HSRP, VRRP or alternatives

3moloz123
Level 1

Hi,

I have a simple setup as seen below. The ASA has approx. 80 subinterfaces, giving each server/customer basically a /30 net.

I do have one extra 2800 and one extra ASA5510, so I'd really like to utilize them for high(er) availability/fault tolerance.

I've used UCARP for Linux quite much, and with it the two (or more) units have one IP each on an internal heartbeat network, while only the active would have an IP on the actual subnets. It seems to me that the equivalent solutions for Cisco require each unit to have one IP in every subinterface/subnet, thus forcing me to relocate some 80 customers to /29 networks.

Did I understand it correctly? Is this my only choice?

Thanks,

Could it be simpler?

[Transit 1]   [Transit 2]   [Transit 3]
      \            |            /
              [Cisco 2800]
                   |
               [ASA5510]
                   |
               [C2960S]


Giuseppe Larosa
Hall of Fame

Hello 3Moloz123,

your understanding is correct:

ASA HA pair uses one IP per unit per IP subnet/subinterface

HSRP on routers actually requires three addresses per IP subnet/subinterface: one VIP and one per router

VRRP may work with two IP addresses per IP subnet/subinterface

so you actually need re-addressing to introduce redundancy

Hope to help

Giuseppe

Thank you.

ROBERTO TACCON
Level 4

Check also GLBP as alternative

http://en.wikipedia.org/wiki/Gateway_Load_Balancing_Protocol

http://www.cisco.com/en/US/docs/ios/ipapp/configuration/guide/ipapp_glbp.html

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6554/ps6600/product_data_sheet0900aecd803a546c.html

NOTE:

You can do load balancing with HSRP and VRRP manually, or with GLBP automatically.

For HSRP and VRRP, two groups (2 gateway IP addresses) are needed, and half of the clients point to gateway 1 and the rest point to gateway 2, even though they belong to the same VLAN.

With GLBP, only one gateway is needed. The router with the higher priority takes all the ARP requests from clients and replies with different virtual MAC addresses (using round robin by default) from the GLBP group.

HSRP and GLBP support interface tracking: if one of the WAN interfaces has problems, the priority of the internal interface is decremented, causing the alternative interface to take care of the traffic.

HTH

Roberto Taccon

Roberto, I'm not sure I fully understand the difference in concepts. From your explanation it seems the only address in each subnet would be the virtual one, and not one per router. Is that correct?

I have (yet) no need of load balancing, my *only* problem is that I'd like not to re-address all 80 customer /30 networks and 5 link nets to transit providers and peers, but allow for fault tolerance or at least quick recovery. (I do not expect both routers to have active BGP sessions etc., because that would clearly require me to re-address all networks.)

If you have another ASA and do not want to readdress you can simply not configure a standby IP on the other ASA. So you can keep your /30s and still have redundancy. However there is one main caveat to this.

A failure of the active ASA would still lead to failover to the standby ASA (note you would need to address both sides of the failover link but this should not be a problem). But the ASA is also capable of failing over if an interface (or number of interfaces) fail. This monitoring is done by using the active and standby IP addresses. If you don't configure a standby IP then you won't get this type of failover but you will still get failover for complete failure of the active ASA as previously mentioned.

Jon

Hi Jon,

If I understand you correctly, I can use the secondary ASA for failover without letting it have an IP on each subnet (instead, it will really only have an IP on the interface assigned for failover monitoring/heartbeat).

I don't quite understand what you mean by '(note you would need to address both sides of the failover link but this should not be a problem)', would I need to do some re-addressing in case of failure/failover?

So the main drawback is, that the secondary will not take over in case an interface (other than the monitor/heartbeat one) fails, so in essence if outside interface fails I would have to failover manually?

I don't quite understand what you mean by '(note you would need to address both sides of the failover link but this should not be a problem)', would I need to do some re-addressing in case of failure/failover?

Sorry, I simply meant you would need to address both of the interfaces used for failover as you already mentioned. You wouldn't need to do any readdressing of your existing interfaces.

Yes, the main drawback is no interface failover. If there is a specific interface already in use that you could readdress then you can monitor on this, but other than that you have redundancy only for a complete failure of the active ASA.

Note also that if you do this when running a "sh failover" on the ASA all the non-monitored interfaces will simply show as "waiting".

Jon
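Added example (not from any post in this thread): a small check that parses "show failover" output and lists the interfaces on the active unit that are "Waiting" rather than "Monitored", i.e. the ones whose link failure will not trigger failover in the no-standby-IP setup Jon describes. The sample output below is constructed to mirror that format and was not captured from a real ASA; interface names and addresses are placeholders.

```python
import re

# Constructed sample of "show failover" output (not captured from a real ASA).
# Subinterfaces configured without a standby IP show as "Waiting" instead of
# "Monitored"; the peer still reports "Standby Ready" for whole-unit failover.
SAMPLE_SHOW_FAILOVER = """\
Failover On
Failover unit Primary
Failover LAN Interface: folink GigabitEthernet0/3 (up)
This host: Primary - Active
        Active time: 86400 (sec)
          Interface outside (203.0.113.2): Normal (Monitored)
          Interface cust-a (198.51.100.1): Normal (Waiting)
          Interface cust-b (198.51.100.5): Normal (Waiting)
Other host: Secondary - Standby Ready
        Active time: 0 (sec)
          Interface outside (203.0.113.3): Normal (Monitored)
          Interface cust-a (0.0.0.0): Normal (Waiting)
          Interface cust-b (0.0.0.0): Normal (Waiting)
"""

# One "Interface <name> (<ip>): <status> (<monitor state>)" line per interface.
IFACE_RE = re.compile(
    r"^\s*Interface\s+(?P<name>\S+)\s+\((?P<ip>[\d.]+)\):\s+"
    r"(?P<status>\S+)\s+\((?P<mon>[\w-]+)\)\s*$"
)


def parse_show_failover(text):
    """Return {'this': [...], 'other': [...]} of (name, ip, status, monitor) tuples."""
    hosts = {"this": [], "other": []}
    current = None
    for line in text.splitlines():
        if line.startswith("This host:"):
            current = "this"
        elif line.startswith("Other host:"):
            current = "other"
        elif current:
            m = IFACE_RE.match(line)
            if m:
                hosts[current].append((m["name"], m["ip"], m["status"], m["mon"]))
    return hosts


def unmonitored_interfaces(text):
    """Interfaces on the active unit whose failure will NOT cause a failover."""
    return sorted(name for name, _ip, _status, mon in parse_show_failover(text)["this"]
                  if mon != "Monitored")


def failover_ready(text):
    """True when the peer reports 'Standby Ready', i.e. unit-level failover works."""
    return bool(re.search(r"^Other host: .*Standby Ready", text, re.M))
```

Running `unmonitored_interfaces` against the real command output (over SSH or from a scheduled capture) gives a list of the customer subinterfaces that only a full-unit failure will protect, which is the gap to document when choosing this design.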

Thanks Jon, this really helped me with the ASAs. You don't happen to know of resources that discuss this specific setup, i.e. without standby IPs?

And btw, any suggestions for how to solve my routers? Started thinking, it's basically only the 80 customers that I'm unwilling to re-address; I could pretty easily re-address all link nets pretty quickly.

Still, would be interesting to know if there's any solution that does not require one IP in each subnet/subinterface, thus only the active part using a virtual IP per subnet/subinterface.

Not sure of resources, should be as simple as configuring failover normally without the additional standby IPs. Attached is the link for configuring failover on the ASA:

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/failover.html

As for routers, you would need at least 2 spare IPs for the physical interfaces on the routers, so I think you are out of luck on that one I'm afraid.

Jon

Just wanted to add that I just spoke to one of our transit providers, who pointed out that we can set up a new /30 link net for the new router and establish eBGP over it too. We're then only required to run HSRP, VRRP (or said mechanism) on the 'inside' interface.

Smooth, so I only have to re-address the link net between the router(s) and the ASA(s), and I can then do like you said Jon and simply not configure the failover IP on the ASA (sub-)interfaces.

Big thanks,
