
Layer 3 Redundancy in a /30 Subnet


SweetRevelation
Technical User, US
Dec 7, 2004
Hello. I have a situation where our ISP gives us an IP address with a /30 mask and they point any requests for our IP address space to our end of the /30. Inside our router we have all our public IPs.

Does anyone know of a protocol I can run where I can make our end of that /30 subnet redundant?

I was looking into using HSRP, VRRP or GLBP to have a virtual IP address they could forward to, but it appears as if all these protocols require the IP addresses of the interfaces to be on the same network as the virtual IP they are advertising.

Being as the communication is usually multicast I do not see why they are designed this way where I cannot apply a DIFFERENT private network between the two interfaces and yet advertise a virtual IP for our end of the /30.

Does anyone know of a work-around in any of these protocols or another protocol that could be used with cisco equipment to solve this problem?

I appreciate your help.

-
Chris Moran
 
You could request a /29 from the ISP, then get redundant ASA firewalls in active/standby mode.



----------------------------------
Bill
 
Chris,

Define what type of redundancy you require then you can determine your required design.

Do you need link, equipment, ISP redundancy or maybe all three.

Unless I'm missing some information in your question, you would need a second link to your ISP in order to have, at a minimum, link redundancy.

Once you have a secondary link there are different methods to achieve redundancy. For example, HSRP or running a routing protocol between your router and your ISPs router.

That would give you link redundancy, you might also want router redundancy, ISP redundancy, etc.

Greg
 
We run HSRP for our clients and (even with redundant links) they all have a /30 range on the WAN interface of the routers.

The HSRP config usually sits on the customer LAN range, so that the HSRP IP, physical IPs etc. are all taken from the customer IP address space, rather than the /30 WAN link.

The HSRP may monitor the WAN link in some way (reachability of the default gateway, or physical status of the WAN Port) but the HSRP config doesn't require the use of IP's from the /30 range.

As per Greg's post, it's difficult to comment more without further details, but having a /30 WAN subnet shouldn't necessarily be an issue.
 
Thanks for your responses.

We'd like to have link, equipment, and ISP redundancy. What I'm trying to figure right now is a way to have 2 Cisco 2851s at the top of our network connecting us to our ISPs.

That way, if one of the routers were to fail it would not bring down our access to and from the Internet. I was thinking of running HSRP or VRRP on the inside and outside interfaces of the 2800s, but given the fact that our connection to our ISP is on a /30 I don't have the ability to do that on the outside.

Any thoughts on how to achieve this redundancy without having to negotiate a /29 from our ISP?
 
I think justvistin has actually pointed me in the right direction with his post. I have used HSRP before but its tracking ability was limited... what he said about the reachability of the default gateway caused me to look into HSRP tracking, and it looks like it has come a long way with RTR and SAA.

I am looking into implementing tracking and failover with each ISP on its own 2851 and only running HSRP on the inside.

I will update with how it works.

Thank you, justvistin.

-
Chris
 
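The design justvistin describes and Chris settles on, as an added example that is not part of the original thread: Cisco IOS configuration for one of the two 2851s. The /30 toward the ISP stays exactly as the ISP assigned it on the WAN interface; HSRP runs only on the LAN side, and an IP SLA probe to the ISP's end of the /30 (the RTR/SAA feature Chris mentions, called `ip sla` on current IOS) feeds a tracked object that lowers the HSRP priority and withdraws the default route when the ISP gateway stops answering. Every address, interface name and key below is a constructed assumption using documentation ranges; router B mirrors this with priority 100 and its own probe toward ISP B.

```cisco
! Router A (2851). Constructed addresses:
!   ISP A /30 = 198.51.100.0/30 (ISP end .1, our end .2)
!   inside LAN = 192.168.10.0/24, HSRP VIP 192.168.10.1, router B LAN = .3
!
! 1. Probe the ISP's end of the /30 every 10 s, sourced from the WAN interface,
!    so the probe tests the link itself and not some other path.
ip sla 1
 icmp-echo 198.51.100.1 source-interface GigabitEthernet0/0
 frequency 10
 timeout 2000
ip sla schedule 1 life forever start-time now
!
! 2. Tracked object built on the probe. 'delay' damps flapping: 5 s of failure
!    before going down, 30 s of success before coming back up.
track 1 ip sla 1 reachability
 delay down 5 up 30
!
! 3. WAN side: the /30 is used as-is, no first-hop redundancy protocol here.
interface GigabitEthernet0/0
 description Link to ISP A (/30)
 ip address 198.51.100.2 255.255.255.252
 no shutdown
!
! 4. LAN side: HSRP group 1. Priority 110 beats router B's 100; when track 1
!    fails, 110 - 20 = 90 drops below B and B preempts the VIP. MD5
!    authentication stops any host on the segment from claiming the gateway
!    with a forged high-priority hello (key is a constructed placeholder).
interface GigabitEthernet0/1
 description Inside LAN
 ip address 192.168.10.2 255.255.255.0
 standby version 2
 standby 1 ip 192.168.10.1
 standby 1 priority 110
 standby 1 preempt delay minimum 30
 standby 1 authentication md5 key-string HsrpSharedKey1
 standby 1 track 1 decrement 20
 no shutdown
!
! 5. Default route out ISP A, withdrawn when the probe fails. The floating
!    static (AD 250) via router B's LAN address keeps a path for traffic that
!    still reaches router A (its own sourced traffic, hosts with static ARP
!    entries) while ISP A is down.
ip route 0.0.0.0 0.0.0.0 198.51.100.1 track 1
ip route 0.0.0.0 0.0.0.0 192.168.10.3 250
```

Two checks before relying on this: `show track 1` and `show standby brief` while the ISP A circuit is pulled should show the track down and router B active within the configured delay, and the 20-point decrement must actually be larger than the priority gap between the routers or the VIP never moves. This only handles the outbound direction; inbound traffic from the ISP still needs the return-path handling justvistin describes in his next post.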
Thanks for the star. You should also be aware that HSRP may only be one half of the equation. HSRP can fail over the routing 'out' from your LAN, but you may also need to consider managing the data flow in from your ISP should one of your routers fail.

For example, if the A-leg router fails, then the HSRP IP could pass to the B-leg router and LAN data would exit via the B-leg instead. However, unless the ISP configures the return path appropriately, they may still try and route traffic back via the failed A-leg. How this is addressed will depend on the type of routing in place with your ISP(s), but there needs to be an equivalent mechanism to manage the data flow into your LAN as well when one router fails.

If you are advertising the LAN ranges via BGP to your ISP then this may provide you with an alternative. For example, if you are splitting your LAN range in half, with half of each range going in/out of each leg (under normal conditions) then you could configure the following:

Router A:

advertises the whole range via BGP
advertises the 'top' half of the range via BGP (longer prefix).

Router B:

advertises the whole of the range via BGP
advertises the 'bottom' half of the range via BGP (longer prefix).

Under normal conditions, the A-leg and B-leg will each receive traffic for their half of the IP address space, as the longer prefix advertised will be preferred on each leg. Should the A-leg fail, the BGP advertisement will disappear for the 'top' half of the range. Routing should then fail over to the B-leg, which is still advertising the whole range.

Whichever configuration is implemented, test it several times before it's live. The easiest way of doing this is to run traceroutes out from the LAN and in via a BGP looking glass/3rd-party traceroute site to check the path on the return leg.

In addition to making sure the routing fails over, also make sure it fails back, and remember to test sample IPs from all the ranges involved.

Apologies if this was a long post - longer to say than to configure I suspect...
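The split-advertisement scheme in the post above, as an added example that is not part of the original thread: router A's BGP configuration for a constructed customer block 203.0.113.0/24, advertising the whole /24 plus the "top" half 203.0.113.128/25 as the longer prefix. Router B is the mirror image with 203.0.113.0/25. AS numbers, neighbor addresses, the inside firewall address and the BGP password are assumptions; the public block is assumed to sit behind an inside firewall at 192.168.10.10 (constructed), which is why ordinary static routes, not Null0 routes, supply the exact prefixes the `network` statements need.

```cisco
! Router A. Constructed addresses: ISP A peer 198.51.100.1 (their end of the
! /30), our AS 65001, ISP AS 64500, public block 203.0.113.0/24 behind an
! inside firewall at 192.168.10.10.
!
! The 'network' statement only originates a prefix that exists exactly in the
! RIB, so install the /24 and the /25 as real routes toward the firewall.
! Do NOT use Null0 for the /25 if the /24 is a connected LAN on this router:
! the longer-prefix Null0 route would black-hole that half locally.
ip route 203.0.113.0 255.255.255.0 192.168.10.10
ip route 203.0.113.128 255.255.255.128 192.168.10.10
!
! Outbound filter: only our own two prefixes leave; nothing learned from
! anywhere else is re-advertised, so we can never become transit by accident.
ip prefix-list OUT-ISP-A seq 5 permit 203.0.113.0/24
ip prefix-list OUT-ISP-A seq 10 permit 203.0.113.128/25
ip prefix-list OUT-ISP-A seq 20 deny 0.0.0.0/0 le 32
!
! Inbound filter: accept only a default route from the ISP. A 2851 has no
! business holding a full table, and this also blocks anyone announcing our
! own block back at us.
ip prefix-list IN-ISP-A seq 5 permit 0.0.0.0/0
ip prefix-list IN-ISP-A seq 10 deny 0.0.0.0/0 le 32
!
router bgp 65001
 bgp log-neighbor-changes
 network 203.0.113.0 mask 255.255.255.0
 network 203.0.113.128 mask 255.255.255.128
 neighbor 198.51.100.1 remote-as 64500
 neighbor 198.51.100.1 description ISP A
 neighbor 198.51.100.1 password IspASharedSecret
 neighbor 198.51.100.1 ttl-security hops 1
 neighbor 198.51.100.1 prefix-list OUT-ISP-A out
 neighbor 198.51.100.1 prefix-list IN-ISP-A in
!
! Router B differs only in the longer prefix and its own ISP peer:
!   ip route 203.0.113.0 255.255.255.128 192.168.10.10
!   network 203.0.113.0 mask 255.255.255.128
!   neighbor <ISP B's end of its /30> ... with OUT-ISP-B permitting the /24
!   and 203.0.113.0/25
```

When router A's session drops, its /24 and /25 announcements are withdrawn and the Internet falls back to router B's /24 for the top half, which is the behaviour the post describes. Confirm with `show ip bgp neighbors 198.51.100.1 advertised-routes` on each router and with a public looking glass for both /25s. One caveat to settle with the ISP first: prefixes longer than /24 are commonly filtered on the public Internet, so the /25s are most reliable when both legs terminate on the same ISP or the ISP has agreed to carry them; if they are filtered, both legs receive the /24 and the split load-sharing does not happen, though failover still works.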
 