Single Internet Connection but HA Infrastructure — Using Bridging Instead of Routing

February 20, 2008 by Greg Ferro · 1 Comment

Hi! If you are new here, you might want to subscribe to the RSS feed to here more from me.

Solution
Using VRF Lite for Internet to separate the Management / Control Plane
Conclusion
Comments (1)

Introduction — The Design Constraint

The customer had decided to build a hosting platform, but could only arrange for a single internet connection to that site due to location. However, all other hardware was duplicated for high availability. After considering the options the following diagram was prepared showing the first pass at the design. This was the Internet Connection (100Mb Ethernet) connected to the router, then connected to a switch, which was interconnected by trunk to a second switch. The first layer of firewalls is then connected.

In this design, the router and the first switch are single points of failure as shown on the diagram

Solution

After some consideration, this design could be improved if the router was connected to both switches. This can be done by creating a bridge interface in the router and using spanning tree to detect and change the topology in the event of an outage. So the design is changed to the following:

Using VRF Lite for Internet to separate the Management / Control Plane

After considering the security and the operational management, it was decided that having the control plane of the Internet facing router possibly accessible from the Internet was not an acceptable risk. This risk could be mitigated by using VRF Lite to separate the internet routing from the management routing.

The configuration shown below is the sample configuration for this configuration:

! ip vrf Internet rd 100:101 !Create the VRF for the Internet traffic ! bridge irb !Enable the bridging software for IOS ! interface GigabitEthernet0/0 description to Internet Provider network next hop 198.18.200.2 ip vrf forwarding Internet !assign the external interface to the VRF ip address 198.18.200.1 255.255.255.252 duplex auto speed auto media-type rj45 ! interface GigabitEthernet0/1 description to the left side switch no ip address duplex auto speed auto media-type rj45 ! interface GigabitEthernet0/1.100 description Internet connection encapsulation dot1Q 100 bridge-group 1 ! interface GigabitEthernet0/1.2000 description Management connection encapsulation dot1Q 2000 bridge-group 2 ! interface GigabitEthernet0/2 desc to the right side switch no ip address duplex auto speed auto media-type rj45 ! interface GigabitEthernet0/2.100 description Internet connection encapsulation dot1Q 100 bridge-group 1 ! interface GigabitEthernet0/2.2000 description Management Connection encapsulation dot1Q 2000 bridge-group 2 ! interface BVI1 description BVI for internal Internet network ip vrf forwarding Internet ip address 198.18.10.1 255.255.255.128 ! interface BVI2 description BVI for Mgmt ip address 192.168.254.1 255.255.255.224 ! ! ip route 0.0.0.0 0.0.0.0 192.168.254.31 !set the route for device management ip route vrf Internet 0.0.0.0 0.0.0.0 198.18.200.2 !set the default route for the service provider ! bridge 1 protocol ieee bridge 1 route ip bridge 2 protocol ieee bridge 2 route ip !enable the bridging protocols for both the Internet and management connections

Conclusion

The solution has been working well. A recent switch upgrade process meant that no outages were involved. This was a reasonably simple configuration change that has substantially improved the operation of the network. The Security were most pleased with the control plane separation.

Table of Contents

Solution
Using VRF Lite for Internet to separate the Management / Control Plane
Conclusion
Comments (1)

Please rate this post:

Why Rate Posts?

$1 Star - It\\\'s Crud$ $2 Stars - It\\\'s Tosh$ $3 Stars - Something\\\'s missing$ 4 Stars - Needs works

(2 votes, average: 9.00 out of 10)

Loading ...

Filed under CCIE, Design · Tagged with Cisco, Design, IOS

Probably Related Posts on the Same Topic

Blue Coat ProxySG VIP and Cisco Switches Need Multicast Enabled

You have a pair of shiny new ProxySG boxen that you want to setup in active / standby for high availability. You configure it up and everything seems to work, and then it doesn’t, or other equipment on the same network experiences random problems.

What you are having is a Multicast problem with your Ethernet switches, most likely your Cisco switches, that has the problem. How to understand and solve the problem after the jump.

Read the full article

Quiz: Redistributing Static Routes in EIGRP. Which of These Is Better ?

I was working on some changes today with a co-worker and was faced with this interesting question. There are a number of ways to redistribute static routes in EIGRP, but one is definitely better than the other. Tell me why ?

Read the full article

Changing the Break Character in Cisco IOS

Does pressing “Ctrl-Shift-6 & x” bother you ? It bugs the hell the out of me.

Read the full article

IOS:CLI Tip — Terminal Full Help

Table of Contents

Introduction
Comments (1)

Introduction

The Cisco IOS command line has a pretty good help function. Usually you would put a ‘?’ and get a number of options that you can choose from. But when you do not have access to the enable privilege mode, the HELP functions are abbreviated.

This command is useful when you use it in combination with exec privileges. You might want someone to have full privileges but NOT to have enable level access (thus stopping them from making configuration changes). You can set users to have privilege level 15, but not able to enter the enable mode.

The problem is, that then you cannot see all the commands using the online help function. By using the ‘terminal full-help’ command you can give the user full access to the show and debug commands, with online help functions.

…

Table of Contents

Introduction
Comments (1)

Read the full article

Comments

One Response to “Single Internet Connection but HA Infrastructure — Using Bridging Instead of Routing”

Pete Stokes says:

7 May 2008 at 22:09

Great stuff, worked a treat, The Customer !

Despite having a single (but dual PSU) router, this project required single PSU cisco 2950’s and thus a primary power rail failure would take down the SPOF top level switch connected to the router. Greg came up with the goods and it works perfectly.

A recent power down of rails in the comms room went without Internet interruption.

Pete Stokes

IT Networks & Security,
Quinn Insurance,
Republic of Ireland.

Reply

Speak Your Mind

Tell us what you're thinking...
and oh, if you want a pic to show with your comment, go get a gravatar!

A Random Selection of Other Fine Posts (or Not)

Network Dictionary — RITA — Reliable Internetworking Troubleshooting Agent

Reloading IOS Config at CLI for Dynamips/Dynagen

Gestalt IT Field Day and Meet Up

Coming Soon: The Cisco Blade Server? — GigaOM

Network Dictionary — Firewall