Nov 182012
 

Initially there were about 250 hosts in the network attached to switch SW1. The Gateway router HSRP_A is the active router for the network. As the number of hosts increased in the network attached to SW1, a new subnet (10.0.2/24) is introduced as a secondary address in the gateway routers. To achieve some load sharing HSRP_B will be the active router for the group 1 for the network 10.0.1/24 and HSRP_A active for the group 2 which is the 10.0.2/24 network.

The ospf cost advertised from HSRP_A is better than the one advertised from HSRP_B. Thus the return traffic from the network attached to R5 will always take the path via HSRP_A. now let’s look at this scenario where some traffic filtering is in place.

HSRP_A has a filtering rule which states only to allow inbound TCP sessions if it was originated from the networks attached to SW1. For this HSRP_A has an outbound access-list attached to f0/1 named OUTBOUND_ACL_OUT which reflects the outgoing tcp sessions to a reflexive access-list named TCP.

ip access-list extended OUTBOUND_ACL_OUT
 permit ospf any any
 permit icmp any any
 permit tcp any any reflect TCP
 
interface FastEthernet0/1
 ip access-group OUTBOUND_ACL_OUT out

 

The packets inbound to interface f0/1 is evaluated against the reflected access-list TCP.

ip access-list extended OUTBOUND_ACL_IN
 evaluate TCP
 permit ospf any any
 permit icmp any any
 
interface FastEthernet0/1
 ip access-group OUTBOUND_ACL_IN in

With this configuration let us check the problem with asynchronous routing. First HSRP_A will be the active router for both groups. This means we do not have any asynchronous routing.

 
HSRP_A#sh standby brief
                     P indicates configured to preempt.
                     |
Interface   Grp  Pri P State   Active          Standby         Virtual IP
Fa0/0       1    120 P Active  local           10.0.1.3        10.0.1.1
Fa0/0       2    120 P Active  local           10.0.1.3        10.0.2.1

Let us look the way packets route in the network. we can use the extended ping to record the route the packet takes.

H1#ping
Protocol [ip]:
Target IP address: 5.5.5.5 
Repeat count [5]: 1
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: yes
Source address or interface:
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]: r
Number of hops [ 9 ]:
Loose, Strict, Record, Timestamp, Verbose[RV]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 5.5.5.5, timeout is 2 seconds:
Packet has IP options:  Total option bytes= 39, padded length=40
Record route: <*>
   (0.0.0.0)
   (0.0.0.0)
   (0.0.0.0)
   (0.0.0.0)
   (0.0.0.0)
   (0.0.0.0)
   (0.0.0.0)
   (0.0.0.0)
   (0.0.0.0)

Reply to request 0 (76 ms).  Received packet has options
Total option bytes= 40, padded length=40
Record route:
   (10.0.1.10) !exit interface IP of H1 towards 5.5.5.5
   (20.0.51.2) !exit interface IP of HSRP_A towards 5.5.5.5
   (5.5.5.5)  
   (20.0.51.5) !exit interface IP of R5 towards 10.0.1.10
   (10.0.1.2)  !exit interface IP of HSRP_A towards 10.0.1.10
   (10.0.1.10) <*>
   (0.0.0.0)
   (0.0.0.0)
   (0.0.0.0)
End of list

Success rate is 100 percent (1/1), round-trip min/avg/max = 76/76/76 ms
H1#

 

As expected the goes to HSRP_A which is the active router. It uses it’s exit interface which has the IP 20.0.51.2. Finally the packet arrives at R5. It the routes back to HSRP_A as it advertices a better ospf cost. The same will be for H2 as HSRP_A is active for both groups.
Let us make HSRP_B the active router for the 10.0.1/24 network

HSRP_B(config)#interface f0/0
HSRP_B(config-if)#standby 1 priority 150
*Mar  2 00:03:49.778: %HSRP-5-STATECHANGE: FastEthernet0/0 Grp 1 state Standby -> Active

H1#ping  
Protocol [ip]:
Target IP address: 5.5.5.5
Repeat count [5]: 1
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: yes
Source address or interface:
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]: r
Number of hops [ 9 ]:
Loose, Strict, Record, Timestamp, Verbose[RV]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 5.5.5.5, timeout is 2 seconds:
Packet has IP options:  Total option bytes= 39, padded length=40
Record route: <*>
   (0.0.0.0)
   (0.0.0.0)
   (0.0.0.0)
   (0.0.0.0)
   (0.0.0.0)
   (0.0.0.0)
   (0.0.0.0)
   (0.0.0.0)
   (0.0.0.0)

Reply to request 0 (84 ms).  Received packet has options
Total option bytes= 40, padded length=40
Record route:
   (10.0.1.10)
   (20.0.52.3)
   (5.5.5.5)
   (20.0.51.5)
   (10.0.1.2)
   (10.0.1.10) <*>
   (0.0.0.0)
   (0.0.0.0)
   (0.0.0.0)
End of list

Success rate is 100 percent (1/1), round-trip min/avg/max = 84/84/84 ms
H1#

Now we can see that the packet transverses via HSRP_B and comes back via HSRP_A. With the filtering in place as HSRP_A does not create a reflective tcp session entry, it will deny the inbound tcp packet from R5. We can see this if we debug ip icmp in R5 while telneting from H1.

R5#
*Mar  2 00:08:10.306: ICMP: dst (5.5.5.5) administratively prohibited unreachable rcv from 20.0.51.2

But the telnet from H2 will succeed as the outgoing packet takes the path via HSRP_A.
H2#telnet 5.5.5.5
Trying 5.5.5.5 ... Open

R5>
 

HSRP_A#sh access-list TCP
Reflexive IP access list TCP
     permit tcp host 5.5.5.5 eq telnet host 10.0.2.10 eq 50962 (15 matches) (time left 297)
HSRP_A#

We can see that HSRP_A does  have a dynamic entry for the tcp session originated from H2.

To solve this problem, we could use another physical interface for the second network. Thus each HSRP group will have its own interface.