VRRP Groups - ISP router

tomjansen1
Level 1

Hi All,

 

Please could someone assist with the following?

 

I have been provided with a setup for a network which I manage, where we have 2 sites with a subnet on each, 10.201.0.0/16 and 10.202.0.0/16, connected with a P2P link. The network at the moment has a static route across the Layer 2 link for local traffic, but all internet traffic goes out of 1 separate internet gateway. This is a flat network. We now have a new ISP where they have provided 2x managed routers, 1 at each site. They have provided 1 VRRP group. On the LAN handoff side, they have provided the network 80.169.68.208/28. They have configured one LAN router interface with 80.169.68.209 and the other with 80.169.68.210; the virtual IP is 80.169.68.211. They have provided 2x WAN networks which are 212.36.163.220/30 and 80.169.64.252/30. Dynamic NAT has been configured by the ISP. The things I need to understand are:

 

1. Do I need to create a default route on my firewalls to the VRRP virtual IP for internet traffic (the firewalls do all internal routing)?

2. Do I need to create a second floating static route across the layer 2 link with a higher metric as a backup should 1 router fail?

3. We have an SSL client VPN, so I want to check which IP I should put as the VPN interface?

 

Thanks,

 

Tom


Reza Sharifi
Hall of Fame

Hi,

1. Do I need to create a default route on my firewalls to the VRRP virtual IP for internet traffic (the firewalls do all internal routing)?

It is hard to understand the setup without a diagram, but yes, that is correct: you want your firewall to point to the virtual IP and not the physical.

2. Do I need to create a second floating static route across the layer 2 link with a higher metric as a backup should 1 router fail?

That is correct. It should also point to the VIP.

3. We have an SSL client VPN, so I want to check which IP I should put as the VPN interface?

Not sure what type of VPN device you are using, but usually the outside interface facing the Internet gets a public IP address (I think from the /28 the ISP has provided you) and the inside interface should have a private IP.

HTH

 

 

tomjansen1
Level 1

Hi Reza,

 

Thanks for your help, please see the attached diagram.

 

So the /28 subnet was provided by the ISP for the VRRP groups. As each router is connected to a separate backbone router, we have a different WAN subnet for our public IPs, which are the /30 subnets. The SSL client VPN we have is a WatchGuard one, but I am not sure how this will work with the different public IPs.

Giuseppe Larosa
Hall of Fame

Hello Tom,

you say that you have two sites with a L2 link between them.

I understand the new ISP is providing two routers, one for each site, and is running VRRP between them.

This means that a direct L2 link is present between the two ISP routers.

Is this L2 link the one already existing between your sites, or is it provided by the new ISP?

In the first case, all you need on the firewalls is a default static route pointing to the VRRP VIP address.

If the VRRP VIP address is the only available next-hop to the internet, I don't see a need or use case for a backup floating static route. As long as one router is active and reachable at OSI layer 2, the VRRP VIP address is valid.

So a clarification on this point is necessary: will the ISP provide an additional L2 link between sites to run VRRP over it, or will it use your existing L2 link?

 

For the remote VPN I agree with Reza: the firewall public address is the candidate for this service, or another IP address in the same block if the FW supports this.

 

Hope to help

Giuseppe

 

Hi Giuseppe,

 

This will be utilising an existing layer 2 link. Thank you for the confirmation re the static route. I thought this would be necessary, as traffic should be going out of the local router when both routers are available; then, if one fails, traffic should flow over the layer 2 link to the backup, but we do not have dynamic routing in place.

Hello Tom,

>> Thank you for the confirmation re the static route. I thought this would be necessary, as traffic should be going out of the local router when both routers are available; then, if one fails, traffic should flow over the layer 2 link to the backup, but we do not have dynamic routing in place.

 

In this case you should use IP SLA and tracking on the primary default route and have a secondary floating static route to the other router.

In simple words you would not need to use the VRRP VIP address as next-hop.

You would have a primary route using the local router as next-hop and a secondary using the remote site ISP router.

 

Warning: not all FWs allow this. For example, Cisco ASA would require the next-hops to be out of different interfaces, and this is not the case.

If you have Cisco ASA firewalls or other firewalls with the same limitation, you can only use one next-hop, and in this case you will use the VRRP VIP address.

 

Hope to help

Giuseppe

 

Hi Giuseppe,

 

Thanks, so each firewall would use the physical interface of the local gateway router, in this case 80.169.68.209 and then 80.169.68.210, and only present the virtual gateway to the clients?

 

Then the floating static to the physical interface at the other site?

Hello Tom,

I see from the network diagram that you have attached that there are two VRRP groups, one with Master ISP router1 (CPE1) and one with Master ISP router2 (CPE2).

At this point each firewall can use the local Master VIP as next-hop for the primary default static route and the other VIP address as next-hop for the backup route, using a floating default static route (with greater AD).

 

I'm sorry for the unclear explanation in my previous post.

The clients see the firewall as their default gateway in any case (if the firewalls are working in routed mode/NAT mode).

 

Hope to help

Giuseppe
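As an added worked example (editor's addition, not configuration from the original thread, the ISP or Tom's WatchGuard), here is Cisco IOS syntax for both halves of the design Giuseppe describes: the two VRRP groups on the ISP CPEs, each mastered by a different router, and the customer edge at site A with a tracked primary default route via the local master VIP plus a floating default route via the other VIP. Only 80.169.68.209, .210 and .211 and the two WAN /30s come from the thread; the second VIP (.212), the CPE WAN host addresses, the firewall outside addresses (.213/.214), the interface names and the probe target (1.1.1.1) are assumptions. The customer side is written in IOS syntax purely to illustrate the mechanism; WatchGuard and ASA use their own syntax, and as noted above not every firewall permits two next-hops out of the same interface.

```cisco
!===== Part 1: ISP CPE side (illustrative; this is the ISP's domain) =====
! Legacy IOS VRRPv2 syntax. IOS-XE "fhrp version vrrp v3" uses a different
! command tree but the same logic.
!
! --- CPE1 (site A): master for group 1, backup for group 2 ---
track 10 interface GigabitEthernet0/0 line-protocol
!
interface GigabitEthernet0/0
 description WAN to ISP backbone (212.36.163.220/30)
 ip address 212.36.163.222 255.255.255.252   ! assumed host address
!
interface GigabitEthernet0/1
 description LAN handoff 80.169.68.208/28, L2-extended to site B over the customer link
 ip address 80.169.68.209 255.255.255.240
 vrrp 1 ip 80.169.68.211                     ! VIP given by the ISP
 vrrp 1 priority 110
 vrrp 1 track 10 decrement 30                ! WAN down: 110-30=80 < 90, CPE2 takes VIP 1
 vrrp 2 ip 80.169.68.212                     ! ASSUMED second VIP (not named in the thread)
 vrrp 2 priority 90
!
! --- CPE2 (site B): mirror image ---
track 10 interface GigabitEthernet0/0 line-protocol
!
interface GigabitEthernet0/0
 description WAN to ISP backbone (80.169.64.252/30)
 ip address 80.169.64.254 255.255.255.252    ! assumed host address
!
interface GigabitEthernet0/1
 ip address 80.169.68.210 255.255.255.240
 vrrp 1 ip 80.169.68.211
 vrrp 1 priority 90
 vrrp 2 ip 80.169.68.212
 vrrp 2 priority 110
 vrrp 2 track 10 decrement 30

!===== Part 2: customer edge at site A (IOS syntax, for illustration) =====
! Do NOT probe the VIP itself: the VIP keeps answering on the LAN even when
! that CPE's WAN is dead (unless the ISP tracks WAN as in Part 1).
! Pin the probe to the primary path with a host route so the probe cannot
! silently succeed via the floating route after a failover.
ip route 1.1.1.1 255.255.255.255 80.169.68.211      ! assumed probe target
!
ip sla 1
 icmp-echo 1.1.1.1 source-ip 80.169.68.213           ! assumed firewall outside address
 frequency 5
 timeout 1000
 threshold 800
ip sla schedule 1 life forever start-time now
!
track 1 ip sla 1 reachability
 delay down 10 up 30                                 ! dampen flapping
!
ip route 0.0.0.0 0.0.0.0 80.169.68.211 track 1       ! primary: local master VIP (AD 1)
ip route 0.0.0.0 0.0.0.0 80.169.68.212 250           ! floating: remote master VIP (AD 250)
!
! Site B is the mirror: primary via .212 with its own tracked probe,
! floating via .211 with AD 250.

!===== Verification (run on the respective box) =====
! CPE:      show vrrp brief            -> group 1 Master on CPE1, group 2 Master on CPE2
! Customer: show track 1               -> "Reachability is Up"
!           show ip sla statistics 1   -> successes incrementing, no timeouts
!           show ip route 0.0.0.0      -> next hop .211; pull the WAN on CPE1 and re-check: .212
```

Two checks worth making with the ISP before relying on this. First, ask whether their VRRP groups track the WAN interface (the `track 10` lines in Part 1): without that, a CPE whose upstream is down still holds its VIP and blackholes the traffic sent to it, which is exactly why the customer-side probe targets something beyond the CPE rather than the VIP. Second, for the SSL VPN: the listener belongs on the firewall's own /28 address, but since the ISP applies dynamic NAT on the CPEs, confirm that 80.169.68.208/28 is routed to you unchanged from the Internet (or that they add a static NAT), otherwise inbound VPN sessions will never reach the firewall. On the security side, the /28 handoff segment carries the CPEs' VRRP advertisements (IP protocol 112 to 224.0.0.18); the firewall's outside interface should ignore them rather than log them as attacks, and nothing on the customer side should itself speak VRRP on that segment.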

 

Thank you!
