VRRP for two routers with many subinterfaces

kapydan88
Level 4

Hello.

What is the best decision for implementing two routers in vrrp with many subinterfaces in each one?


balaji.bandi
Hall of Fame

How about considering VRF here?

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Giuseppe Larosa
Hall of Fame

Hello Kapydan88,

If you have two routers both connecting to multiple VLAN-based subinterfaces and in each of them you want to run VRRP, there are two possible design choices:

a) Use both routers as Active/Master VRRP in different VLAN subsets; in this way both routers are working and you can achieve some load sharing.

b) Have all the VRRP groups on all VLANs use the same router as Active/Master. All the load in the upstream direction is on a single device. It may be easier to troubleshoot, however if the number of subinterfaces is high (more than 30) you can face issues at the NIC MAC address filter level (for each active group the corresponding VIP MAC address has to be added to the NIC MAC address filter). Besides this you have less performance because a single device is used.

 

Because you are mentioning routers and not multilayer switches I would go for option A to achieve better performance.

VRRP might overcome the MAC address limitation when the VRRP VIP address is equal to the IP address of the VRRP master for the group (this option is not available in HSRP, HSRP supports only using the BIA with standby XX use-bia) because it might use the interface MAC address instead of the VRRP MAC address.

 

 

Hope to help

Giuseppe

 

Hi.

Thanks for the answer. Right now we have one 4331 as "router on a stick" and an old 3750 with 12 SFP. And we are thinking of reserving it with the second 4331. If I understood correctly, in the second router we need to create a subinterface in the same VLAN as the first 4331 + a VRRP subinterface.

But there is a problem - this router is the owner of DHCP pools (I know that it is wrong, but it is impossible to change it at this time).

 If i understood correctly, in the second router we need to create a subinterface in the same as the first 4331 vlan + vrrp subinterface.   <<-- Yes, this is correct, you need to create the same as on the other router. Make sure you have all the VLAN reachability on both routers (on the switch config).

 

But there is a problem - this router is the owner of DHCP pools (i know that it is wrong, but it is impossible to change it at this time).   <<-- You can still keep this as a local IP address, but I suggest having another dedicated DHCP server if possible, so you can have HA availability.

 

BB


Thanks a lot

Let us know how it goes; if resolved, mark as solution.

 

BB


For example, this is part of the config from the current router:

0/0/0 - external interface

0/0/1 - internal interface

 

GigabitEthernet0/0/0 15.14.13.12 YES NVRAM up up
GigabitEthernet0/0/1 192.168.1.1 YES NVRAM up up
GigabitEthernet0/0/1.2 192.168.2.1 YES NVRAM up up
Gi0/0/1.10 192.168.10.1 YES NVRAM up up
Gi0/0/1.11 192.168.11.1 YES NVRAM up up
Gi0/0/1.12 192.168.12.1 YES NVRAM up up
Gi0/0/1.13 192.168.13.1 YES NVRAM up up
Gi0/0/1.15 192.168.15.1 YES NVRAM up up
Gi0/0/1.20 192.168.20.1 YES NVRAM up up
Gi0/0/1.21 192.168.21.1 YES NVRAM up up
...

R1_4331#sh run int gi0/0/1.10
Building configuration...

Current configuration : 165 bytes
!
interface GigabitEthernet0/0/1.10
description wifi_hotspot
encapsulation dot1Q 10
ip address 192.168.10.1 255.255.255.0
ip helper-address 192.168.10.4
end


R1_4331#sh run int gi0/0/1.20
Building configuration...

Current configuration : 151 bytes
!
interface GigabitEthernet0/0/1.20
description controller
encapsulation dot1Q 20
ip address 192.168.20.1 255.255.255.0
ip helper-address 192.168.10.4
end

 

Port settings on the switch:

 

interface GigabitEthernet1/0/1
description UPLINK_to_R1
switchport trunk encapsulation dot1q
switchport mode trunk
end

 

If we add a second router, its settings will be as follows (+ the appropriate setting for the switch port):

 

GigabitEthernet0/0/0 15.14.13.11 YES NVRAM up up
GigabitEthernet0/0/1 192.168.1.2 YES NVRAM up up
GigabitEthernet0/0/1.2 192.168.2.2 YES NVRAM up up
Gi0/0/1.10 192.168.10.2 YES NVRAM up up
Gi0/0/1.11 192.168.11.2 YES NVRAM up up
Gi0/0/1.12 192.168.12.2 YES NVRAM up up
Gi0/0/1.13 192.168.13.2 YES NVRAM up up
Gi0/0/1.15 192.168.15.2 YES NVRAM up up
Gi0/0/1.20 192.168.20.2 YES NVRAM up up
Gi0/0/1.21 192.168.21.2 YES NVRAM up up

R2_4331#sh run int gi0/0/1.10
Building configuration...

Current configuration : 165 bytes
!
interface GigabitEthernet0/0/1.10
description wifi_hotspot_2
encapsulation dot1Q 10
ip address 192.168.10.2 255.255.255.0
ip helper-address 192.168.10.4
end


R2_4331#sh run int gi0/0/1.20
Building configuration...

Current configuration : 151 bytes
!
interface GigabitEthernet0/0/1.20
description controller_2
encapsulation dot1Q 20
ip address 192.168.20.2 255.255.255.0
ip helper-address 192.168.10.4
end

 

And the last one - the config with VRRP for both routers. In this particular case R1 is the main router, R2 is the backup. The VRRP group number on each subinterface is identical to the VLAN number.

 

R1_4331#sh run int gi0/0/1.10
Building configuration...

Current configuration : 165 bytes
!
interface GigabitEthernet0/0/1.10
description wifi_hotspot
encapsulation dot1Q 10
ip address 192.168.10.1 255.255.255.0
ip helper-address 192.168.10.4
vrrp 10 ip 192.168.10.254
vrrp 10 preempt
end


R1_4331#sh run int gi0/0/1.20
Building configuration...

Current configuration : 151 bytes
!
interface GigabitEthernet0/0/1.20
description controller
encapsulation dot1Q 20
ip address 192.168.20.1 255.255.255.0
ip helper-address 192.168.10.4
vrrp 20 ip 192.168.20.254
vrrp 20 preempt
end

...

R2_4331#sh run int gi0/0/1.10
Building configuration...

Current configuration : 165 bytes
!
interface GigabitEthernet0/0/1.10
description wifi_hotspot_2
encapsulation dot1Q 10
ip address 192.168.10.2 255.255.255.0
ip helper-address 192.168.10.4
vrrp 10 ip 192.168.10.254
vrrp 10 priority 90
end


R2_4331#sh run int gi0/0/1.20
Building configuration...

Current configuration : 151 bytes
!
interface GigabitEthernet0/0/1.20
description controller_2
encapsulation dot1Q 20
ip address 192.168.20.2 255.255.255.0
ip helper-address 192.168.10.4
vrrp 20 ip 192.168.20.254
vrrp 20 priority 90
end

Hello kapydan88,

In VRRP, pre-emption is enabled by default, so you don't need to enable it, and in any case it would be needed on both devices.

If you make all VRRP groups master/active on Router1, you need to take care how many VLAN-based subinterfaces and VRRP groups are present, as I have explained in the previous post (how many VRRP MAC addresses can be installed in the NIC MAC address filter?).

 

Also, you need to replicate the DHCP scopes on both routers to have redundancy on this aspect.

 

A possible approach is to divide each subnet in two sub-pools with R1 assigning IP addresses in first pool and R2 assigning IP addresses in second pool for each Vlan/subnet.

This approach may fit your needs if the IP address usage per subnet is less than 50%.

 

Hope to help

Giuseppe
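
An added example (not part of the thread and not any poster's configuration) that works through two suggestions above: option (a), alternating the VRRP master between VLANs, and splitting each subnet's DHCP range in half between R1 and R2. It assumes the thread's .1/.2/.254 numbering, priorities 100 and 90, hypothetical pool names `VLAN<id>`, the VIP as the clients' default gateway, and no other static addresses that would need excluding.

```python
import ipaddress

# Constructed input modelled on the thread's subinterfaces: VLAN id -> subnet.
VLANS = {10: "192.168.10.0/24", 20: "192.168.20.0/24", 21: "192.168.21.0/24"}
PARENT_IF = "GigabitEthernet0/0/1"   # trunk interface named in the thread

def plan_vlan(index, vlan, cidr):
    """Return {router: plan} for one VLAN: alternating VRRP master, halved DHCP range."""
    net = ipaddress.ip_network(cidr)
    hosts = list(net.hosts())
    r1, r2, vip = hosts[0], hosts[1], hosts[-1]   # .1/.2/.254 numbering from the thread
    mid = len(hosts) // 2
    low, high = hosts[:mid], hosts[mid:]          # R1 leases from low, R2 from high
    master = "R1" if index % 2 == 0 else "R2"     # option (a): split masters across VLANs
    plans = {}
    for name, addr, own, peer in (("R1", r1, low, high), ("R2", r2, high, low)):
        own_set = set(own)
        # Exclude the peer's whole half, then each router/VIP address in our own half.
        excluded = [(peer[0], peer[-1])] + [(a, a) for a in (r1, r2, vip) if a in own_set]
        plans[name] = {"vlan": vlan, "net": net, "addr": addr, "vip": vip,
                       "priority": 100 if name == master else 90,
                       "excluded": excluded,
                       "leasable": len(own) - (len(excluded) - 1)}
    return plans

def render(plan):
    """Render one router's plan for one VLAN as IOS-style configuration lines."""
    v, net = plan["vlan"], plan["net"]
    lines = [f"interface {PARENT_IF}.{v}",
             f" encapsulation dot1Q {v}",
             f" ip address {plan['addr']} {net.netmask}",
             f" vrrp {v} ip {plan['vip']}",
             f" vrrp {v} priority {plan['priority']}",
             "!"]
    for lo, hi in plan["excluded"]:
        lines.append(f"ip dhcp excluded-address {lo}" + ("" if lo == hi else f" {hi}"))
    lines += [f"ip dhcp pool VLAN{v}",            # pool name is a made-up placeholder
              f" network {net.network_address} {net.netmask}",
              f" default-router {plan['vip']}", "!"]
    return lines

def build(vlans):
    """Return {router: [config lines]} covering every VLAN in ascending order."""
    out = {"R1": [], "R2": []}
    for i, (vlan, cidr) in enumerate(sorted(vlans.items())):
        for name, plan in plan_vlan(i, vlan, cidr).items():
            out[name] += render(plan)
    return out

if __name__ == "__main__":
    for router, lines in build(VLANS).items():
        print(f"! ---- {router} ----", *lines, sep="\n")
```

The `leasable` count in each plan is the number of addresses that router can hand out on its own, which is why the split only works when per-subnet usage stays under half.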

 

 

 

 

Hi @Giuseppe Larosa 

We have two Layer 3 switches with BGP running over two ISP connections. My boss wants HA between the two Layer 3 gateway switches, so I planned to configure VRRP on both.

However, I’m stuck because the gateway Layer 3 switches are connected to the LAN-side firewall with public IPs, and the Layer 3 switch interfaces also have public IPs assigned. My boss isn’t providing 2-3 additional public IPs for VRRP as it's costly.

We also have two VLANs configured on the switches.

How can I achieve redundancy in case one Layer 3 gateway switch fails, without needing extra public IPs?

Thanks!

Am I understanding your topology correctly that you have 2 layer 3 switches running EBGP with 2 ISP (and IBGP between the switches)? In that case you already have redundancy. I am not sure that adding VRRP adds much value (especially considering the cost of additional Public IPs).

HTH

Rick

@Richard Burts @Noo noo Between the two layer 3 switches no routing protocol is configured. We don't want to configure any routing protocol.

I am very confused. You describe 2 switches running BGP and then you say there is no routing protocol.

HTH

Rick

We are using two L3 switches with no iBGP between each other... we just want an active/passive kind of thing... so we have configured the same IP on both the layer 3 switches... we want that when one fails the other should take over... switch stacking functionality is not there... also our boss is not providing extra public IPs.

Thanks for the clarification. I am not convinced that VRRP would really do what you want, and if you do not have extra Public IP then it is not an option. It seems to me, based on the very little that I know about your environment, that the best way to achieve HA would be to run IBGP between the switches.

HTH

Rick