Enterprise customer XX purchased a Huawei IP solution to replace its existing Cisco network, and the following fully redundant design was finalized.
1- Gateway Router: ADSL and leased-line uplinks were terminated on the Mushroom Gateway Router.
2- DMZ Switches: Because the Mushroom router has a limited number of ports, two stacked switches were placed between the firewalls and the Mushroom router for full redundancy.
3- Firewalls: Two firewalls were used to provide complete redundancy using VRRP.
4- Core Switches: Two core switches were used in a CSS to provide a fully redundant core.
5- Access Switches: Access switches with 10G uplinks were used.
We proposed VRRP and HA between the firewalls to provide an active/backup firewall pair. At the time of implementation, however, we were provided only one public IP for the firewalls, although three public IPs are required to run VRRP. As per HedEx and the universal standard, the virtual IP and the physical IPs should be in the same subnet for VRRP.
Thus the challenge was how to run VRRP when only one public IP is provided for the interconnection between the gateway router and the firewalls through the DMZ switches.
We did some experimentation and it worked perfectly fine. We used a different subnet for the physical IPs and used the public IP as the virtual IP, as shown below.
HA is also implemented between the firewalls.
Firewall 1 (active):
  ip address 10.10.10.1 255.255.255.0
  vrrp vrid 99 virtual-ip 18.104.22.168 255.255.255.240 active

Firewall 2 (standby):
  ip address 10.10.10.2 255.255.255.0
  vrrp vrid 99 virtual-ip 22.214.171.124 255.255.255.240 standby
A virtual IP from a different subnet can be used in VRRP, especially in cases where there is a shortage of IP addresses.
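A small consistency check for the two-firewall pattern above, added here as an illustration and not part of the original post or of any Huawei tool. It parses the two `ip address` / `vrrp vrid` lines of each member, then verifies what a VRRP pair needs regardless of subnet choice: the same VRID, the same virtual IP on both members (the one public IP), distinct physical IPs in one shared subnet, and exactly one active and one standby role. A virtual IP that lies outside the physical subnet, which is the design described in the post, is reported as a warning rather than an error. The addresses are constructed (RFC 5737 documentation range for the public VIP) and the regular expressions assume the exact line format shown in the post.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample configs following the post's pattern: physical IPs in a
# private /24, the single public IP used as the VRRP virtual IP on both members.
FIREWALL_1 = """\
ip address 10.10.10.1 255.255.255.0
vrrp vrid 99 virtual-ip 203.0.113.10 255.255.255.240 active
"""

FIREWALL_2 = """\
ip address 10.10.10.2 255.255.255.0
vrrp vrid 99 virtual-ip 203.0.113.10 255.255.255.240 standby
"""

# Line formats assumed from the post; other vendor syntax is not handled.
IP_RE = re.compile(r"^\s*ip address (\S+) (\S+)\s*$")
VRRP_RE = re.compile(r"^\s*vrrp vrid (\d+) virtual-ip (\S+) (\S+) (active|standby)\s*$")


@dataclass
class VrrpMember:
    physical: ipaddress.IPv4Interface
    vrid: int
    virtual: ipaddress.IPv4Interface
    role: str


def parse_member(config: str) -> VrrpMember:
    """Extract the physical address and the VRRP line from one firewall's config."""
    physical = vrrp = None
    for line in config.splitlines():
        m = IP_RE.match(line)
        if m:
            # ipaddress accepts dotted netmasks such as 255.255.255.0
            physical = ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}")
            continue
        m = VRRP_RE.match(line)
        if m:
            vrrp = (int(m.group(1)),
                    ipaddress.IPv4Interface(f"{m.group(2)}/{m.group(3)}"),
                    m.group(4))
    if physical is None or vrrp is None:
        raise ValueError("config lacks an 'ip address' or 'vrrp vrid' line")
    vrid, virtual, role = vrrp
    return VrrpMember(physical, vrid, virtual, role)


def check_pair(a: VrrpMember, b: VrrpMember) -> dict:
    """Return {'errors': [...], 'warnings': [...]} for a two-member VRRP group."""
    errors, warnings = [], []
    if a.vrid != b.vrid:
        errors.append(f"VRID mismatch: {a.vrid} vs {b.vrid}")
    # Both members of one group must advertise the same virtual IP.
    if a.virtual.ip != b.virtual.ip:
        errors.append(f"virtual IP differs: {a.virtual.ip} vs {b.virtual.ip}")
    if a.virtual.network != b.virtual.network:
        warnings.append("virtual IP masks differ between members")
    # Physical addresses must be distinct and share one L2 subnet for VRRP hellos.
    if a.physical.ip == b.physical.ip:
        errors.append(f"physical IPs are identical: {a.physical.ip}")
    if a.physical.network != b.physical.network:
        errors.append(f"physical subnets differ: {a.physical.network} vs {b.physical.network}")
    roles = sorted([a.role, b.role])
    if roles != ["active", "standby"]:
        errors.append(f"expected one active and one standby member, got {roles}")
    # The post's design: VIP outside the physical subnet. Flagged, not rejected.
    for m in (a, b):
        if m.virtual.ip not in m.physical.network:
            warnings.append(
                f"{m.role}: virtual IP {m.virtual.ip} is outside physical subnet "
                f"{m.physical.network} (different-subnet VIP design)")
    return {"errors": errors, "warnings": warnings}


def report(config_a: str, config_b: str) -> dict:
    """Parse both member configs and run the pair checks."""
    return check_pair(parse_member(config_a), parse_member(config_b))


if __name__ == "__main__":
    result = report(FIREWALL_1, FIREWALL_2)
    for kind in ("errors", "warnings"):
        for msg in result[kind]:
            print(f"{kind[:-1].upper()}: {msg}")
```

Run against the constructed pair it reports no errors and two warnings (one per member, since the VIP sits outside 10.10.10.0/24). Changing the standby member's VIP to any other address, or giving both members the same role, produces an error, which is the kind of mistake that leaves the public address unreachable after a failover.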