Re: HSRP and Policy Route
- From: Trendkill <jpmason@xxxxxxxxx>
- Date: 2 May 2007 09:29:13 -0700
On May 2, 11:46 am, Trendkill <jpma...@xxxxxxxxx> wrote:
On May 2, 11:28 am, frell...@xxxxxxxxx wrote:
I don't see how HSRP is even working for the 5.1 subnet without
trunking between the two MSFCs? You can see in your config that both
routers think they are the local owner of the 5.1 subnet, therefore
HSRP is not working for that access vlan because they are not
connected to each other in that VLAN to exchange HSRP packets. This
is your issue.
They are not running as VLANs so there is nothing to trunk. HSRP is
working flawlessly, it is the policy route that is messing me up. The
ports are running as physical L3 ports ("no switchport" command which
is default in the 6509 on the SUP720). The box is running more like a
48 port router than a switch. There is also no STP enabled since
there is no need for it.
I should also mention that the reason I need the policy route is that
these boxes also peer with BGP to my 2 ISPs (one on each box). Right
now I am taking only default route from the ISPs but I guess if I
can't get this policy route to work I can take full routes from the
ISPs and set up a default route to the Checkpoint cluster. I was
trying to avoid doing that if possible though.
Thanks,
Joe
I'm sorry, I misread your configuration above. HSRP does look OK
based on your paste, reviewing again...
So I'm assuming you have a switch in the 10.X network that goes to the
checkpoint cluster, and another that goes to the 5.X network. These
two 6509s have router interfaces in each, the connections on these
interfaces you pasted are just layer 3 based on your comments. When
you fail over, are you simply raising the standby cost and failing
over that way, or actually shutting down an interface on one or the
other? The nodes on 5.X that you are testing are all off one switch
downstream that is connected to both routers? I know you aren't
trying to focus on L2, but I'm trying to understand traffic in and out
of the subnet as you are saying that when Core 2 owns the 5.X network,
and Core 1 still owns the 10.X network returning from the firewall,
traffic fails. Additionally, you have passive interfaces on these
routers, so is the checkpoint stuff static routed back? A diagram
would help tremendously... I'm not sold that it is your policy map
yet.
Lastly, and in regards to your internet configuration, how are you
advertising out to the internet world? Firewalls definitely do not
like single direction traffic, and if you are going out one firewall
to one ISP, but back in another, your traffic will be put into the bit
bucket. This would explain why going out one core and therefore ISP1
would work, but if it fails over and goes out the other path, it could
very well return through the primary path and cause issues. Just some
shots in the dark.