06-21-2012 01:09 AM - edited 03-04-2019 04:44 PM
Hi All,
I have a query regarding the usage of Public IPs and the typical Cisco gateway redundancy protocols such as VRRP, HSRP and GLBP. My query is over the wasted use of Public IPs by these specific protocols.
My design is as follows -
2 x Cisco 4948E switches (Collapsed Core)
2 x Cisco ASA 5525X Series Firewalls (These can be ignored for this query)
The access layer will consist of Cisco customer equipment (Routers/Firewalls) and a Dell Blade Chassis (This can be ignored)
I have a layer 2 trunk connection between my two Cisco 4948E switches and have strategically configured spanning tree to block where I find appropriate (I have not used a layer 3 link between the switches for good reason). I have a number of ISPs upstream who advertise large blocks of IP space to me, which I then take and subnet into smaller /29 networks for assignment to customers.
I am looking at using HSRP for gateway redundancy for customers who do not reside on the blade chassis and instead use their own equipment such as a Cisco Router or Firewall. From the /29 (6 usable IPs) I would use one of those IP addresses for the gateway and give that to the customers as their gateway address to utilise on their equipment, and that would leave them with 5 usable IPs for NAT usage (Similar to a normal ISP). However, with the use of HSRP, VRRP or GLBP they all require 3 IP addresses for their configuration. See below -
Switch#1
Interface Vlan 201
ip Address 1.1.1.2 255.255.255.248
standby 1 ip 1.1.1.1
standby 1 priority 150
standby 1 preempt delay minimum 300
Switch#2
Interface Vlan 201
ip address 1.1.1.3 255.255.255.248
standby 1 ip 1.1.1.1
standby 1 priority 50
As you can see from the above configuration, the use of HSRP requires 3 IP addresses which then limits my customers to the use of ONLY 3 public IP addresses. This is unacceptable for them, therefore I need a solution that would allow me to retain the 5 usable public IP addresses for use by the customers.
I have seen several configuration examples which perform the following -
Switch#1
interface Vlan 201
ip address 192.168.1.2 255.255.255.0
standby 2 ip 192.168.1.1
standby 2 ip 1.1.1.1 secondary
Switch#2
interface Vlan 201
ip address 192.168.1.3 255.255.255.0
standby 2 ip 192.168.1.1
standby 2 ip 1.1.1.1 secondary
This configuration concerns me and it is unacceptable to utilise a "workaround" if it is not a fully supported configuration.
Can anybody shed any light on a possible solution for this problem?
Thanks
Nick
06-21-2012 02:30 AM
It would appear I have jumped the gun with a famous ass-u-me!
VRRP can be configured with the same interface IP address as Virtual address therefore only utilizing one IP address in total.
Not sure the side effects to this yet though. See below -
Switch#1
int vlan 201
ip address 1.1.1.1 255.255.255.248
vrrp 201 ip 1.1.1.1
Switch#2
int vlan 201
ip address 1.1.1.1 255.255.255.248
vrrp 201 ip 1.1.1.1
I have tested this and it works perfectly in a failover scenario. My only concern is when I perform a "sh vrrp" the following is displayed -
Switch#1
Vlan201 - Group 201
State is Master
Virtual IP address is 1.1.1.1
Virtual MAC address is 0000.5e00.01c8
Advertisement interval is 1.000 sec
Preemption enabled
Priority is 255 (cfgd 150)
Master Router is 1.1.1.1 (local), priority is 255
Master Advertisement interval is 1.000 sec
Master Down interval is 3.003 sec
Switch#2
Vlan201 - Group 201
State is Master
Virtual IP address is 1.1.1.1
Virtual MAC address is 0000.5e00.01c8
Advertisement interval is 1.000 sec
Preemption enabled
Priority is 255 (cfgd 50)
Master Router is 1.1.1.1 (local), priority is 255
Master Advertisement interval is 1.000 sec
Master Down interval is 3.003 sec
It shows both switches as being the master. If I plug a laptop into an access port on vlan 201 and configure it with the gateway IP address as 1.1.1.1 and an IP in the same subnet I can successfully ping the address. If I then shut down the vlan interface the laptop drops a single ping before VRRP switches over to the other switch. If I then bring the vlan interface back online pre-emption kicks in and the gateway switches back over.
This seems to work seamlessly but my concern would be in a production environment. Has anybody had any experience of a configuration like this?
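The "Priority is 255 (cfgd 150)", "State is Master" on both switches and "Master Down interval is 3.003 sec" in the output above all follow from the RFC 3768 election rules. The Python model below is an added illustration, not code from this thread or from Cisco; it assumes nothing beyond the RFC: an address owner (interface address equal to the virtual address) always runs at priority 255, a Master only yields to a higher priority or, on a tie, to a higher primary IP, and Master_Down_Interval = 3 * Advertisement_Interval + (256 - Priority) / 256. With both switches owning 1.1.1.1, the tie-break has nothing to compare, so neither yields.

```python
"""Model of the RFC 3768 VRRP master election rules (added example, not Cisco code)."""
from dataclasses import dataclass


def ip_key(ip: str) -> tuple:
    """Numeric tuple so that '1.1.1.10' compares higher than '1.1.1.3'."""
    return tuple(int(octet) for octet in ip.split("."))


@dataclass
class VrrpRouter:
    name: str
    primary_ip: str           # interface address, also the advertisement source
    virtual_ip: str           # 'vrrp <group> ip <addr>'
    cfgd_priority: int        # 'vrrp <group> priority <n>' (default 100)
    adv_interval: float = 1.0
    state: str = "Master"     # starting state for the scenario being evaluated

    @property
    def priority(self) -> int:
        # RFC 3768 5.3.4: the address owner MUST use priority 255, whatever is configured.
        return 255 if self.primary_ip == self.virtual_ip else self.cfgd_priority

    @property
    def master_down_interval(self) -> float:
        # RFC 3768 6.1: 3 * Advertisement_Interval + Skew_Time, Skew_Time = (256 - Priority) / 256
        return 3 * self.adv_interval + (256 - self.priority) / 256

    def receive_advertisement(self, sender: "VrrpRouter") -> str:
        """RFC 3768 6.4.3 Master-state rule: yield to a higher priority, or on a tie
        to a higher primary IP address; otherwise discard and stay Master."""
        if self.state == "Master" and (
            sender.priority > self.priority
            or (sender.priority == self.priority
                and ip_key(sender.primary_ip) > ip_key(self.primary_ip))
        ):
            self.state = "Backup"
        return self.state


def elect(a: VrrpRouter, b: VrrpRouter) -> tuple:
    """Both routers evaluate each other's advertisement; return (state_a, state_b)."""
    return a.receive_advertisement(b), b.receive_advertisement(a)


if __name__ == "__main__":
    # Scenario from the thread: both interfaces carry the virtual address itself.
    s1 = VrrpRouter("Switch#1", "1.1.1.1", "1.1.1.1", 150)
    s2 = VrrpRouter("Switch#2", "1.1.1.1", "1.1.1.1", 50)
    print(s1.priority, s2.priority, elect(s1, s2), round(s1.master_down_interval, 4))
    # Conventional design: distinct interface addresses, one virtual address.
    n1 = VrrpRouter("Switch#1", "1.1.1.2", "1.1.1.1", 150)
    n2 = VrrpRouter("Switch#2", "1.1.1.3", "1.1.1.1", 50)
    print(n1.priority, n2.priority, elect(n1, n2), round(n1.master_down_interval, 4))
```

The first scenario reproduces the output above (255 / 255, both Master, 3.0039 s, which the switch displays as 3.003); the second shows the normal outcome, one Master and one Backup.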