Same public subnet at Primary and Secondary Failover

Mokhalil82
Level 4

Hi

We have a primary and a secondary site. The core switch at each site goes into a firewall and then a router, which then connects to the ISP router. Our 2 core switches are connected via two other L2 switches, as there is no extra link, so we have configured EIGRP over the L2 link for L3 connectivity between the cores.

Core -------> Firewall --------> Our Router -------------ISP Router

Now we have a 217.56.32.16/28 public LAN subnet from the ISP. At the primary site .17 is the gateway to the internet and .18 is our external IP on our router.

On the backup side we haven't connected our router to the ISP router yet, but we are looking into failover. I know HSRP is an option, but we thought about configuring IP SLA on the primary core switch so that if connectivity to the gateway fails, the traffic is routed to the secondary gateway via the secondary core switch.

Is this viable? Although the same LAN subnet range is assigned by the ISP for both sites, can we still keep them separate in that sense, or will the primary router see the secondary router? It won't see it internally unless configured to, but I'm sure it's not going to externally either, as it's an ISP LAN IP, and then have separate WAN IPs on both of their routers, which are in different subnets.

Thanks

20 Replies

Yes, the ISP routers are at separate sites, so one is the primary site and the other is the backup, or Production and DR.

The issue I have internally is that all my access switches are connected to my core switch one. Only in the event of the link on the primary side failing do we want the traffic hitting that primary core to be routed to the secondary core and use the gateway there. To achieve that I was planning to use IP SLA, which I tested in a lab and works.

I will send the echo to the .17 address, which is the ISP gateway on the primary. On losing the echo, core switch 1 will drop the primary default route and use another route with a lower AD that points to my backup site, to the secondary core, which then has a default route to the backup router.

At this point also the ISP HSRP failover should have moved the .17 address to the ISP secondary router and I should be hitting the same gateway. That was the plan.

But if a switch is required then I suppose I'd have to use 2 switches, 1 at each site, and then have a link between the switches.
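The IP SLA plan described above, as an added example configuration for the primary core switch (this is not from the thread; 217.56.32.17 is the ISP gateway named in the thread, while the firewall inside address 10.1.1.1 and the inter-site link address 10.0.0.2 are assumed placeholders). It also shows the two checks a practitioner would want: the backup route must carry a higher administrative distance than the tracked one so it stays out of the table until the tracked route is withdrawn, and the probe must be pinned to the primary path so that a successful echo over the backup path does not flap the route straight back.

```cisco
! --- Primary core switch (added example, not the poster's config) ---
! ICMP probe to the ISP gateway. Sourced from the core, the echo crosses
! the firewall and WAN router too, so those failures are also detected.
ip sla 10
 icmp-echo 217.56.32.17
 frequency 5
 timeout 2000
 threshold 1000
ip sla schedule 10 life forever start-time now
!
! Track object follows probe reachability. The delays stop a single lost
! echo from withdrawing and re-installing the default route.
track 1 ip sla 10 reachability
 delay down 15 up 30
!
! Host route for the probe target via the firewall (10.1.1.1 assumed).
! Untracked on purpose: it pins the echo to the primary path so the probe
! cannot succeed over the backup path and flap the tracked route.
ip route 217.56.32.17 255.255.255.255 10.1.1.1
!
! Primary default route via the firewall, tied to track 1. Removed from
! the routing table as soon as the probe goes down.
ip route 0.0.0.0 0.0.0.0 10.1.1.1 track 1
!
! Floating static towards the secondary core over the inter-site link
! (10.0.0.2 assumed). AD 10 is HIGHER than the default of 1, so it is only
! installed once the tracked route above has been withdrawn.
ip route 0.0.0.0 0.0.0.0 10.0.0.2 10
!
! Verification (operator commands, not configuration):
!  show ip sla statistics 10     -> probe success/failure counters
!  show track 1                  -> Reachability is Up / Down
!  show ip route 0.0.0.0         -> which default route is active
```

The firewall must permit the ICMP echo from the core's source address, and the secondary core needs its own default route towards the backup router rather than one pointing back at the primary core, or traffic loops between the two cores during failover.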

You have 2 practical options as far as I can see -

1) two new switches with a new link between sites as you say.

or

2) as you are not bothered about your internal servers you are hosting simply ask for a different set of IP addresses for the backup site and not use HSRP.

To me the second option is by far the easiest although it does mean talking with your ISP again for addressing and not running HSRP.

I don't know whether the ISP understands that you do not have the equipment or the line for this to work currently?

Jon

Yes the ISP routers are located 1 at each site as are our routers. We do have spare fiber already between the sites so I would really just need to put a switch at each site. 

But saying that, as the core switches are also located 1 at each site, would it not then work connecting my routers to the core switch at each site, bypassing the firewall, and the same with the ISP routers, and ensure only the HSRP VLAN runs across it? That saves us 2 switches. In a sense does that not achieve the same objective?

So the link between our routers and ISP routers runs via my existing core switches that already have a trunk between them.

Please see attachment Capture 3; the red links are what I mean.

I understand what you mean and believe it or not I was going to add it as an option but it is a really bad idea.

The reasons are -

1) traffic flow. So internet traffic from inside goes through the firewall to your WAN router then has to go back to the core then to the ISP router then to the internet.

Coming back it comes from the ISP to your core then to your WAN router then to your firewall.

That is a lot of extra hops.

2) the real problem though is that you now have a direct connection from the internet to your core switch without going through the firewall.

Even if you rule out someone gaining access to the core switch imagine what a denial of service attack could do to your core switches because there would be no firewall to stop it.

In short just don't do it :-)

I would choose one of the other options whichever you are more comfortable going with.

As I say using different IPs at the secondary site seems the easiest to me.

If you go down the HSRP route be aware that traffic flows are also not necessarily going to be optimal, i.e.

you have a failure in your infrastructure so you switch to the secondary site. But the ISP router is still up, so traffic goes to the secondary site and then has to go back across the new link to the primary site to get to the HSRP active router.

And return traffic does the same thing I assume although I have no idea how the ISP is handling the routing.

In addition I'm not sure what running HSRP on your WAN routers gives you, i.e. if the firewall fails in your primary site then your routers are still up and so still running HSRP. Traffic is redirected to the secondary site, so the IP used is the IP on the WAN interface of your secondary router, which is not the HSRP VIP. The ISP should send it back to the right router, but HSRP has given you nothing here.

I am still working out all the failure scenarios but I am not entirely convinced HSRP is the best solution.

All that said if you feel that is the best solution then by all means do it because it is you that has to support it.

Jon

That's a great explanation Jon, and now I understand why it is a really bad idea to go back into the core and out.

I understand that HSRP on our end gives me nothing, hence why I feel the IP SLA is a better solution for my network type. But again it's a bit for me to have a think about all the scenarios; what I am currently seeing is that every scenario seems to have its pros and cons, so I think I've got to give way somewhere. I'll have a think through this properly tomorrow.

I appreciate your help Jon. Thank you.

Actually it is two sites so you need a switch at either end and a link between them.

Can you verify where the ISP routers are, i.e. is it one in each site?

How far are these sites apart?

Can you run another cable between them?

Jon