DIFFERENT SUBNET FOR VIRTUAL IP IN VRRP

Publication Date: 2015-10-26

Issue Description

BACKGROUND:

Enterprise customer XX purchased a Huawei IP solution to replace its existing Cisco network, and the following fully redundant design was finalized.

1- Gateway Router: ADSL and leased-line uplinks were terminated on the Mushroom gateway router.

2- DMZ Switches: Because the Mushroom router has fewer ports, we used two stacked switches between the firewalls and the Mushroom router for full redundancy.

3- Firewalls: Two firewalls were used to provide complete redundancy using VRRP.

4- Core Switches: Two core switches were used in CSS to provide a fully redundant core.

5- Access Switches: Access switches with 10G uplinks were used.


TECHNICAL CHALLENGE:

We proposed VRRP and HA between the firewalls to provide an active/backup firewall pair. At the time of implementation, however, we were provided only one public IP for the firewalls, although we required three public IPs to run VRRP. As per Hedex and the universal standard, the virtual IP and the physical IP should be in the same subnet for VRRP.

The challenge was therefore how to run VRRP when only one public IP is provided for the interconnection between the gateway router and the firewalls through the DMZ switches.

Solution

FINAL SOLUTION:

We did some experimentation and it worked perfectly fine. We used a different subnet for the physical IPs and the public IP for the virtual IP, as shown below.

ACTIVE FIREWALL:

HA is also implemented between firewalls.

#
interface Vlanif999
 ip address 10.10.10.1 255.255.255.0
 vrrp vrid 99 virtual-ip 213.42.235.5 255.255.255.240 active
#

BACKUP FIREWALL:

#
interface Vlanif999
 ip address 10.10.10.2 255.255.255.0
 vrrp vrid 99 virtual-ip 213.42.235.5 255.255.255.240 standby
#

CONCLUSION

A virtual IP from a different subnet than the physical interface addresses can be used in VRRP, especially in cases where the number of available IP addresses is limited.
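As an added example (not part of the original case and not Huawei tooling), the Python script below parses the two firewall stanzas shown above and audits the pair: matching VRID and virtual IP, one active and one standby node, both physical addresses in one subnet, and whether the virtual IP lies outside that subnet, which is the deliberate condition in this design. The regular expressions assume the exact line format shown on this page; the function names and finding labels are hypothetical.

```python
import ipaddress
import re

# Stanzas copied from the two firewall configurations on this page.
ACTIVE_CFG = """\
interface Vlanif999
 ip address 10.10.10.1 255.255.255.0
 vrrp vrid 99 virtual-ip 213.42.235.5 255.255.255.240 active
"""
BACKUP_CFG = """\
interface Vlanif999
 ip address 10.10.10.2 255.255.255.0
 vrrp vrid 99 virtual-ip 213.42.235.5 255.255.255.240 standby
"""

IP_RE = re.compile(r"^\s*ip address (\S+) (\S+)\s*$", re.M)
VRRP_RE = re.compile(
    r"^\s*vrrp vrid (\d+) virtual-ip (\S+) (\S+) (active|standby)\s*$", re.M)


def parse_stanza(text):
    """Extract the physical address and the VRRP group from one stanza."""
    ip = IP_RE.search(text)
    vrrp = VRRP_RE.search(text)
    if not ip or not vrrp:
        raise ValueError("stanza lacks an 'ip address' or 'vrrp vrid' line")
    return {
        "iface": ipaddress.ip_interface(f"{ip.group(1)}/{ip.group(2)}"),
        "vrid": int(vrrp.group(1)),
        "vip": ipaddress.ip_interface(f"{vrrp.group(2)}/{vrrp.group(3)}"),
        "role": vrrp.group(4),
    }


def audit_pair(cfg_a, cfg_b):
    """Return findings for a two-node pair; off-subnet VIPs are reported, not rejected."""
    a, b = parse_stanza(cfg_a), parse_stanza(cfg_b)
    findings = []
    if a["vrid"] != b["vrid"]:
        findings.append("vrid-mismatch")
    if a["vip"] != b["vip"]:
        findings.append("virtual-ip-mismatch")
    if sorted([a["role"], b["role"]]) != ["active", "standby"]:
        findings.append("role-conflict")
    if a["iface"].network != b["iface"].network:
        findings.append("peers-not-on-same-subnet")
    for node in (a, b):
        if node["vip"].ip not in node["iface"].network:
            findings.append(f"vip-outside-subnet:{node['iface'].ip}")
    return findings
```

For the configuration on this page, `audit_pair(ACTIVE_CFG, BACKUP_CFG)` reports only the two `vip-outside-subnet` entries, confirming that the pair is otherwise consistent.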

END