Gateway Redundancy Query

Nicholas Beard
Level 1

Hi All,

I have a query regarding the usage of Public IPs and the typical Cisco gateway redundancy protocols such as VRRP, HSRP and GLBP.  My query is over the wasted use of Public IPs by these specific protocols. 

My design is as follows -

2 x Cisco 4948E switches (Collapsed Core)

2 x Cisco ASA 5525X Series Firewalls (These can be ignored for this query)

The access layer will consist of Cisco customer equipment (Routers/Firewalls) and a Dell Blade Chassis (This can be ignored)

I have a layer 2 trunk connection between my two Cisco 4948E switches and have strategically configured spanning tree to block where I find appropriate (I have not used a layer 3 link between the switches for good reason). I have a number of ISPs upstream who advertise large blocks of IP space to me, which I then take and subnet into smaller /29 networks for assignment to customers.

I am looking at using HSRP for gateway redundancy for customers who do not reside on the blade chassis and instead use their own equipment such as a Cisco Router or Firewall. From the /29 (6 usable IPs) I would use one of those IP addresses for the gateway and give that to the customers as their gateway address to utilise on their equipment, and that would leave them with 5 usable IPs for NAT usage (similar to a normal ISP). However, with the use of HSRP, VRRP or GLBP they all require 3 IP addresses for their configuration. See below -

Switch#1

interface Vlan 201
 ip address 1.1.1.2 255.255.255.248
 standby 1 ip 1.1.1.1
 standby 1 priority 150
 standby 1 preempt delay minimum 300

Switch#2

interface Vlan 201
 ip address 1.1.1.3 255.255.255.248
 standby 1 ip 1.1.1.1
 standby 1 priority 50

As you can see from the above configuration, the use of HSRP requires 3 IP addresses, which then limits my customers to the use of ONLY 3 public IP addresses. This is unacceptable for them, therefore I need a solution that would allow me to retain the 5 usable public IP addresses for use by the customers.

I have seen several configuration examples which perform the following -

Switch#1

interface Vlan 201
 ip address 192.168.1.2 255.255.255.0
 standby 2 ip 192.168.1.1
 standby 2 ip 1.1.1.1 secondary

Switch#2

interface Vlan 201
 ip address 192.168.1.3 255.255.255.0
 standby 2 ip 192.168.1.1
 standby 2 ip 1.1.1.1 secondary

This configuration concerns me and it is unacceptable to utilise a "workaround" if it is not a fully supported configuration.

Can anybody shed any light on a possible solution for this problem?

Thanks

Nick

1 Reply

Nicholas Beard
Level 1

It would appear I have jumped the gun with a famous ass-u-me!

VRRP can be configured with the same interface IP address as Virtual address therefore only utilizing one IP address in total.

Not sure the side effects to this yet though.  See below -

Switch#1

int vlan 201
 ip address 1.1.1.1 255.255.255.248
 vrrp 201 ip 1.1.1.1

Switch#2

int vlan 201
 ip address 1.1.1.1 255.255.255.248
 vrrp 201 ip 1.1.1.1

I have tested this and it works perfectly in a failover scenario. My only concern is when I perform a "sh vrrp" the following is displayed -

Switch#1

Vlan201 - Group 201
  State is Master
  Virtual IP address is 1.1.1.1
  Virtual MAC address is 0000.5e00.01c8
  Advertisement interval is 1.000 sec
  Preemption enabled
  Priority is 255 (cfgd 150)
  Master Router is 1.1.1.1 (local), priority is 255
  Master Advertisement interval is 1.000 sec
  Master Down interval is 3.003 sec

Switch#2

Vlan201 - Group 201
  State is Master
  Virtual IP address is 1.1.1.1
  Virtual MAC address is 0000.5e00.01c8
  Advertisement interval is 1.000 sec
  Preemption enabled
  Priority is 255 (cfgd 50)
  Master Router is 1.1.1.1 (local), priority is 255
  Master Advertisement interval is 1.000 sec
  Master Down interval is 3.003 sec

It shows both switches as being the master. If I plug a laptop into an access port on vlan 201 and configure it with the gateway IP address as 1.1.1.1 and an IP in the same subnet I can successfully ping the address. If I then shut down the vlan interface the laptop drops a single ping before VRRP switches over to the other switch. If I then bring the vlan interface back online pre-emption kicks in and the gateway switches back over.

This seems to work seamlessly but my concern would be in a production environment.  Has anybody had any experience of a configuration like this?
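As an added health check (example code, not from the post or from Cisco), the Python below parses "show vrrp" output from each switch and flags the two conditions visible in the output above: more than one device reporting Master for the same group, and more than one device running at priority 255, which VRRP (RFC 3768) reserves for the router that owns the virtual address as a real interface address. The sample outputs are constructed from the post and trimmed to the fields the parser uses.

```python
import re
from collections import defaultdict

# Constructed sample: the two "show vrrp" outputs from the post, trimmed to the lines used.
SHOW_VRRP = {
    "Switch#1": "Vlan201 - Group 201\n  State is Master\n  Virtual IP address is 1.1.1.1\n"
                "  Priority is 255 (cfgd 150)\n  Master Router is 1.1.1.1 (local), priority is 255\n",
    "Switch#2": "Vlan201 - Group 201\n  State is Master\n  Virtual IP address is 1.1.1.1\n"
                "  Priority is 255 (cfgd 50)\n  Master Router is 1.1.1.1 (local), priority is 255\n",
}

GROUP_RE = re.compile(r"^(\S+) - Group (\d+)$")
STATE_RE = re.compile(r"^\s*State is (\w+)")
PRIO_RE = re.compile(r"^\s*Priority is (\d+)")   # case-sensitive: skips "Master Router ... priority is"

def parse_show_vrrp(text):
    """Parse 'show vrrp' into {(interface, group): {'state': str, 'priority': int}}."""
    groups, cur = {}, None
    for line in text.splitlines():
        if m := GROUP_RE.match(line):
            cur = (m.group(1), int(m.group(2)))
            groups[cur] = {}
        elif cur and (m := STATE_RE.match(line)):
            groups[cur]["state"] = m.group(1)
        elif cur and (m := PRIO_RE.match(line)):
            groups[cur]["priority"] = int(m.group(1))
    return groups

def check_vrrp(outputs):
    """Cross-check each group across devices. On a healthy pair at most one
    device is Master, and at most one runs at priority 255 (the effective
    priority of the router whose interface address is the virtual address)."""
    by_group = defaultdict(dict)
    for dev, text in outputs.items():
        for key, rec in parse_show_vrrp(text).items():
            by_group[key][dev] = rec
    findings = []
    for (intf, grp), devs in sorted(by_group.items()):
        masters = sorted(d for d, r in devs.items() if r.get("state") == "Master")
        owners = sorted(d for d, r in devs.items() if r.get("priority") == 255)
        if len(masters) > 1:
            findings.append(f"{intf} group {grp}: {len(masters)} Masters {masters}")
        if len(owners) > 1:
            findings.append(f"{intf} group {grp}: virtual IP owned by {owners}")
    return findings

if __name__ == "__main__":
    for f in check_vrrp(SHOW_VRRP):
        print(f)
```

Feeding it the outputs from the post yields two findings for Vlan201 group 201; a pair where the second switch reports Backup at its configured priority yields none.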
