Re: HSRP and Policy Route
- From: Trendkill <jpmason@xxxxxxxxx>
- Date: 2 May 2007 10:27:36 -0700
On May 2, 12:58 pm, frell...@xxxxxxxxx wrote:
On May 2, 12:29 pm, Trendkill <jpma...@xxxxxxxxx> wrote:
On May 2, 11:46 am, Trendkill <jpma...@xxxxxxxxx> wrote:
On May 2, 11:28 am, frell...@xxxxxxxxx wrote:
I don't see how HSRP is even working for the 5.1 subnet without
trunking between the two MSFCs? You can see in your config that both
routers think they are the local owner of the 5.1 subnet, therefore
HSRP is not working for that access vlan because they are not
connected to each other in that VLAN to exchange HSRP packets. This
is your issue.
They are not running as VLANs so there is nothing to trunk. HSRP is
working flawlessly, it is the policy route that is messing me up. The
ports are running as physical L3 ports ("no switchport" command which
is default in the 6509 on the SUP720). The box is running more like a
48 port router than a switch. There is also no STP enabled since
there is no need for it.
I should also mention that the reason I need the policy route is that
these boxes also peer with BGP to my 2 ISP's (one on each box). Right
now I am taking only default route from the ISP's but I guess if I
can't get this policy route to work I can take full routes from the
ISPs and setup a default route to the Checkpoint cluster. I was
trying to avoid doing that if possible though.
Thanks,
Joe
I'm sorry, I misread your configuration above. HSRP does look OK
based on your paste, reviewing again.......
So I'm assuming you have a switch in the 10.X network that goes to the
checkpoint cluster, and another that goes to the 5.X network. These
two 6509s have router interfaces in each, the connections on these
interfaces you pasted are just layer 3 based on your comments. When
you fail over, are you simply raising the standby cost and failing
over that way, or actually shutting down an interface on one or the
other? The nodes on 5.X that you are testing are all off one switch
downstream that is connected to both routers? I know you aren't
trying to focus on L2, but I'm trying to understand traffic in and out
of the subnet as you are saying that when Core 2 owns the 5.X network,
and Core 1 still owns the 10.X network returning from the firewall,
traffic fails. Additionally, you have passive interfaces on these
routers, so is the checkpoint stuff static routed back? A diagram
would help tremendously... I'm not sold that it is your policy map
yet.
Lastly, and in regards to your internet configuration, how are you
advertising out to the internet world? Firewalls definitely do not
like single direction traffic, and if you are going out one firewall
to one ISP, but back in another, your traffic will be put into the bit
bucket. This would explain why going out one core and therefore ISP1
would work, but if it fails over and goes out the other path, it could
very well return through the primary path and cause issues. Just some
shots in the dark.
I really appreciate all your assistance with this. I think you are
right on now with our config. From the 6509 I have runs out to simple
stackable Linksys switches with no vlans. So the 10.5.1 subnet goes
to one switch (with both routers on it) and the 10.10.1.x subnet goes
to another. The firewalls are in a cluster with a VIP both inside and
outside. They are using static routes to point back to the HSRP
VIPs. There should be no asymmetric traffic through the firewalls
since there is only one path in and out.
When I fail over for testing I shut down the other interface to simulate
a true failure. So the 10.5.1 subnet will be failed over but the
10.10.1 subnet will not be failed over. When I do fail over and do a
traceroute out from 10.5.1 I go one hop (10.5.1.1) then stars the rest
of the way.
I would be happy to send you a diagram in a PDF. Where should I send
it?
Thanks,
Joe
I'm fairly certain that is your issue. When 5.1 fails over but 10.x
does not, the traffic still returns to Core1 because he owns your
layer 3 HSRP and you are not running dynamic routing protocols for it
to go to Core 2. Right then, he does not know how to route to 5.X
because his interface is down, and you aren't exchanging routes with
your peer over those networks. Perhaps you are exchanging routes some
other way, but I think this is where you need to focus.
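The split-ownership failure described in the reply above, as an added model that is not part of the original thread: the two cores, the 10.5.1.0/24 and 10.10.1.0/24 subnets and the firewall's static route to the HSRP VIP come from the thread; the host address 10.5.1.50, the Core1/Core2 data structures and the route-lookup logic are constructed for illustration.

```python
import ipaddress

def build_topology():
    # Constructed: both cores have both subnets connected, HSRP active for both groups on Core1,
    # and no routes learned from the peer (no dynamic routing between the cores).
    return {
        "cores": {
            "Core1": {"connected": {"10.5.1.0/24": "up", "10.10.1.0/24": "up"}, "learned": {}},
            "Core2": {"connected": {"10.5.1.0/24": "up", "10.10.1.0/24": "up"}, "learned": {}},
        },
        "hsrp_active": {"10.5.1.0/24": "Core1", "10.10.1.0/24": "Core1"},
    }

def fail_interface(topo, core, subnet):
    # Shut one interface, as the poster did for testing. Only that subnet's HSRP group
    # moves to the peer; the other group keeps its active router.
    topo["cores"][core]["connected"][subnet] = "down"
    if topo["hsrp_active"][subnet] == core:
        topo["hsrp_active"][subnet] = "Core2" if core == "Core1" else "Core1"

def next_hop(topo, core, dst):
    # Route lookup on one core: an up connected interface wins, then routes learned
    # from the peer. None means no route, i.e. the packet is dropped.
    addr = ipaddress.ip_address(dst)
    c = topo["cores"][core]
    for net, state in c["connected"].items():
        if state == "up" and addr in ipaddress.ip_network(net):
            return "connected"
    for net, via in c["learned"].items():
        if addr in ipaddress.ip_network(net):
            return via
    return None

def return_path(topo, dst):
    # Reply leaving the firewall: its static route points at the 10.10.1 HSRP VIP, so it
    # lands on whichever core is active for that group and is then routed hop by hop.
    core = topo["hsrp_active"]["10.10.1.0/24"]
    path = ["firewall", core]
    for _ in range(4):  # bounded so a routing loop is reported rather than spun on
        hop = next_hop(topo, core, dst)
        if hop is None:
            return path + ["DROP"]
        if hop == "connected":
            return path + ["delivered"]
        core = hop
        path.append(core)
    return path + ["LOOP"]
```

Calling `fail_interface(t, "Core1", "10.5.1.0/24")` and then `return_path(t, "10.5.1.50")` reproduces the one-hop-then-stars traceroute: the reply reaches Core1 via the 10.10.1 VIP and is dropped there; adding a route for 10.5.1.0/24 via Core2 to Core1's learned table (what a routing protocol between the peers would do) makes the same call deliver.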