Can HSRP / VRRP be used in such a setup?

SJ K
Level 5

Hi all,

In the design below, are we able to configure HSRP for R0 and R1 so that if R0 fails, the route to/from the ISP can still go to R1?

I understand that HSRP needs to have a virtual IP, but I have only been assigned 1 IP (202.100.100.102) by the ISP for the point-to-point connection.

In that case, what should I set for the actual IPs on the R0 and R1 fa0/0 interfaces?
Can I use dummy IPs/subnets for the R0 and R1 fa0/0 interfaces?

Regards,
Noob

Accepted Solutions

Reza Sharifi
Hall of Fame

Hi,

Since you only have 1 IP, you can't configure HSRP towards the provider, and they usually don't use VLANs (just point-to-point), but you can use your own IPs and do HSRP for traffic coming from your LAN side.

HTH

Cisco Freak
Level 4

You can configure HSRP on the LAN side of the network, and then configure IP SLA / interface tracking on the HSRP active router so that once it loses the ISP connection, the traffic will move over to the next router.

CF

11 Replies

Hi Reza, Ciscofreak,

Thanks for the replies and sorry for the late response.

Can I check:

a) Is it the norm to request more than 1 IP on the point-to-point connection with the ISP?

b) If we are not able to set up HSRP/VRRP on the WAN side, how do we ensure redundancy/automatic failover if one of the routers or its WAN interface fails?

c) If we are unable to achieve router redundancy on the WAN side, is there any other reason to have the switch placed in front of the routers?

P.S. Ciscofreak, for IP SLA: are we able to configure it across 2 routers (as per my diagram above)? If the primary router is down, how do we enable the route between the standby router and the ISP, given that there is only 1 link and 1 IP to be used on the router's WAN interface?

Regards,

Noob

Hi,

The biggest issue with this design is that you have a single connection to a single provider (single point of failure). So no matter how much redundancy you provide on the LAN side, if the connection to the provider fails, you will lose everything. It all depends on how important redundancy and uptime are for your business. If your business can handle a few minutes or a few hours of downtime, then the cost of adding more ISPs and Internet connections is not justified. If Internet uptime has a very high priority in your business, then a better design is to have multiple ISPs connecting to multiple routers configured for redundancy and failover.

HTH

Just to add -

you can't actually set up the design you have because you don't have two spare IPs, so it's not a question of how to provide redundancy, i.e. HSRP or IP SLA; it's that you cannot use both routers.

Yes, you can use HSRP on the LAN side, but one of the routers won't have an IP on its WAN side, so if the router with the IP fails then switching across to the other router does nothing.

For this to work you either need -

1) more IPs for the public IP subnet

or

2) the switch between you and the ISP would have to be a L3 switch

Jon

Hi Jon, Reza,

Thanks for your wonderful feedback.

Aside to Jon: when you mentioned that the switch has to be an L3 switch, does that mean that I would have 3 networks altogether: 1 between the L3 switch and the ISP, 1 from the switch to R1 and 1 from the switch to R2?

On the LAN side, HSRP / VRRP will be configured. So if R1 is down, traffic can still go through R2 -> Switch -> ISP?

========================================================================

Also, since we cannot have VRRP/HSRP on the WAN side due to the IP limitation, is there any other reason why one would put a switch in front to connect to the ISP instead of connecting the routers directly? That is the main reason I started out: to find the reason for having the ISP connection go to a switch instead of to the routers (since I can't implement HSRP/VRRP on the WAN side, what do I need a switch on the WAN side for?).

P.S. It's been a while since I heard from you, glad to see you around.

Regards,

Noob

It's been a while since I last saw a post from you :-)

If you used an L3 switch then the standard way to set it up would be to use P2P links, each using a separate subnet, so yes, each link would have its own IP subnet.

This would mean outbound traffic to the ISP would use the HSRP active router but inbound traffic from the ISP could use either router.

Not a problem usually as long as you don't have a stateful device in place and you don't.

Then you would use HSRP tracking on the routers and track the interfaces connected to the L3 switch.

If you really wanted to make sure return traffic from the ISP used the HSRP active router then you could influence the routing metrics or run HSRP between the L3 routers and the L3 switch.

As for the switch on the WAN side, it would have to be an L3 switch because of what I explained in my previous post. That would allow you to use both routers, so you now have redundancy with those but not with the L3 switch. Even if you had two public IPs to use and deployed your original design, you still only have redundancy with the routers.

Not saying that is a bad thing, i.e. redundancy is usually a good thing, but it really depends on what you are trying to do with your network as a whole.

Jon

Hi Jon,

Thanks for the wonderful reply. Yep, I have had a recent change of job, but the learning still goes on ;)

With respect to what you have described, I have come up with an illustration as below.

q1) Please let me know if it is correct.

q2) Can you also let me know whether a stateful device will affect the configuration?

My high-level understanding is this: if the routers are stateful devices, then if traffic goes out through R0 but return traffic comes back through R1, R1 might not allow the traffic to reach the internal LAN. Am I right?

Normally, what do stateful devices monitor "to make it stateful"? Source, IP, ports, protocols, MAC address, sequence number?

If you really wanted to make sure return traffic from the ISP used the HSRP active router then you could influence the routing metrics or run HSRP between the L3 routers and the L3 switch

q3) Can you elaborate further? I thought the L3 routers connected to the L3 switch are on their individual networks, so how do we run HSRP between them? Do you mean the routers would now have to be in the same network on the outer interface side as well?

Regards,

Noob

q1) yes it's correct and obviously you would need routing setup properly.

q2) I was thinking primarily of a device like a firewall, and a firewall usually needs to see both parts of a connection, i.e. traffic both ways.

A stateful firewall simply tracks a connection in terms of src IP and port and dst IP and port. With TCP it also keeps track of certain TCP flags used in the packet headers.

So it "knows" if return traffic is part of an existing connection or not and can act accordingly.

q3) yes I meant you would need a common vlan between the routers and the L3 switch if you wanted to use HSRP so instead of L3 ports on the switch you would have an SVI for that vlan.

Jon
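
The connection tracking described in the q2 answer above, and the asymmetric R0/R1 path asked about in the question, as an added example that is not part of the original thread. It is a toy Python model keyed on source/destination IP and port plus TCP flags; the addresses, the LAN prefix and the class and function names are constructed for illustration, and R0 and R1 are assumed to be independent stateful devices that do not share state.

```python
class StatefulFilter:
    """Permits inside-initiated TCP and only return traffic matching tracked state."""

    def __init__(self, name, inside_prefix="192.168.1."):  # constructed LAN prefix
        self.name = name
        self.inside_prefix = inside_prefix
        self.table = {}  # (inside_ip, inside_port, outside_ip, outside_port) -> state

    def process(self, src, sport, dst, dport, flags):
        """Return 'permit' or 'drop' for one TCP segment and update the table."""
        flags = frozenset(flags)
        outbound = src.startswith(self.inside_prefix)
        # Both directions of one connection map to the same table key.
        key = (src, sport, dst, dport) if outbound else (dst, dport, src, sport)
        state = self.table.get(key)
        if outbound and flags == {"SYN"}:
            self.table[key] = "SYN_SENT"        # inside host opens a new connection
            return "permit"
        if state is None:
            return "drop"                       # this device never saw the connection
        if not outbound and state == "SYN_SENT":
            if flags != {"SYN", "ACK"}:
                return "drop"                   # toy rule: only SYN/ACK answers a SYN
            self.table[key] = "ESTABLISHED"
        if "RST" in flags:
            del self.table[key]                 # a reset tears the entry down
        return "permit"


def handshake(outbound_fw, return_fw):
    """Client SYN leaves via outbound_fw; the server's SYN/ACK returns via return_fw."""
    client, server = ("192.168.1.10", 40000), ("198.51.100.7", 443)  # constructed
    return [
        outbound_fw.process(*client, *server, ["SYN"]),
        return_fw.process(*server, *client, ["SYN", "ACK"]),
    ]


if __name__ == "__main__":
    r0 = StatefulFilter("R0")
    print("symmetric  (out R0, back R0):", handshake(r0, r0))
    r0, r1 = StatefulFilter("R0"), StatefulFilter("R1")
    print("asymmetric (out R0, back R1):", handshake(r0, r1))
```

In the asymmetric run the SYN/ACK is dropped because R1 holds no entry for a connection whose SYN it never saw, which is why stateful devices need symmetric paths or shared state.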

Hi Jon,

Thank you for your reply!

I was thinking primarily of a device like a firewall and a firewall usually needs to see both parts of a connection ie. traffic both ways.
A stateful firewall simply tracks a connection in terms of src IP and port and dst IP and port. With TCP it also keeps track of certain TCP flags used in the packet headers.
So it "knows" if return traffic is part of an existing connection or not and can act accordingly.

q2) In my design above, where would a firewall normally sit? And based on where it sits, how would it affect the connection if it is connected as a stateful firewall?

yes I meant you would need a common vlan between the routers and the L3 switch if you wanted to use HSRP so instead of L3 ports on the switch you would have an SVI for that vlan.

q3) With what you have mentioned, does that mean that there will be a total of 2 networks configured?

1st network is with the L3 switch to the ISP
2nd network is with the L3 switch and the 2 routers, with them in the same VLAN and an SVI configured.

Incoming connections from the ISP will be routed to the 2nd network through the SVI and vice versa.

So in this sense, I would have HSRP/VRRP on the LAN side as well as on the WAN side (as in the outer interfaces of the 2 routers to the switch), but still a single point of failure for the L3 switch and the ISP.

Am I right?

Regards,
Noob

q2) in your setup it would probably be in place of the L3 switch and you would use a common vlan between the firewall and the routers together with HSRP.

Where it is placed really depends on your topology, i.e. you only have two routers which are responsible for routing internal subnets, so the firewall has to go between those and the ISP, in which case you don't need the L3 switch.

To get the situation where you need to be concerned about asymmetric traffic and stateful devices, it really needs to be more of a complicated topology.

q3) yes to what you say.

Jon
