecting to some HP C7000 Chassis for the use of Virual environments. Engineers build and tear down servers during the day, however today, an engineer configured a virtual machine accidently with its IP address as the default gateway. Each pair of nexus switches has one physical SVI per vlan and a HSRP address for the vlan. Of course this engineer configuring the server IP address as the HSRP address killed the vlan... which lead me onto think... are they are tried and tested techniques to protect this from happening on the switch. Enforcing the ARP/MAC of the HSRP address and not allowing it to change or any other device to change it?
View 2 Replies
View Related
May 17, 2012
I have a paif of nexus 5548 configured VPC using the mgmt interface as heartbeat and 2x10G as peerlink. Peer-gateway is also configure on the vpc domain. I have 2 FEX straight thru connection to each Nexus'es. Created 2 VPC and both are up and no suspended vlans. Allowed VLANs in peerlink is 10,20,30,40 and 50. I configure SVI for VLAN 10 on both nexus 10.10.10.100/24 and 10.10.10.101/24 respectively. The problem is when I create HSRP on this VLAN 10 (vip 10.10.10.88), the hello packets are not heard by both nexus, thus both Nexus are acting as active with unknown standby. I can ping both vlan 10 from each Nexus. I tried deleting and putting back the config but no luck.I tried creating another SVI vlan 20 on both nexus and form hsrp, result is same as in vlan 10. I am running version 5.1 release on both nexus.
View 3 Replies
View Related
Jun 7, 2012
I just started a evaluation license for IP Base on my 3850 switches. But i can't configure HSRP cause the commands are not there (I rebooted allready). Do you need enterprise for HSRP on the 3850?
View 2 Replies
View Related
Feb 21, 2013
I have a few old 2600 routers (2621, different IOS's) which I'm now replacing for new one's from the 2900 series (2901, Version 15.1(4)M4).In my configuration I have two IP addresses in my LAN interface and I have HSRP configured within the secondary IP subnet range. It would be something like this:
interface GigabitEthernet0/1
ip address 172.x.x.x x.x.x.x secondary
ip address 10.z.z.z z.z.z.z
[Code].....
Now, in the new 2900 routers, my interface configuration hasn't changed however I can see that the hello packets are now sent with the source within the respective HSRP IP subnet so I had to edit my acl for that:
permit udp 172.x.x.x x.x.x.x host 224.0.0.2 eq 1985
Is there a way I can force the HSRP to work as it previously did in the old IOS's?
View 3 Replies
View Related
May 28, 2012
Is it possible to configure a Cisco2951 and a Cisco2921 in HSRP?
View 1 Replies
View Related
May 3, 2012
It looks like both my HSRP Interfaces (VLAN 600 & 700) cycle through standby --> active ---> speak continuously on one of the two switches. What can be causing this?
*May 4 06:41:24.883: %HSRP-5-STATECHANGE: Vlan700 Grp 0 state Speak -> Standby
*May 4 06:41:33.671: %HSRP-5-STATECHANGE: Vlan700 Grp 0 state Standby -> Active
*May 4 06:41:33.671: %HSRP-5-STATECHANGE: Vlan700 Grp 0 state Active -> Speak
*May 4 06:41:34.251: %HSRP-5-STATECHANGE: Vlan700 Grp 0 state Speak -> Standby
*May 4 06:41:47.691: %HSRP-5-STATECHANGE: Vlan700 Grp 0 state Standby -> Active
*May 4 06:41:47.703: %HSRP-5-STATECHANGE: Vlan700 Grp 0 state Active -> Speak
View 1 Replies
View Related
