Using HSRP for Home Agent Redundancy

Problem

You want to set up redundant Home Agents to improve network availability for your Mobile Nodes.

Solution

For this recipe, we must configure two nearly identical Home Agent routers. Here is the configuration of the first one:

RouterHome1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
RouterHome1(config)#interface FastEthernet0/0
RouterHome1(config-if)#ip address 192.168.9.2 255.255.255.0
RouterHome1(config-if)#standby 1 ip 192.168.9.1
RouterHome1(config-if)#standby 1 name HA-GROUP
RouterHome1(config-if)#exit
RouterHome1(config)#router mobile
RouterHome1(config-router)#exit
RouterHome1(config)#router eigrp 99
RouterHome1(config-router)#redistribute mobile
RouterHome1(config-router)#network 192.168.9.0
RouterHome1(config-router)#network 192.168.10.0
RouterHome1(config-router)#default-metric 10000 10 255 1 1500
RouterHome1(config-router)#no auto-summary
RouterHome1(config-router)#exit
RouterHome1(config)#ip mobile home-agent address 192.168.9.1
RouterHome1(config)#ip mobile home-agent redundancy HA-GROUP virtual-network
RouterHome1(config)#ip mobile virtual-network 192.168.10.0 255.255.255.0
RouterHome1(config)#ip mobile host 192.168.10.1 192.168.10.254 virtual-network 192.168.10.0 255.255.255.0
RouterHome1(config)#ip mobile secure home-agent 192.168.9.3 spi 100 key ascii cisco
RouterHome1(config)#ip mobile secure host 192.168.10.110 spi 100 key ascii cookbook
RouterHome1(config)#ip mobile secure host 192.168.10.111 spi 100 key ascii cookbook
RouterHome1(config)#ip mobile secure host 192.168.10.112 spi 100 key ascii cookbook
RouterHome1(config)#ip mobile secure host 192.168.10.113 spi 100 key ascii cookbook
RouterHome1(config)#ip mobile secure host 192.168.10.114 spi 100 key ascii cookbook
RouterHome1(config)#ip mobile secure host 192.168.10.115 spi 100 key ascii cookbook
RouterHome1(config)#end
RouterHome1#

And here is the second Home Agent router:

RouterHome2#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
RouterHome2(config)#interface FastEthernet0/0
RouterHome2(config-if)#ip address 192.168.9.3 255.255.255.0
RouterHome2(config-if)#standby 1 ip 192.168.9.1
RouterHome2(config-if)#standby 1 name HA-GROUP
RouterHome2(config-if)#exit
RouterHome2(config)#router mobile
RouterHome2(config-router)#exit
RouterHome2(config)#router eigrp 99
RouterHome2(config-router)#redistribute mobile
RouterHome2(config-router)#network 192.168.9.0
RouterHome2(config-router)#network 192.168.10.0
RouterHome2(config-router)#default-metric 10000 10 255 1 1500
RouterHome2(config-router)#no auto-summary
RouterHome2(config-router)#exit
RouterHome2(config)#ip mobile home-agent address 192.168.9.1
RouterHome2(config)#ip mobile home-agent redundancy HA-GROUP virtual-network
RouterHome2(config)#ip mobile virtual-network 192.168.10.0 255.255.255.0
RouterHome2(config)#ip mobile host 192.168.10.1 192.168.10.254 virtual-network 192.168.10.0 255.255.255.0
RouterHome2(config)#ip mobile secure home-agent 192.168.9.2 spi 100 key ascii cisco
RouterHome2(config)#ip mobile secure host 192.168.10.110 spi 100 key ascii cookbook
RouterHome2(config)#ip mobile secure host 192.168.10.111 spi 100 key ascii cookbook
RouterHome2(config)#ip mobile secure host 192.168.10.112 spi 100 key ascii cookbook
RouterHome2(config)#ip mobile secure host 192.168.10.113 spi 100 key ascii cookbook
RouterHome2(config)#ip mobile secure host 192.168.10.114 spi 100 key ascii cookbook
RouterHome2(config)#ip mobile secure host 192.168.10.115 spi 100 key ascii cookbook
RouterHome2(config)#end
RouterHome2#

The configurations of the Mobile Router and the Foreign Agent router are identical to those seen in previous recipes in this chapter.

Discussion

If you plan to configure a large Mobile IP infrastructure, then a natural design would be to have a centralized Home Agent router by using virtual-networks to support a large pool of Mobile Nodes. In this design, it quickly becomes apparent that the Home Agent router itself is a serious single point of failure for the entire Mobile IP network. Fortunately, Cisco provides a way to make the Home Agent redundant.

In this recipe, we modify the Home Agent configuration shown in Recipe 24.2 to allow you to use a pair of dual redundant Home Agent routers. In this example, the two routers are configured in an Active-Standby relationship, so that all traffic uses either one router or the other. Later in this recipe, we will discuss ways to make this an Active-Active relationship instead.

In Recipe 24.2, we configured the Home Agent address on a Loopback interface. The reason for this was simple. Because the tunnels terminate on this address, we wanted to make sure that it was always available. Now, however, we want to be able to flip our tunnels to the backup Home Agent router, which means that we need to put it on a physical interface:

RouterHome1(config)#interface FastEthernet0/0
RouterHome1(config-if)#ip address 192.168.9.2 255.255.255.0
RouterHome1(config-if)#standby 1 ip 192.168.9.1
RouterHome1(config-if)#standby 1 name HA-GROUP

We have configured HSRP on this interface and assigned the group name HA-GROUP to it. The HSRP virtual IP address for this group is the Home Agent address. On the other router, we have configured a different physical IP address, but the same virtual address and HSRP group:

RouterHome2(config)#interface FastEthernet0/0
RouterHome2(config-if)#ip address 192.168.9.3 255.255.255.0
RouterHome2(config-if)#standby 1 ip 192.168.9.1
RouterHome2(config-if)#standby 1 name HA-GROUP

This way, the virtual address is available if this Ethernet interface is available on either router. Please refer to Chapter 22 for more information on HSRP.

The rest of the Home Agent configuration is remarkably similar to what we previously saw in Recipe 24.2. So we will just look at the differences, and there are two:

RouterHome1(config)#ip mobile home-agent redundancy HA-GROUP virtual-network
RouterHome1(config)#ip mobile secure home-agent 192.168.9.3 spi 100 key ascii cisco

These two new commands do two things. The first one associates the HSRP group, HA-GROUP, with the IP Mobility Home Agent and configures it to support a virtual network. The second one configures a security association and authentication key for the relationship between the two redundant Home Agents. This is critical because it is what allows the two routers to share information about the IP Mobility bindings.
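The following Python check is an added example, not part of the original recipe: it compares the two Home Agent configurations and reports where the HSRP group, the Home Agent address, the Mobile Node security associations, or the peer security association have drifted apart. The function names and the abbreviated sample configuration (two of the six Mobile Node entries) are assumptions constructed for illustration.

```python
import re

def sample_config(own, peer, host_key="cookbook"):
    # Constructed input: security-relevant lines of this recipe's Home Agent
    # configuration, with two of the six Mobile Node entries kept.
    return f"""interface FastEthernet0/0
 ip address {own} 255.255.255.0
 standby 1 ip 192.168.9.1
 standby 1 name HA-GROUP
ip mobile home-agent address 192.168.9.1
ip mobile secure home-agent {peer} spi 100 key ascii cisco
ip mobile secure host 192.168.10.110 spi 100 key ascii cookbook
ip mobile secure host 192.168.10.111 spi 100 key ascii {host_key}
"""

SA = re.compile(r"ip mobile secure (host|home-agent) (\S+) spi (\S+) key ascii (\S+)$")
def parse(cfg):
    """Extract the fields that must agree between redundant Home Agents."""
    out = {"hosts": {}, "peers": {}, "groups": {}, "phys": None, "ha": None}
    for line in map(str.strip, cfg.splitlines()):
        if m := re.match(r"ip address (\S+) \S+$", line):
            out["phys"] = m[1]
        elif m := re.match(r"standby (\d+) (ip|name) (\S+)$", line):
            out["groups"].setdefault(m[1], {})[m[2]] = m[3]
        elif m := re.match(r"ip mobile home-agent address (\S+)$", line):
            out["ha"] = m[1]
        elif m := SA.match(line):
            out["hosts" if m[1] == "host" else "peers"][m[2]] = (m[3], m[4])
    return out

def check_pair(cfg_a, cfg_b):
    """Return a list of findings; an empty list means the pair is consistent."""
    a, b = parse(cfg_a), parse(cfg_b)
    findings = []
    if a["groups"] != b["groups"]:
        findings.append("HSRP group names or virtual IPs differ")
    if a["ha"] != b["ha"] or a["ha"] not in [g.get("ip") for g in a["groups"].values()]:
        findings.append("Home Agent address is not the shared HSRP virtual IP")
    drift = {h for h, _ in set(a["hosts"].items()) ^ set(b["hosts"].items())}
    if drift:
        findings.append("Mobile Node SA differs for: " + ", ".join(sorted(drift)))
    # Each router needs an SA for the other's physical address, same SPI and key.
    sa_ab, sa_ba = a["peers"].get(b["phys"]), b["peers"].get(a["phys"])
    if sa_ab is None or sa_ab != sa_ba:
        findings.append("peer Home Agent SA missing or mismatched")
    return findings

HA1 = sample_config("192.168.9.2", "192.168.9.3")
HA2 = sample_config("192.168.9.3", "192.168.9.2")
```

An empty result from check_pair(HA1, HA2) means a Mobile Node can authenticate its registration against either router after a failover.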

To configure an Active-Active relationship between the two Home Agents, it is necessary to configure two distinct Home Agent addresses. One group of Mobile Nodes will use the first Home Agent address, and another group will use the second address.

First, the interface configuration must be changed to support two HSRP groups with different names and different virtual IP addresses:

RouterHome1(config)#interface FastEthernet0/0
RouterHome1(config-if)#ip address 192.168.9.2 255.255.255.0
RouterHome1(config-if)#standby 1 ip 192.168.9.1
RouterHome1(config-if)#standby 1 priority 110
RouterHome1(config-if)#standby 1 preempt
RouterHome1(config-if)#standby 1 name HA-GROUP
RouterHome1(config-if)#standby 2 ip 192.168.9.5
RouterHome1(config-if)#standby 2 priority 90
RouterHome1(config-if)#standby 2 preempt
RouterHome1(config-if)#standby 2 name HA-GROUP2
RouterHome1(config-if)#exit

Then the second router is the same, but with a different physical address and different HSRP priority values:

RouterHome2(config)#interface FastEthernet0/0
RouterHome2(config-if)#ip address 192.168.9.3 255.255.255.0
RouterHome2(config-if)#standby 1 ip 192.168.9.1
RouterHome2(config-if)#standby 1 priority 90
RouterHome2(config-if)#standby 1 preempt
RouterHome2(config-if)#standby 1 name HA-GROUP
RouterHome2(config-if)#standby 2 ip 192.168.9.5
RouterHome2(config-if)#standby 2 priority 110
RouterHome2(config-if)#standby 2 preempt
RouterHome2(config-if)#standby 2 name HA-GROUP2
RouterHome2(config-if)#exit

We have configured HSRP priorities so that during normal operation, the first router will be active for the first virtual IP address and the second router will be active for the second address. We have also configured the preempt keyword on both groups so that if one of the routers does fail, they will return to the desired Active-Active relationship after it recovers. Please refer to Chapter 22 for more information on this option.

Then we simply have to configure the routers to advertise the second virtual IP address as a Home Agent address:

RouterHome1(config)#ip mobile home-agent redundancy HA-GROUP virtual-network address 192.168.9.1
RouterHome1(config)#ip mobile home-agent redundancy HA-GROUP2 virtual-network address 192.168.9.5

And, finally, we must configure some of our Mobile Nodes to point to the first address and some to point to the second address for their respective Home Agents.

See Also

Recipe 24.2; Recipe 24.3; Recipe 24.4; Chapter 22
